linux logging question


detoxsmurf
March 14th, 2003, 07:04 PM
I am running a linux honeypot and am wondering if it's possible to send port scans to a specific log file. For example, I might want to log all port scan attempts for port 31337, and send them to the /var/log/portscan log. Would portsentry work well in this situation? Thanks for any suggestions.

Nate

MrLinus
March 14th, 2003, 08:06 PM
Hrmm. I don't think I've ever configured something like that. You might want to look at Snort's logging, as it logs per port, depending on setup. ;)

d0ppelg@nger
March 14th, 2003, 08:37 PM
You could write a script, perl or shell, to parse the logfile each day and output the data for each port to its own specific file. Good project to learn perl and/or shell programming...

hogfly
March 14th, 2003, 09:38 PM
tcpdump -netti IF port X > /var/log/portscan.log, for example. Quick and dirty, but efficient.

thread_killer
March 14th, 2003, 09:57 PM
Originally posted by d0ppelg@nger:
You could write a script, perl or shell, to parse the logfile each day and output the data for each port to its own specific file. Good project to learn perl and/or shell programming...

I do it kind of like this... only different. :)

I have traffic from my PIXes going to /var/log/local5 (which is the logging facility I use) then a Perl script picks through that for traffic I consider "interesting". The script changes depending on what I want to look at. Regardless, it dumps it all into a file named /var/log/traffic. I then check out the traffic logs once a day to see if anything strange is going on. So basically, this has been a very long way to say that d0ppelg@nger is right on with how to do it. :rolleyes:
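Here is one way to do what d0ppelg@nger and thread_killer describe, as an added example that is not code from this thread: parse a day's worth of firewall log lines once, write the hits for each destination port to a per-port file, and pull out the "interesting" sources. It assumes two log formats: Netfilter LOG lines as produced by `iptables -j LOG` (the SRC=/DST=/PROTO=/SPT=/DPT= fields), and Cisco PIX message 106001 ("Inbound TCP connection denied from A/p to B/q ...") as thread_killer's local5 feed would carry. The sample log is constructed, the file name pattern port-<n>.log and the output directory are my own choice, and the "likely scanner" heuristic (one source touching several distinct ports) goes a step beyond the thread, which only asks about hits on a single port.

```python
"""Split firewall log lines out per destination port and flag likely scanners.
Added example, not code from the thread: one pass over the log, per-port files
(d0ppelg@nger's suggestion) plus a filter for the traffic worth a daily look
(thread_killer's /var/log/traffic idea)."""
import re
from collections import defaultdict
from pathlib import Path

# Netfilter LOG target lines as written by `iptables -j LOG` via the kernel facility.
NETFILTER_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
# Cisco PIX message 106001, the form a PIX local5 feed would carry:
# "Inbound TCP connection denied from A/p to B/q flags SYN on interface outside".
PIX_RE = re.compile(
    r"%PIX-\d-106001: Inbound (?P<proto>TCP|UDP) connection denied from "
    r"(?P<src>[\d.]+)/(?P<spt>\d+) to (?P<dst>[\d.]+)/(?P<dpt>\d+)"
)

# Constructed sample log: one host walking 31337/22/80/443 on the honeypot, one
# host poking 31337 twice through the PIX, and an sshd line that must be ignored.
SAMPLE_LOG = """\
Mar 14 21:38:01 honeypot kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.9.8.7 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=6311 PROTO=TCP SPT=54321 DPT=31337 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 14 21:38:01 honeypot kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.9.8.7 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=6312 PROTO=TCP SPT=54322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 14 21:38:02 honeypot kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.9.8.7 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=6313 PROTO=TCP SPT=54323 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 14 21:38:02 honeypot kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=10.9.8.7 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=6314 PROTO=TCP SPT=54324 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 14 21:40:10 pix-outside %PIX-2-106001: Inbound TCP connection denied from 172.16.5.5/1025 to 192.168.1.10/31337 flags SYN on interface outside
Mar 14 21:40:12 pix-outside %PIX-2-106001: Inbound TCP connection denied from 172.16.5.5/1026 to 192.168.1.10/31337 flags SYN on interface outside
Mar 14 21:41:00 honeypot sshd[4242]: Accepted publickey for nate from 192.168.1.2 port 50000 ssh2
"""


def parse_line(line):
    """Return a dict (src, dst, proto, spt, dpt, raw) for a firewall line, else None."""
    for rx in (NETFILTER_RE, PIX_RE):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            return {"src": d["src"], "dst": d["dst"], "proto": d["proto"].upper(),
                    "spt": int(d["spt"]), "dpt": int(d["dpt"]), "raw": line.rstrip("\n")}
    return None  # not a firewall line (sshd, cron, ...): skip it


def split_by_port(lines, watch_ports):
    """Bucket raw lines by destination port. watch_ports=None keeps every port,
    {31337} keeps only the port the original question asked about."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and (watch_ports is None or ev["dpt"] in watch_ports):
            buckets[ev["dpt"]].append(ev["raw"])
    return dict(buckets)


def scan_sources(lines, min_ports=3):
    """Sources that touched at least min_ports distinct destination ports.
    Distinct ports per source is what separates a scan from a single probe;
    the threshold is a tunable assumption, not anything the thread specifies."""
    ports_by_src = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            ports_by_src[ev["src"]].add(ev["dpt"])
    return sorted(src for src, ports in ports_by_src.items() if len(ports) >= min_ports)


def write_buckets(buckets, logdir):
    """Append each bucket to <logdir>/port-<n>.log (append, since this runs daily).
    Returns {port: Path}. The file name pattern is this example's own choice."""
    logdir = Path(logdir)
    logdir.mkdir(parents=True, exist_ok=True)
    written = {}
    for port, raws in buckets.items():
        path = logdir / f"port-{port}.log"
        with path.open("a") as fh:
            fh.write("\n".join(raws) + "\n")
        written[port] = path
    return written


if __name__ == "__main__":
    import sys
    # Ports to split out come from argv; default to 31337 as in the question.
    ports = {int(p) for p in sys.argv[1:]} or {31337}
    lines = SAMPLE_LOG.splitlines()
    for port, raws in split_by_port(lines, ports).items():
        print(f"port {port}: {len(raws)} hit(s)")  # port 31337: 3 hit(s)
    print("likely scanners:", scan_sources(lines))  # ['10.9.8.7']
```

In a real daily job you would replace SAMPLE_LOG with the file syslog writes for your LOG target or local5 facility and point write_buckets at something like /var/log/portscan/. The one check worth keeping from this is the unparsed-line path: anything that is not a firewall line is dropped rather than miscounted, so a chatty sshd or cron does not inflate the per-port counts.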

DjM
March 14th, 2003, 10:16 PM
You may also want to look into Swatch (http://swatch.sourceforge.net/). It's a utility to help manage and watch log files. SANS has an article "Using Swatch to Utilize Your Logs" (http://www.sans.org/rr/sysadmin/swatch.php) which may help you determine if Swatch will work for you.

Cheers,
