
RE: Tools for monitoring port scans / connection attempts?

From: Stuart <secmail(at)patchsupplier.dyndns.org>
Date: Wed Aug 13 2003 - 21:05:21 EDT

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

www.snort.org

I've just put that up after testing it for a while and I love it! There's also a Windows port, which is what I'm using. I used IDScenter to set it up. It has an easy GUI which saves you the time of doing the config manually.
There are also different logging options, which can also use SQL if you have it running, although I haven't got around to doing that yet.

Hope this helps

Stu

-----Original Message-----
From: steve@uk.intasys.com [mailto:steve@uk.intasys.com]
Sent: 13 August 2003 19:48
To: incidents@securityfocus.com
Subject: Tools for monitoring port scans / connection attempts?

  I see a lot of people upon this list able to keep records  of increases in port scans over time.

  For example it's common for a post to come through from a  member asking about new scans on port foo - and a reply coming  back saying "yes seen xxx of those since the 1st of xxx".


  Can I ask what software are you using to record these logs?

  I know that some firewall systems, like ipchains, or iptables  will allow logs to be generated to syslog. However these are  not terribly interesting to read - and they are hard to keep  track of.

  I'm using a homebrewed system where I have a perl script  capturing packets dumping source ip+port and destination ip+port  to a database. This way I can produce pretty graphs showing  scans of particular ports over time.

  (I'd be happy to release it if there's any interest).

Steve
--


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQIVAwUBPzrgUZMRMj30dWmZAQLSWRAAgOCexsQHY8Q7Rf4nrH9QeQwrPKuPo3Kh rTn9mxXCJ4oMCXbBa1f20t8FeZPNkTNzztufAyjLG3RzKOL39T9gecAUmDEHwDRD mgWTpIhYD/O4+YI2WzUquBZZD3DUnIOsg/rMcNuhQ5v4B4IRFGVfQ7hQsVb1w4Nv MMtR6LiSVvqjPZNRpIb34LvRgukJUHbNlXAg/aHzu7QTmfjlJ9cMUJR8M3h5jp3c Lysxyk7gJOaD9Upaicjuhk17iKv6/FLE97khgqw3C3cqpzhnYKumZsuXwui+KcV9 BMyq/DNIwMYjSFPAY48zgEp9gw7Ct74NW5/zObfgMZryNKg7XqBwbac9BcO9A9ar zMitHxXmzqXAkPV4WVpQQBjw85qrXu69n4ljQqYwuNUY3t35bIcP8HMfMuWxxr0C qRt0xDnshvDLJIfRJK/IHjkkCUYkl1vffEkKNfwKzTnqvaMTnktguPiZo54bEOdE CbEP1PV0mjNRcAO8xqCRU7tNVZo4P34JowvkkbUlCHdt+NSvAgup37TcQ9HtPhib hvS7+Tg2iDxGUb7Zsg0Fywo4akop/6bYkxAnpb176yrQG8j73E02uFA/semLJ7Jh JP+jIgn4kNp/bd56XRoA93ngO244MZb36h3NDbuN6JB9v8LFLmuKCiJZN6Dn+959 z8WpPqiXkDI=
=xpnM
-----END PGP SIGNATURE-----
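Steve's "homebrewed" approach above (capture source/destination address and port, store it in a database, then count or graph hits per port over time) and his complaint that raw iptables syslog output is hard to keep track of both come down to the same small pipeline. The following is an added example, not code from either poster; it is written in Python with SQLite rather than Steve's Perl, and it assumes the standard iptables LOG-target line format (SRC=, DST=, PROTO=, SPT=, DPT=). The log lines are constructed for the example with documentation-range addresses, and the year is passed in because syslog timestamps do not carry one.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample of iptables LOG-target lines as they land in syslog.
# Addresses are from documentation ranges; nothing here is real traffic.
# The last line is ordinary sshd noise and must be ignored by the parser.
SAMPLE_SYSLOG = """\
Aug 12 23:59:10 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1234 DF PROTO=TCP SPT=3072 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 13 00:10:44 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1235 DF PROTO=TCP SPT=3073 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 13 08:21:05 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=5100 DF PROTO=TCP SPT=1025 DPT=135 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 13 08:21:06 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=5101 DF PROTO=TCP SPT=1026 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 13 12:00:00 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=5102 DF PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=1
Aug 13 19:48:00 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=9 DF PROTO=TCP SPT=4444 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 13 19:49:00 gw sshd[123]: Accepted publickey for steve from 192.0.2.10 port 50000 ssh2
"""

# iptables LOG lines: syslog timestamp, host, "kernel:", then key=value fields.
# SPT/DPT are optional because ICMP entries carry TYPE/CODE instead of ports.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line, year=2003):
    """Return a dict for one iptables LOG line, or None for anything else.
    Syslog timestamps carry no year, so the caller supplies it (assumption)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts.isoformat(sep=" "),          # sortable text, e.g. 2003-08-13 08:21:05
        "src": m["src"],
        "sport": int(m["spt"]) if m["spt"] else None,
        "dst": m["dst"],
        "dport": int(m["dpt"]) if m["dpt"] else None,
        "proto": m["proto"],
    }


def load(lines, conn, year=2003):
    """Parse lines into the hits table; returns the number of rows stored."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS hits("
        "ts TEXT, src TEXT, sport INTEGER, dst TEXT, dport INTEGER, proto TEXT)"
    )
    rows = [r for r in (parse_line(l, year) for l in lines) if r]
    conn.executemany(
        "INSERT INTO hits VALUES(:ts, :src, :sport, :dst, :dport, :proto)", rows
    )
    conn.commit()
    return len(rows)


def hits_since(conn, dport, since):
    """The 'seen N of those since <date>' answer: (hits, distinct sources)
    for one destination port since an ISO date or date-time string."""
    row = conn.execute(
        "SELECT COUNT(*), COUNT(DISTINCT src) FROM hits WHERE dport = ? AND ts >= ?",
        (dport, since),
    ).fetchone()
    return (row[0], row[1])


def daily_series(conn, dport):
    """Per-day hit counts for one port: the series you would feed a graph."""
    return conn.execute(
        "SELECT substr(ts, 1, 10) AS day, COUNT(*) FROM hits "
        "WHERE dport = ? GROUP BY day ORDER BY day",
        (dport,),
    ).fetchall()


def build_demo_db():
    """In-memory database loaded with the constructed sample above."""
    conn = sqlite3.connect(":memory:")
    load(SAMPLE_SYSLOG.splitlines(), conn)
    return conn


if __name__ == "__main__":
    conn = build_demo_db()
    print("port 135 since 2003-08-13 (hits, sources):", hits_since(conn, 135, "2003-08-13"))
    for day, n in daily_series(conn, 135):
        print(day, n)
```

Timestamps are stored as zero-padded ISO text so plain string comparison in SQL does the date filtering, and the per-day rows from `daily_series` are the same shape a graphing tool or Snort's SQL logging front-end would consume. Counting distinct sources alongside raw hits is the cheap way to tell one noisy host from a genuine increase in scanning.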



Received on Wed Aug 13 22:56:37 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:17 EDT

