Chris Bagnall wrote:
> I tend to go the other way round, I have logging enabled on the default block rule, but then a
> load of "block silently" rules that filter out common connection attempts that would otherwise
> clutter the log.
> So far I don't log 135,137,139,445 (SMB), 1026-1027 (MSRPC), 1433-1434 (MSSQL), 2967 (Symantec
> AV), 4899 (radmin).
> We see attempts on these ports every few seconds from random destinations, so there's nothing
> useful to be gained by logging them, they're common and well-documented exploits looking for
> We log everything else, which a) isn't actually very much without the common exploits, and b)
> means we can pick up fairly quickly on new exploits - e.g. we see many attempts to a specific port,
> a quick google later and we can find out what that port's used for and some info about what they're
> trying to exploit. A quick script in <insert choice of scripting language you're familiar with> can
> query the logfiles every week and see what ports are scanned regularly, which you can then use for
Me too... It is fun to be ahead of the curve. :) See an uptick in a
specific port, read about a new vulnerability.
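The weekly "which ports are being scanned" script the quoted post describes, as an added example that is not from either poster. It assumes an iptables/netfilter-style LOG line format (SRC=, PROTO=, DPT=); the log lines below are constructed, and the silent-port list is the one quoted above.

```python
import re
from collections import Counter

# Ports the quoted post already drops silently; they are noise, not signal.
SILENT_PORTS = {135, 137, 139, 445, 1026, 1027, 1433, 1434, 2967, 4899}

# Assumed netfilter LOG layout; adapt the pattern to whatever your firewall writes.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=\S+ .*?PROTO=(?P<proto>TCP|UDP) .*?DPT=(?P<dport>\d+)"
)

# Constructed sample of one week's block log (addresses are documentation ranges).
SAMPLE_LOG = """\
Jun  1 10:00:01 fw kernel: BLOCK IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=4444 DPT=445
Jun  1 10:00:05 fw kernel: BLOCK IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=5551 DPT=1433
Jun  1 10:01:12 fw kernel: BLOCK IN=eth0 SRC=192.0.2.33 DST=203.0.113.5 PROTO=TCP SPT=3333 DPT=5900
Jun  1 10:02:40 fw kernel: BLOCK IN=eth0 SRC=192.0.2.34 DST=203.0.113.5 PROTO=TCP SPT=3334 DPT=5900
Jun  1 10:03:01 fw kernel: BLOCK IN=eth0 SRC=192.0.2.35 DST=203.0.113.5 PROTO=TCP SPT=3335 DPT=5900
Jun  1 10:04:22 fw kernel: BLOCK IN=eth0 SRC=198.51.100.2 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=161
""".splitlines()

def parse_blocked(lines):
    """Yield (src, proto, dport) for every line that matches the block-log pattern."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto"), int(m.group("dport"))

def port_hits(lines, ignore=SILENT_PORTS):
    """Count blocked attempts per destination port, skipping the known-noise ports."""
    counts = Counter()
    for _src, _proto, dport in parse_blocked(lines):
        if dport not in ignore:
            counts[dport] += 1
    return counts

def new_upticks(this_week, last_week, min_hits=3, ratio=2.0):
    """Ports seen at least min_hits times this week and at least ratio x last week's count.
    These are the ones worth reading up on before deciding to add them to the silent list."""
    return sorted(
        p for p, n in this_week.items()
        if n >= min_hits and n >= ratio * max(last_week.get(p, 0), 1)
    )

if __name__ == "__main__":
    this_week = port_hits(SAMPLE_LOG)
    for port, n in this_week.most_common():
        print(f"port {port}: {n} blocked attempts")
    print("worth reading up on:", new_upticks(this_week, Counter({5900: 1})))
```

Feed it the real logfile instead of SAMPLE_LOG and keep last week's Counter on disk (pickle or JSON) to get the week-over-week comparison.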