Re: IDS: how do you configure your firewall ( router ) to log to a different machine ?
FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------
Gerardo,
One way would be to keep the setup you have right now and have the same
information go to another set of mirror logs such as /usr/local/adm/messages.
Since it is an unusual place, the attacker will normally look only in the
standard Unix log directory structure (what would now be the trap) and the
real logs are saved into the other directory untouched. You can add your
personal log structure in /etc/syslog.conf.
Hope this helps.
Guy
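An added example, not part of either message in this thread: a small Python check that parses a syslog.conf in the selector/action format the reply relies on and lists the selectors that land only in a local file with no copy forwarded to another machine. The sample configuration and the hostname loghost.example.org are constructed for the example.

```python
# Constructed sample syslog.conf: the standard /var/log files an intruder
# would wipe, the mirror in an unusual directory the reply suggests, and a
# copy forwarded to a remote log host (hostname is hypothetical).
SAMPLE_SYSLOG_CONF = """\
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
mail.*                            -/var/log/maillog
# mirror logs outside the standard tree
*.info;mail.none;authpriv.none    /usr/local/adm/messages
authpriv.*                        /usr/local/adm/secure
# off-host copy
*.info;mail.none;authpriv.none    @loghost.example.org
"""

def parse_syslog_conf(text):
    """Return (selector, action) pairs; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # selector, then whitespace, then action
        if len(parts) == 2:
            rules.append((parts[0], parts[1]))
    return rules

def classify(action):
    """'remote' for @host, 'file' for a path (a leading '-' means async write)."""
    if action.startswith("@"):
        return "remote"
    if action.lstrip("-").startswith("/"):
        return "file"
    return "other"  # pipes, user lists, '*'

def selectors_without_remote_copy(text):
    """Selectors written to a local file but never forwarded off-host.
    Selectors are compared as exact strings, so this is conservative and
    may report a selector that a differently spelled rule already covers."""
    files, remote = set(), set()
    for selector, action in parse_syslog_conf(text):
        kind = classify(action)
        if kind == "file":
            files.add(selector)
        elif kind == "remote":
            remote.add(selector)
    return sorted(files - remote)
```

Run selectors_without_remote_copy() over the contents of your own /etc/syslog.conf; for the sample it reports authpriv.* and mail.*, which an intruder who wipes /var/log could still erase completely.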
Gerardo Soto Casados wrote:
>
> Hello to everyone:
>
> My name is Gerardo Soto. I am the network administrator for a web site
> in Mexico.
> My interest in joining this mail list is mostly because I have been
> under heavy cracker attack lately, and somehow I have not been able to
> exactly detect where the attacks are coming from. So I am really
> interested in finding a real way to do it.
> Is there a way to really find out where the attack is coming from?
> I have a redhat linux box 5.0 version with a 2511 cisco router. I set
> up a firewall but this guy still managed to break in, and as you all can
> imagine, he erased all my logs.
> Would anyone help me out?