-
linux logging question
I am running a linux honeypot and am wondering if it's possible to send port scans to a specific log file. For example, I might want to log all port scan attempts for port 31337, and send them to the /var/log/portscan log. Would portsentry work well in this situation? Thanks for any suggestions.
Nate
-
Hrmm. I don't think I've ever configured something like that. You might want to look at snort's logging as they log per port, depending on setup. ;)
-
You could write a script, perl or shell, to parse the logfile each day and output the data for each port to its own specific file... Good project to learn perl and/or shell programming...
-
tcpdump -netti IF port X > /var/log/portscan.log, for example... quick, dirty, but efficient.
-
Quote:
Originally posted here by d0ppelg@nger
You could write a script, perl or shell, to parse the logfile each day and output the data for each port to its own specific file... Good project to learn perl and/or shell programming...
I do it kind of like this... only different. :)
I have traffic from my PIXes going to /var/log/local5 (which is the logging facility I use) then a Perl script picks through that for traffic I consider "interesting". The script changes depending on what I want to look at. Regardless, it dumps it all into a file named /var/log/traffic. I then check out the traffic logs once a day to see if anything strange is going on. So basically, this has been a very long way to say that d0ppelg@nger is right on with how to do it. :rolleyes:
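An added example of the "parse the log and split it per port" approach that the two posts above describe, not code from the thread (the posters use Perl; this is a Python equivalent). It reads syslog-style firewall lines, pulls out the destination port, keeps only the ports you care about (31337 here), and appends each port's hits to its own file. The sample log lines are constructed to resemble Linux iptables LOG output and a Cisco PIX 106023 deny message; the output directory and the port-NNN.log file names are assumptions, not anything the thread specified.

```python
"""Route firewall log lines to one file per destination port.

Added example for this thread: sample lines are constructed, and the
output directory / file naming (port-<N>.log) is an assumption.
"""
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Linux iptables LOG target: "... SRC=a.b.c.d DST=w.x.y.z ... PROTO=TCP SPT=n DPT=n ..."
# ICMP lines carry no SPT/DPT and are deliberately skipped.
IPTABLES_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
# Cisco PIX 106023 deny: "Deny tcp src outside:a.b.c.d/n dst inside:w.x.y.z/n by access-group ..."
PIX_RE = re.compile(
    r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<spt>\d+) dst \w+:(?P<dst>[\d.]+)/(?P<dpt>\d+)"
)

# Constructed sample: two firewall formats mixed with an unrelated sshd line.
SAMPLE_LOG = """\
Mar  4 02:11:07 honey kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1234 DF PROTO=TCP SPT=40123 DPT=31337 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  4 02:11:07 honey kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1235 DF PROTO=TCP SPT=40124 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  4 02:11:08 honey %PIX-4-106023: Deny tcp src outside:198.51.100.7/51022 dst inside:192.0.2.10/31337 by access-group "outside_in"
Mar  4 02:11:09 honey sshd[1234]: Accepted publickey for nate from 192.0.2.20 port 50111 ssh2
Mar  4 02:11:10 honey kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=1236 PROTO=UDP SPT=40125 DPT=31337 LEN=24
"""


def parse_line(line):
    """Return a dict with proto/src/spt/dst/dpt/raw, or None if the line is not a firewall hit."""
    for rx in (IPTABLES_RE, PIX_RE):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            return {
                "proto": d["proto"].lower(),
                "src": d["src"],
                "spt": int(d["spt"]),
                "dst": d["dst"],
                "dpt": int(d["dpt"]),
                "raw": line.rstrip("\n"),
            }
    return None


def split_by_port(lines, watch_ports=None):
    """Group parsed hits by destination port; watch_ports=None keeps every port."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if watch_ports is not None and rec["dpt"] not in watch_ports:
            continue
        buckets[rec["dpt"]].append(rec)
    return dict(buckets)


def scan_sources(buckets, port):
    """Hits per source address for one port: a quick 'who is poking this port' summary."""
    counts = defaultdict(int)
    for rec in buckets.get(port, []):
        counts[rec["src"]] += 1
    return dict(counts)


def write_port_logs(buckets, logdir):
    """Append each port's raw lines to <logdir>/port-<N>.log; returns {port: path}."""
    logdir = Path(logdir)
    logdir.mkdir(parents=True, exist_ok=True)
    written = {}
    for port, recs in buckets.items():
        path = logdir / f"port-{port}.log"
        with path.open("a", encoding="utf-8") as fh:
            for rec in recs:
                fh.write(rec["raw"] + "\n")
        written[port] = path
    return written


def demo(watch_ports=None):
    """Run the whole pipeline on the sample into a temp dir; returns {port: lines written}."""
    buckets = split_by_port(SAMPLE_LOG.splitlines(), watch_ports)
    paths = write_port_logs(buckets, tempfile.mkdtemp(prefix="portscan-"))
    return {port: len(p.read_text(encoding="utf-8").splitlines()) for port, p in paths.items()}


if __name__ == "__main__":
    hits = split_by_port(SAMPLE_LOG.splitlines(), watch_ports={31337})
    print("31337 sources:", scan_sources(hits, 31337))
    print("files written:", demo(watch_ports={31337}))
```

In practice you would point this at the file your syslog facility writes (local5 in the post above) from a daily cron job, and pass watch_ports={31337} to get the single /var/log/portscan-style file the original question asked for; leaving watch_ports as None gives one file per port.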