On Oct 6, 2004, at 3:29 PM, Jeffrey Goldberg wrote:

> I would like to know about what sorts of utilities exist for watching
> firewall logs as part of some sort of intrusion detection system.
>
> My specific immediate need is rather small [...]

I received helpful pointers to:

Snort: http://snort.org/

It's probably overkill for my immediate needs, but seems like the tool to learn, so I'll go that way.

fwlogger: A suite of Unix-like tools for MS-Windows for doing this sort of stuff. The best reference I could find was http://www.clavister.com/support/kb/10039/

I failed to specify that I was looking for Unix tools, but at least one person mailed me off-list asking about MS-Windows tools.

swatch: Perl-based and OS-independent according to http://sourceforge.net/projects/swatch/

I didn't really look at this too much. It seems like a good tool for many log monitoring tasks, and not just IDS.

> Also, is there some set of rules that people recommend for being a
> "good network citizen"? That is, what should I try to prevent from
> leaving my network?

I received a recommendation for a default block-all, only opening up what is needed. At some sites, I will do that. At others, I will have to allow and log for a while to get a sense of legitimate outgoing traffic that I might not know about. E.g., in addition to the list recommended, I know that I'll need ports 53 and 123? (ntp), at least from selected hosts. I suspect that there will be more that I have forgotten.

Anyway, thanks all for your help and responses.

-j
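The "allow and log for a while" step described above, as an added example that is not part of the original post: a small Python summarizer for Linux netfilter LOG lines that groups outbound flows by source host and destination port and separates the ones already covered by a provisional egress allow-list (DNS and NTP from one host, plus web from anywhere) from the ones still to review before switching to default-deny. The log lines, the OUT-LOG prefix and the policy table are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the style of the Linux netfilter LOG target
# (not from the original post); "OUT-LOG" is an assumed --log-prefix.
SAMPLE_LOG = """\
Oct  6 15:30:01 gw kernel: OUT-LOG IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=UDP SPT=34567 DPT=53
Oct  6 15:30:02 gw kernel: OUT-LOG IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 PROTO=UDP SPT=123 DPT=123
Oct  6 15:30:05 gw kernel: OUT-LOG IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=198.51.100.7 PROTO=TCP SPT=40011 DPT=80
Oct  6 15:30:07 gw kernel: OUT-LOG IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=198.51.100.7 PROTO=TCP SPT=40012 DPT=443
Oct  6 15:30:09 gw kernel: OUT-LOG IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=198.51.100.40 PROTO=TCP SPT=51000 DPT=25
Oct  6 15:30:11 gw kernel: OUT-LOG IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=198.51.100.41 PROTO=TCP SPT=51001 DPT=25
Oct  6 15:30:12 gw kernel: OUT-LOG IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=203.0.113.5 PROTO=UDP SPT=40500 DPT=53
"""

# Provisional egress allow-list: destination port -> internal hosts permitted
# to use it. An empty set means any internal host may use the port.
POLICY = {53: {"192.168.1.10"}, 123: {"192.168.1.10"}, 80: set(), 443: set()}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one egress LOG line, or None for any other line."""
    if "OUT-LOG" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "PROTO", "DPT"} <= fields.keys():
        return None
    return fields


def summarize_egress(log_text, policy=POLICY):
    """Count outbound flows per (src, proto, dport) and split them into those
    already covered by the policy and those still to review before default-deny."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is not None:
            counts[(fields["SRC"], fields["PROTO"], int(fields["DPT"]))] += 1
    expected, unexpected = {}, {}
    for key, n in counts.items():
        src, _proto, dport = key
        hosts = policy.get(dport)  # None: port not on the allow-list at all
        if hosts is not None and (not hosts or src in hosts):
            expected[key] = n
        else:
            unexpected[key] = n
    return expected, unexpected
```

Run `summarize_egress(SAMPLE_LOG)` and review the second dict; each entry is a (host, protocol, port) to either add to the policy, restrict to specific hosts, or leave blocked once the default-deny rule goes in.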