I've packaged a couple of scripts that tie into PortSentry which page me (and send email) every time one tries to connect to a port protected by PortSentry. One sends out a page based on the command line by using an email gateway (you'll have to figure out your own). The other does the work; it sends out the page, as well as formulating a big email with all the details possible about the source IP.

This current script will, if the binaries are available, do the following (all against the source IP address):

* whois (administrative contacts and IP block owner)
* dig (name lookup and name servers)
* traceroute (how long? what routers between here and there?)
* tcptraceroute (same as traceroute, but uses TCP not ICMP - pierces some firewalls)
* ping (how long does it take to get there?)
* nmap (what ports do they have open? What are they running?)

The last four also help to identify that this is a REAL host active on the network. The nmap option is in the script but not run by default: some sites could classify a nmap probe as hostile behavior (and perhaps illegal behavior). The nmap line is commented out.

The package is at http://leaf.sourceforge.net/pub/oxygen/packages/alert.lrp

Enjoy!

_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
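The following is an added example of the kind of reaction script the post describes, not the code shipped in alert.lrp. It assumes PortSentry hands it the source address and port through its KILL_RUN_CMD setting (e.g. `KILL_RUN_CMD="/usr/local/sbin/alert-report.sh $TARGET$ $PORT$"`), that a local `mail` command exists, and the hypothetical `ALERT_MAILTO`, `ALERT_TOOLS` and `ALERT_TIMEOUT` variables are this example's own. It runs only the lookups the post enables by default (whois, dig, traceroute, tcptraceroute, ping) and leaves nmap out entirely, wraps each tool in a timeout so a slow lookup cannot wedge the alert, and, because the arguments are produced by a remotely triggered event, refuses anything that is not a plain IPv4 address and numeric port before any command line is built.

```shell
#!/bin/sh
# Example PortSentry reaction script (added illustration, not the alert.lrp package).
# Invoked by PortSentry as:  alert-report.sh <source-ip> <port>

ALERT_MAILTO="${ALERT_MAILTO:-root}"                                   # assumed recipient
ALERT_TOOLS="${ALERT_TOOLS:-whois dig traceroute tcptraceroute ping}"  # nmap deliberately absent
ALERT_TIMEOUT="${ALERT_TIMEOUT:-30}"                                   # seconds per tool

# Accept only a dotted-quad IPv4 address with octets 0-255. The value originates from
# remote activity, so it is never passed to a command line until it has been checked.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
  return 0
}

# Run a command under timeout(1) when it is available, otherwise directly.
tmo() {
  if command -v timeout >/dev/null 2>&1; then timeout "$ALERT_TIMEOUT" "$@"; else "$@"; fi
}

# The exact command line used for each tool; everything here is a lookup or a
# reachability check, nothing that scans the remote host.
run_tool() {
  tool=$1; ip=$2
  case "$tool" in
    whois)         tmo whois "$ip" ;;
    dig)           tmo dig -x "$ip" ;;                 # reverse name lookup
    traceroute)    tmo traceroute -n -w 2 "$ip" ;;
    tcptraceroute) tmo tcptraceroute -n "$ip" ;;
    ping)          tmo ping -c 3 -W 2 "$ip" ;;
    *)             echo "unknown tool: $tool"; return 1 ;;
  esac
}

# One report section: a header, then the tool's output, or a note that it is
# not installed or exited non-zero, so the mail is still produced.
section_for() {
  tool=$1; ip=$2
  printf '=== %s %s ===\n' "$tool" "$ip"
  if command -v "$tool" >/dev/null 2>&1; then
    run_tool "$tool" "$ip" 2>&1 || printf '(%s exited with status %s)\n' "$tool" "$?"
  else
    printf '(%s not installed; section skipped)\n' "$tool"
  fi
  printf '\n'
}

# Full mail body for one event.
build_report() {
  ip=$1; port=$2
  printf 'PortSentry alert: %s probed port %s at %s\n\n' \
    "$ip" "$port" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  for t in $ALERT_TOOLS; do
    section_for "$t" "$ip"
  done
}

# Validate both arguments, then build and mail the report.
send_alert() {
  ip=$1; port=$2
  valid_ipv4 "$ip" || { echo "refusing non-IPv4 target: $ip" >&2; return 2; }
  case "$port" in ''|*[!0-9]*) echo "refusing non-numeric port: $port" >&2; return 2 ;; esac
  build_report "$ip" "$port" | mail -s "PortSentry: $ip -> port $port" "$ALERT_MAILTO"
}

# Act only when called with PortSentry's two arguments; sourcing the file does nothing.
if [ "$#" -eq 2 ]; then
  send_alert "$1" "$2"
fi
```

Paging can be layered on top by piping the first line of `build_report` to whatever email-to-pager gateway is in use, which is the split the post describes between the small paging script and the one that does the work.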
