On Sun, Feb 18, 2001 at 09:27:26AM +0100, Pierfrancesco Caci wrote:
>
> :-> "Erich" == Erich Schubert <[EMAIL PROTECTED]> writes:
>
> >> The goal is reached, bad guys stay out, but I'd prefer to somehow
> >> make portsentry check the data as well. I prefer to know if
> >> someone scanned my network. Most of the information can be read
> >> from the firewall logs, but it would require a big bunch of
> >> scripts (pretty much rewriting portsentry) to see the big picture
> >> with many scans.
>
> > For that I use logcheck and do log as few as possible.
>
> That's what I do, too, but I'd like to be able to set up something
> more "real time", in the sense that I won't get to read nightly logs
> until the morning after, and by that time the script kiddies already
> are gone.

Set up snort with MySQL logging, run a script every 5 minutes to check
for your favorite scans in the database.

Tim

--
Tim Sailer <[EMAIL PROTECTED]>
Cyber Security Operations
Brookhaven National Laboratory (631) 344-3001
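
The periodic check suggested in the reply above, as an added example that is not part of the original message. SQLite stands in for MySQL so it runs offline; the schema, the signature names and the alert rows are constructed assumptions, not Snort's actual database layout.

```python
import sqlite3

# Simplified stand-in for a Snort alert database. Table and column names are
# assumptions made for this example, not Snort's actual MySQL schema.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event (cid INTEGER PRIMARY KEY, signature INTEGER,
                    timestamp TEXT, ip_src TEXT, dst_port INTEGER);
"""
# Constructed sample alerts (documentation address ranges).
SIGS = [(1, "SCAN SYN FIN"), (2, "SCAN nmap TCP"), (3, "WEB-MISC robots.txt access")]
EVENTS = [
    (1, 1, "2001-02-18 09:20:01", "192.0.2.10", 21),
    (2, 1, "2001-02-18 09:20:01", "192.0.2.10", 23),
    (3, 2, "2001-02-18 09:20:02", "192.0.2.10", 111),
    (4, 3, "2001-02-18 09:21:40", "198.51.100.7", 80),
    (5, 2, "2001-02-18 09:26:15", "203.0.113.5", 22),
]

def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO signature VALUES (?, ?)", SIGS)
    db.executemany("INSERT INTO event VALUES (?, ?, ?, ?, ?)", EVENTS)
    return db

def new_scanners(db, last_cid, min_ports=2, pattern="SCAN %"):
    """Return (rows, new_last_cid) for scan alerts with cid > last_cid.

    rows are (ip_src, distinct_ports, alerts, first_seen). Storing
    new_last_cid between runs keeps a late or overlapping cron run from
    missing or re-reporting alerts.
    """
    # Fix the upper bound first so alerts arriving mid-run wait for the next run.
    newest = db.execute("SELECT COALESCE(MAX(cid), ?) FROM event",
                        (last_cid,)).fetchone()[0]
    rows = db.execute(
        """SELECT e.ip_src, COUNT(DISTINCT e.dst_port), COUNT(*), MIN(e.timestamp)
           FROM event e JOIN signature s ON s.sig_id = e.signature
           WHERE e.cid > ? AND e.cid <= ? AND s.sig_name LIKE ?
           GROUP BY e.ip_src
           HAVING COUNT(DISTINCT e.dst_port) >= ?
           ORDER BY COUNT(DISTINCT e.dst_port) DESC, e.ip_src""",
        (last_cid, newest, pattern, min_ports)).fetchall()
    return rows, newest

if __name__ == "__main__":
    rows, mark = new_scanners(build_sample_db(), last_cid=0)
    for src, ports, alerts, first in rows:
        print(f"{first} scan from {src}: {alerts} alerts on {ports} ports")
```

A scan spread thinly across several runs stays under `min_ports` in each of them, so set `min_ports=1` to report every source that raised a scan alert.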

