Whois is all you need to know who was doing what. I recommend that you download and install Snort and its signatures, let it run for a while, and then keep checking what every event that shows up is. Snort (as well as others) will vividly describe what it sees and why it thinks it's bad. Just remember, IDS boxes are just like AV software: they only detect 'known attack signatures'. They could, depending on how the filter is written, miss an attack that has been modified, or variants of the same attack. In other words, you will not be able to see everything that has been going on, but usually enough to know someone was up to no good...
June 25th, 2002, 08:16 PM
Well, if you set snort to log to syslog (for *nix), you can use swatch or logcheck to monitor the log and mail you under certain conditions.
It is possible to run snort on win32 platforms; binaries are available here.
Maybe there is a utility available for Windows which could take care of the notification, I don't know.
Also, you could set snort to log to mysql, and find a script or something which will periodically check for new additions to the database, and mail those to you.
Also, there is something called ACID which is an analysis console for snort, basically a webpage. I suppose you could use that remotely, although I'm not sure you would really want it set up that way, as now your IDS box would have to make services available from the internet and that could lead to a compromised IDS box.
demarc was at one time (and I think still is) free for non-commercial use (same with acid). They are both basically http front ends and if you take the time to properly secure the server with access-lists/authentication/patches and restrict access at your firewall, it should be 'ok' to use.
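The periodic "check for new additions and mail them" idea from this post, as an added example that is not code from the thread: it reads Snort's fast-format alert log instead of the MySQL table, remembers how far it got between runs, keeps only priority 1 and 2 alerts, and builds the text you would hand to sendmail or smtplib. The alert lines are constructed samples and the SIDs in them are placeholders.

```python
import re
from dataclasses import dataclass

# Snort "alert_fast" line layout (classic format; the timestamp carries no year).
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

@dataclass
class Alert:
    ts: str
    sid: str
    msg: str
    priority: int   # Snort priority: 1 is the most severe
    proto: str
    src: str
    dst: str

def parse_fast_line(line):
    """Parse one alert_fast line; return None for anything that does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], m["sid"], m["msg"], int(m["prio"]), m["proto"], m["src"], m["dst"])

def new_alerts(lines, state, max_priority=2):
    """Alerts appended since the last run with priority <= max_priority.
    `state` holds the number of lines already reported (persist it between cron runs;
    reset it when the log is rotated)."""
    seen = state.get("lines_seen", 0)
    fresh = [a for a in map(parse_fast_line, lines[seen:]) if a and a.priority <= max_priority]
    state["lines_seen"] = len(lines)
    return fresh

def build_mail_body(alerts):
    """Plain-text summary, one line per alert, for the notification mail."""
    return "\n".join(f"{a.ts} prio={a.priority} sid={a.sid} {a.proto} {a.src} -> {a.dst}  {a.msg}"
                     for a in alerts)

# Constructed sample log (not real traffic); SIDs 1000001-1000003 are the local-rule range.
SAMPLE_LOG = """\
06/25-20:16:01.123456  [**] [1:1000001:1] CONSTRUCTED ssh probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:41234 -> 198.51.100.5:22
06/25-20:16:05.654321  [**] [1:1000002:1] CONSTRUCTED ICMP ping [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.11 -> 198.51.100.5
06/25-20:17:09.000001  [**] [1:1000003:1] CONSTRUCTED web server probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.12:51000 -> 198.51.100.5:80
"""

if __name__ == "__main__":
    state = {}
    print(build_mail_body(new_alerts(SAMPLE_LOG.splitlines(), state)))
```

Run it from cron with the state dict pickled to disk and the output piped to mail; the priority-3 ping is dropped and the two probes are reported once.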
June 25th, 2002, 09:27 PM
Sorry for the short reply..
I found one tool for Windows/Snort in my mail yesterday and it may be worth checking out?
IDScenter : Snort IDScenter is a GUI for Snort IDS on Windows platforms.
Remember that this is a beta and not a stable release; I would not recommend putting it in production without some thorough testing first :).
June 26th, 2002, 12:22 PM
Ta, so far so good. I've got that Snort control center and I use it for my PC at home; it is very handy. And BTW, thanks to everybody for their help. If anything else comes up, please don't hesitate to post.