 From:  Chet Harvey <chet at pittech dot com>
 To:  Jeffrey Goldberg <jeffrey at goldmark dot org>
 Cc:  Monowall Mailing List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] SUMMARY: [m0n0wall] IDS or log watching utilities
 Date:  Fri, 8 Oct 2004 16:46:11 -0400
Try fwlogwatch for quick and dirty. Real easy and slick...

http://fwlogwatch.inside-security.de/

Then learn Snort as you go =)

Chet Harvey
Pitbull Technologies <http://www.pittech.com/> 
Protecting your Digital Assets
703.407.7311


Quoting Jeffrey Goldberg <jeffrey at goldmark dot org>:

> On Oct 6, 2004, at 3:29 PM, Jeffrey Goldberg wrote:
> 
> > I would like to know about what sorts of utilities exist for watching 
> > firewall logs as part of some sort of intrusion detection system.
> >
> > My specific immediate need is rather small [...]
> 
> I received helpful pointers to
> 
>    Snort:  http://snort.org/
>       It's probably overkill for my immediate needs, but seems like the
>       tool to learn, so I'll go that way.
> 
>    fwlogger
> 
>       A suite of Unix-like tools for MS-Windows for doing this sort of
>       stuff.  The best reference I could find was
> 
>               http://www.clavister.com/support/kb/10039/
> 
>       I failed to specify that I was looking for Unix tools, but at
>       least one person mailed me off list asking about MS-Windows tools.
> 
>    swatch:  Perl based and OS independent according to
> 
>          http://sourceforge.net/projects/swatch/
> 
>      I didn't really look at this too much.  It seems like a good tool
>      for many log monitoring tasks, and not just IDS.
> 
> > Also, is there some set of rules that people recommend for being a 
> > "good network citizen"?  That is, what should I try to prevent from 
> > leaving my network?
> 
> I received a recommendation for a default block all, with only opening
> up what is needed.  At some sites, I will do that.  At others, I will
> have to allow and log for a while to get a sense of legitimate
> outgoing traffic that I might not know about.  E.g., in addition to the
> list recommended, I know that I'll need ports 53 and 123? (ntp), at
> least from selected hosts.  I suspect that there will be more that I
> have forgotten.
> 
> Anyway, thanks all for your help and responses.
> 
> -j
> 
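The last quoted paragraph describes the usual way to arrive at a default-deny egress policy: allow and log outbound traffic for a while, then read the logs to learn which flows are legitimate. As an added example (not code from the thread, from m0n0wall, or from fwlogwatch/swatch), here is a small Python summariser in that spirit: it aggregates blocked outbound firewall log lines by source host, protocol and destination port, and splits the result into candidate allow rules and flows that need a human look. The sample log lines are constructed to approximate ipmon (ipfilter) output, the field regex is an assumption to verify against real logs, and the pf-style rule text is illustrative only, since m0n0wall rules are built in its web interface.

```python
#!/usr/bin/env python3
"""Summarise blocked outbound firewall log lines to build an egress allow list.

Added example; not code from the m0n0wall project or the thread's authors.
The sample lines are constructed to approximate ipmon (ipfilter) output.
Adjust LINE_RE if your firewall logs in a different format.
"""
import re
from collections import Counter

# Constructed sample log (not captured from a real firewall).
# "b" = blocked, "p" = passed; OUT = outbound on interface sis0.
SAMPLE_LOG = """\
Oct  8 16:40:01 fw ipmon[77]: 16:40:01.101 sis0 @0:12 b 192.168.1.10,49152 -> 10.0.0.53,53 PR udp len 20 61 OUT
Oct  8 16:40:03 fw ipmon[77]: 16:40:03.220 sis0 @0:12 b 192.168.1.10,49153 -> 10.0.0.53,53 PR udp len 20 58 OUT
Oct  8 16:40:05 fw ipmon[77]: 16:40:05.330 sis0 @0:12 b 192.168.1.20,123 -> 192.0.2.10,123 PR udp len 20 76 OUT
Oct  8 16:40:09 fw ipmon[77]: 16:40:09.440 sis0 @0:12 b 192.168.1.30,51000 -> 192.0.2.99,25 PR tcp len 20 60 -S OUT
Oct  8 16:40:10 fw ipmon[77]: 16:40:10.550 sis0 @0:12 b 192.168.1.30,51001 -> 192.0.2.99,25 PR tcp len 20 60 -S OUT
Oct  8 16:40:12 fw ipmon[77]: 16:40:12.660 sis0 @0:11 p 192.168.1.10,50000 -> 192.0.2.80,80 PR tcp len 20 60 -S OUT
Oct  8 16:40:15 fw ipmon[77]: 16:40:15.770 sis0 @0:12 b 192.168.1.40,60000 -> 192.0.2.7,6667 PR tcp len 20 60 -S OUT
"""

# Assumed field layout (action, src,sport -> dst,dport, PR proto ... IN|OUT).
LINE_RE = re.compile(
    r"\s(?P<action>[bp])\s"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}),(?P<sport>\d+)\s->\s"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}),(?P<dport>\d+)\s"
    r"PR\s(?P<proto>[a-z]+)\b.*\s(?P<dir>IN|OUT)\s*$"
)

# Well-known services that commonly belong on an egress allow list.
WELL_KNOWN = {
    ("udp", 53): "dns", ("tcp", 53): "dns", ("udp", 123): "ntp",
    ("tcp", 25): "smtp", ("tcp", 80): "http", ("tcp", 443): "https",
}


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def blocked_outbound(log_text):
    """Count blocked outbound flows keyed by (source host, protocol, dest port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "b" and rec["dir"] == "OUT":
            counts[(rec["src"], rec["proto"], rec["dport"])] += 1
    return counts


def propose_rules(counts, min_hits=2):
    """Split observed flows into candidate allow rules and flows to review.

    Repeated flows to well-known service ports are likely legitimate; one-off
    flows and unfamiliar ports are returned separately for review, not allowed.
    """
    candidates, review = [], []
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    for (src, proto, dport), hits in ordered:
        service = WELL_KNOWN.get((proto, dport))
        entry = {"src": src, "proto": proto, "dport": dport,
                 "hits": hits, "service": service}
        (candidates if hits >= min_hits and service else review).append(entry)
    return candidates, review


def format_rule(entry):
    """Illustrative pf-like rule text; m0n0wall rules are entered in its web UI."""
    return (f"pass out quick proto {entry['proto']} from {entry['src']} "
            f"to any port {entry['dport']}"
            f"  # {entry['service'] or 'unknown'}, {entry['hits']} hits")


if __name__ == "__main__":
    candidates, review = propose_rules(blocked_outbound(SAMPLE_LOG))
    print("Candidate allow rules:")
    for e in candidates:
        print("  " + format_rule(e))
    print("Flows to review before allowing:")
    for e in review:
        print(f"  {e['src']} -> {e['proto']}/{e['dport']} "
              f"({e['service'] or 'unknown'}, {e['hits']} hits)")
```

Feed it the real block log instead of SAMPLE_LOG and raise min_hits once a few days of data have accumulated. A "candidate" is only a hint: a workstation repeatedly blocked on tcp/25 shows up as a candidate here, and that is exactly the kind of flow the "good network citizen" question argues for keeping blocked unless the host is a mail relay.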