Re: [psad-discuss] psad alert emails - run whois on target?

2010-07-14 Thread Michael Rash
On Jul 23, 2009, dtakem...@thdfsg.com wrote:

> Hi,
> 
> On certain Linux boxes, I have iptables set up to block and/or log outgoing
> connections (as these boxes should never ever have a direct connection
> to the internet), so a PSAD alert can warn me of a potential security breach
> or misconfigured program.
> 
> In these cases, however, the PSAD alert email includes a whois report on the
> source of the packets - which is a private IP.  What I'm more interested in
> is a whois on the _target_ of the packets.
> 
> How can I configure psad alerts to include the target whois instead?

Hi,

I know this is responding to a very old email, but I wanted to let you know
that the psad-2.1.7 release tries to be smart about which IP (src vs. dst)
it issues the whois lookup against.  I believe that it probably offers the
feature you hinted at above, but please let me know if not.

Thanks,

--Mike


> Dean Takemori
> Systems Support Supervisor
> TD Food Group
> dtakem...@thdfsg.com

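The src-vs-dst choice Mike describes, as an added Python illustration that is not psad's own code (psad is written in Perl, and its actual selection logic is not shown in this thread): given an iptables log line, it picks the first address that is not in a private or otherwise non-routable range, so a blocked outbound connection from a 10.x host yields the destination for the whois, while an inbound probe still yields the source. The sample log lines, the range list and the helper names are constructed for this example.

```python
import re
import ipaddress

# Constructed sample iptables log lines (not from the thread); the word before
# "IN=" is whatever --log-prefix the rule used.
SAMPLE_LOGS = [
    # Blocked outbound attempt from an internal host: the DST is worth a whois
    "Jul 23 10:01:02 host kernel: OUT_DROP IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=40211 DPT=443",
    # Inbound probe from the internet: the SRC is worth a whois
    "Jul 23 10:02:10 host kernel: IN_DROP IN=eth0 OUT= SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP SPT=55555 DPT=22",
    # Both ends internal: a whois on either side tells you nothing
    "Jul 23 10:03:00 host kernel: LAN_DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.168.1.20 PROTO=UDP SPT=5353 DPT=5353",
]

# Ranges that never identify an internet party (RFC 1918, loopback, link-local,
# multicast, IPv6 ULA). An explicit list is used instead of ipaddress.is_global
# so the IANA documentation ranges in the samples above count as routable.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4",
    "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]

_ADDR_RE = re.compile(r"\bSRC=(?P<src>[0-9A-Fa-f:.]+)\s+DST=(?P<dst>[0-9A-Fa-f:.]+)")

def is_internal(addr):
    """True if addr falls in a range that cannot belong to an internet party."""
    return any(addr in net for net in _NON_ROUTABLE)

def parse_addrs(line):
    """Return (src, dst) ipaddress objects from an iptables log line, or None."""
    m = _ADDR_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:
        return None

def whois_candidate(src, dst):
    """Prefer the source (inbound scan); fall back to the destination (blocked
    outbound connection from a private host); None when both ends are internal."""
    for addr in (src, dst):
        if not is_internal(addr):
            return addr
    return None

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(line.split("kernel: ")[1].split()[0], "->", whois_candidate(*parse_addrs(line)))
```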


___
psad-discuss mailing list
psad-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/psad-discuss


Re: [psad-discuss] psad alert emails - run whois on target?

2009-07-23 Thread Michael Rash
On Jul 23, 2009, dtakem...@thdfsg.com wrote:

> Hi,

Hello -

> On certain Linux boxes, I have iptables set up to block and/or log outgoing
> connections (as these boxes should never ever have a direct connection
> to the internet), so a PSAD alert can warn me of a potential security breach
> or misconfigured program.
> 
> In these cases, however, the PSAD alert email includes a whois report on the
> source of the packets - which is a private IP.  What I'm more interested in
> is a whois on the _target_ of the packets.
> 
> How can I configure psad alerts to include the target whois instead?

Ah, that is an interesting idea.  psad does not currently support this,
but I will add it in the next release.

Thanks,

-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint: E2EF 0C8A 5AA9 654C 4763  B50F 37AC E946 7F51 8271

> Dean Takemori
> Systems Support Supervisor
> TD Food Group
> dtakem...@thdfsg.com




[psad-discuss] psad alert emails - run whois on target?

2009-07-23 Thread DTakemori
Hi,

On certain Linux boxes, I have iptables set up to block and/or log outgoing
connections (as these boxes should never ever have a direct connection
to the internet), so a PSAD alert can warn me of a potential security breach
or misconfigured program.

In these cases, however, the PSAD alert email includes a whois report on the
source of the packets - which is a private IP.  What I'm more interested in
is a whois on the _target_ of the packets.

How can I configure psad alerts to include the target whois instead?



Dean Takemori
Systems Support Supervisor
TD Food Group
dtakem...@thdfsg.com