> Scanlogd is pretty much useless software. Why bother; it won't protect you.
>
> libnids is a network stack emulator; not a replacement for pcap. It just runs
> in parallel with the kernel using a lot of horsepower. It is for specialized
> use.
>
> Pcap just puts your NIC in promiscuous mode, captures packets real fast, and
> makes that data available to other programs for analysis. It does not need to
> be concerned with fragmentation, flags, or anything else. !!BUT remember, a NIC
> in promiscuous mode is a thing of beauty to a hacker. It cannot be secured or
> monitored!!
>
> /*
> Snort_inline is probably what you really want to build. It can be queued to
> IPtables and will drop bad traffic, blacklist IPs, report port scans, detect
> viruses, whatever. Fragmentation no problem. pcap not needed. With a free
> subscription to the rules (5000+) they can be updated daily by a cron job with
> oinkmaster. Oh, and yes, it builds easily on hlfs and I use it 24/7/365.
> */
>
> Marty B.
The reason I wanted Scanlogd was because I have iptables rules like:

    $IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level debug --log-prefix "Port Scan"
    $IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

that I would like to get rid of. What I had thought of was using scanlogd and writing a small script to monitor the scanlogd logfile and send me a message when the size of the logfile changes.

Libnids-1.23 builds without any issues. It is just that when I rebuilt scanlogd (with Libnids support instead of pcap) scanlogd complains about sharing text segments; that's when I thought of checking libnids for TEXTREL.

Anyway, the solution (snort_inline) you proposed makes better sense and that's what I am pursuing right now. Will let you know if I have any issues building snort_inline.

Thanks Marty, for the heads up.

-- 
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
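The "small script that watches the log" idea from the message above, as an added example that is not part of the original thread: it parses the kernel log lines the quoted LOG rule produces (prefix "Port Scan", SRC= field) and reports which sources sent SYN+FIN packets, with an alert threshold. The log lines are constructed to match the iptables LOG format, and the log file path is an assumption.

```shell
#!/bin/sh
# Added example, not from the hlfs-dev thread. Summarise iptables LOG lines
# written by the "Port Scan" rule and alert on noisy sources. Constructed
# sample log below; real lines normally live in /var/log/kern.log (assumption).
# Note: --log-prefix "Port Scan" has no trailing space, so the kernel writes
# "Port ScanIN=eth0 ..."; the grep below tolerates that.

SAMPLE_LOG=$(cat <<'EOF'
Mar  1 10:00:01 gw kernel: Port ScanIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=54321 DPT=22 SYN FIN URGP=0
Mar  1 10:00:02 gw kernel: Port ScanIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=54322 DPT=80 SYN FIN URGP=0
Mar  1 10:00:05 gw kernel: Port ScanIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=40000 DPT=443 SYN FIN URGP=0
Mar  1 10:00:06 gw kernel: martian source 10.0.0.1 from 10.0.0.2, on dev eth0
EOF
)

# Emit the log to parse: a file if given, otherwise the constructed sample.
log_lines() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# Print "count src" for every source seen in "Port Scan" lines, busiest first.
# Lines without the prefix (other kernel messages) are ignored.
portscan_sources() {
    log_lines "$1" |
    grep 'Port Scan' |
    sed -n 's/.*SRC=\([0-9.][0-9.]*\).*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# Print an ALERT line for each source with at least $1 hits ($2: log file).
# Exit status 0 when at least one source crossed the threshold, 1 otherwise,
# so it can gate a mail or logger call from cron.
portscan_alert() {
    portscan_sources "$2" | awk -v t="$1" '
        $1 >= t { print "ALERT: " $2 " sent " $1 " SYN+FIN packets"; n++ }
        END { exit n ? 0 : 1 }'
}

# Stand-alone run over the sample: list sources, then alert at threshold 2.
portscan_sources
portscan_alert 2
```

From cron, `portscan_alert 2 /var/log/kern.log | mail -s "Port scan" root` sends mail only when the threshold is crossed.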