If it's any help, here's a sed script that is reasonably good at pulling out suspicious-looking items generated by various daemons. Fix appropriately...

_H*

=========
# this should match a buncha different stuff
/ [Pp]ermi/b ff
/ PERMI/b ff
/ [Rr]efuse/b ff
/ REFUSE/b ff
/ [Dd]en[yi]/b ff
/ DEN[YI]/b ff
/[Rr]eject/b ff
/REJECT/b ff
/[Bb]ogus/b ff
/[Pp]assw/b ff
/PASSW/b ff
/[Ff]ail[eu]/b ff
/FAIL[EU]/b ff
/[Mm]ismatc/b ff
/ != /b ff
/[Aa]ttack/b ff
/ATTACK/b ff
/[Aa]ttempt/b ff
/ATTEMPT/b ff
/[Ss]poof/b ff
/SPOOF/b ff
/ twist /b ff
# nuke anything unmatched so far
d
# exclude section:
: ff
/comsat.*localhost/d
# ppp turds
/ pppd[:[]/d
# named loses while primaries are down
/ named.* timed out/d

[mod: If I read this correctly it prints recognized stuff, and generally discards anything that doesn't match. I disapprove of this technique: There might be a message that looks innocent because it doesn't have any of the above trigger words in it, but is actually a break-in report. You should start out with an empty script, and match/delete the annoying messages that keep on clobbering the output. -- REW ]
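The two strategies the moderator contrasts, as an added example that is not part of the original post: a shortened form of the trigger-word script above beside a script that only deletes known noise, both run over constructed syslog lines (host name, PIDs and addresses are made up). It assumes a POSIX sh and sed.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample syslog lines
# (host, PIDs and addresses are made up). The last line is the case the
# moderator warns about: no trigger word in it, yet it is the one to read.
sample_log() {
    cat <<'EOF'
Jan 16 02:11:03 host sshd[412]: Failed password for root from 192.0.2.9
Jan 16 02:11:09 host pppd[88]: Connect: ppp0 <--> /dev/ttyS1
Jan 16 02:12:40 host named[77]: zone transfer of "example.org" timed out
Jan 16 02:13:01 host comsat[301]: connect from localhost
Jan 16 02:14:22 host in.telnetd[501]: connect from 192.0.2.9
Jan 16 02:15:00 host login: ROOT LOGIN ON tty1 FROM 192.0.2.9
EOF
}

# Strategy 1, a shortened form of the script above: branch to the label on a
# trigger word, delete everything else, then drop known noise from the rest.
keyword_filter() {
    sed -e '/[Ff]ail[eu]/b ff
/[Pp]assw/b ff
/[Rr]efuse/b ff
/[Dd]en[yi]/b ff
/[Aa]ttempt/b ff
d
:ff
/comsat.*localhost/d'
}

# Strategy 2, the moderator's advice: start with an empty script, add one
# delete rule per message that is known to be noise, and let everything
# else through for a human to read.
noise_filter() {
    sed -e '/comsat.*localhost/d' \
        -e '/ pppd[:[]/d' \
        -e '/ named.* timed out/d'
}

# Number of sample lines a given filter lets through.
kept_by() {
    sample_log | "$1" | wc -l | tr -d ' '
}

echo "== trigger-word filter ($(kept_by keyword_filter) lines) =="
sample_log | keyword_filter
echo "== known-noise filter ($(kept_by noise_filter) lines) =="
sample_log | noise_filter
```

The trigger-word script keeps only the "Failed password" line and silently drops the root login; the noise-deleting script drops the three known-noise lines and leaves the rest, including the root login, for review.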
> [mod: If I read this correctly it prints recognized stuff, and
> generally discards anything that doesn't match. I disapprove
> of this technique: There might be a message that looks innocent
> because it doesn't have any of the above trigger words in it,
> but is actually a break-in report. You should start out with
> an empty script, and match/delete the annoying messages that
> keep on clobbering the output. -- REW ]

I have a program called logcheck that does just this. It's a clone of a log checker found on TIS Gauntlet and works very well with systems with TCP wrappers and/or the TIS Firewall Toolkit. It works very well on standard Linux (RedHat, Slackware), FreeBSD (2.x), BSDI (1.1, 2.X) and other similar UNIX BSD OS types.

You can find this program at http://www.psionic.com/logcheck.html

The current version is 1.01; there will be an update to 1.1 in a few weeks. This site is on a poor 28.8 connection, so please be patient if it is slow. It is probably mirrored at various archives (COAST); if anyone else wishes to mirror, please feel free.

Thanks,
-- Craig
*Hobbit* <hobbit@avian.org> wrote:
: If it's any help, here's a sed script that is reasonably good at pulling out
: suspicious-looking items generated by various daemons. Fix appropriately...

Before people start hacking out their own custom versions of SED, please try swatch v2.1 (not 2.2). It does this already and has code to automatically do something when a trigger is activated; see below for a SAMPLE config. (portcullis is our router)

/portcullis.*login failed/ mail=admin
/portcullis.*restarted/ exec="/usr/local/bin/tpage - `date +%m%d%H%M`:$0"

I've been basically going through stuff and looking for error messages that would symbolize something strange. However, there is a huge number of error messages that people have decided mean a security problem.... :)

--
-Matt (panzer@dhp.com) -- DataHaven Project - http://www.dhp.com/
"That which can never be enforced should not be prohibited."

[mod: and Craig H. Rowland (crowland@psionic.com) adds: -- REW]

I have a program called logcheck that does just this. It's a clone of a log checker found on TIS Gauntlet and works very well with systems with TCP wrappers and/or the TIS Firewall Toolkit. It works very well on standard Linux (RedHat, Slackware), FreeBSD (2.x), BSDI (1.1, 2.X) and other similar UNIX BSD OS types.

You can find this program at http://www.psionic.com/logcheck.html

The current version is 1.01; there will be an update to 1.1 in a few weeks. This site is on a poor 28.8 connection, so please be patient if it is slow. It is probably mirrored at various archives (COAST); if anyone else wishes to mirror, please feel free.

Thanks,
-- Craig
On Thu, 16 Jan 1997, Christopher Hicks wrote:
> What's wrong with swatch 2.2?

2.2 changed how it handled signals, in such a way as to not work on Linux.

-Matt (panzer@dhp.com) -- DataHaven Project - http://www.dhp.com/
"That which can never be enforced should not be prohibited."