
Re: IDS: how do you configure your firewall ( router ) to log to a different machine ?



FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicted mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

Gerardo Soto Casados wrote:
> My interest in joining this mail list is mostly because I have been
> under heavy cracker attack lately, and somehow I have not been able to
> exactly detect where the attacks are coming from. So I am really
> interested in finding a real way to do it.
>   Is there a way to really find out where the attack is coming from?
> I have a Red Hat Linux box, 5.0 version, with a 2511 Cisco router. I set
> up a firewall but this guy still managed to break in, and as you all can
> imagine, he erased all my logs.
>  Would anyone help me out?

The most foolproof mechanism is to put a sniffer on the wire that taps
into the network traffic. Unfortunately, it is also the solution that
requires the most expertise. 

The advantage of this is that it is an independent machine that can't
be broken into (because it only reads network traffic, but doesn't
communicate on the net).

Rob.


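The sniffer box Rob describes has one job: read frames off a tap and keep its own record of who tried to reach what, on a machine the intruder cannot reach over the network. What follows is an added example, not code from the thread or from Rob, of the receiving side of that setup: it reads a capture file in the classic libpcap format (what tcpdump -w writes), parses the Ethernet/IPv4/TCP headers by hand, and tallies inbound connection attempts (SYN without ACK) per source address and destination port. The addresses, the frames and the capture itself are constructed sample input; the monitored network 192.0.2.0/24 is an assumption.

```python
"""Passive SYN logger: parse a libpcap capture and tally inbound connection
attempts per source. Added example; all traffic below is constructed."""
import socket
import struct
from collections import Counter, defaultdict

ETH_TYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


# --- constructed sample traffic --------------------------------------------

def build_tcp_frame(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (no options). Checksums are
    left zero: this is parser input, not something to send on a real wire."""
    eth = b"\x00\x00\x5e\x00\x53\x01" + b"\x00\x00\x5e\x00\x53\x02" \
        + struct.pack("!H", ETH_TYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def build_pcap(frames):
    """Serialize frames as a little-endian libpcap file, linktype 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 900000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def sample_capture():
    """Constructed capture: one host probing several ports on 192.0.2.10, one
    ordinary web client, the victim's own SYN-ACK replies, and an ARP frame."""
    frames = [build_tcp_frame("203.0.113.7", "192.0.2.10", 40000 + p, p, TCP_SYN)
              for p in (21, 23, 25, 110)]
    frames.append(build_tcp_frame("198.51.100.5", "192.0.2.10", 51000, 80, TCP_SYN))
    frames.append(build_tcp_frame("192.0.2.10", "203.0.113.7", 23, 40023, TCP_SYN | TCP_ACK))
    frames.append(b"\xff" * 6 + b"\x00\x00\x5e\x00\x53\x02" + b"\x08\x06" + b"\x00" * 28)
    return build_pcap(frames)


# --- the passive side: make sense of what the tap saw ----------------------

def read_pcap(data):
    """Yield raw frames from libpcap bytes; accepts either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None.
    Non-IP frames, non-TCP packets and truncated headers are skipped."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, tcp[13]


def tally_syns(frames, our_net="192.0.2."):
    """Count inbound connection attempts (SYN set, ACK clear) per source, and
    record which destination ports each source touched. Replies from our own
    hosts (SYN-ACK) are not attempts and are ignored."""
    attempts = Counter()
    ports = defaultdict(set)
    for frame in frames:
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, flags = parsed
        if flags & TCP_SYN and not flags & TCP_ACK and dst.startswith(our_net):
            attempts[src] += 1
            ports[src].add(dport)
    return attempts, ports


if __name__ == "__main__":
    counts, seen_ports = tally_syns(read_pcap(sample_capture()))
    for src, n in counts.most_common():
        print(f"{src}: {n} attempts on ports {sorted(seen_ports[src])}")
```

On a real deployment the capture interface is brought up with no IP address assigned and the file is written by tcpdump on that interface; this script then runs against the file, so the logging path never depends on the firewall or the compromised host. A source that hits several service ports in quick succession, as 203.0.113.7 does in the constructed capture, stands out immediately from a client that only ever opens port 80.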