
List:       sentry
Subject:    Re: [Abacus] Summary Logcheck - option
From:       Nate Campi <nate () campin ! net>
Date:       2000-09-25 18:33:01

On Mon, 25 Sep 2000, Robert Wagner wrote:

> 
> Does anyone know if there is a way to configure logcheck to show summary
> information?  I am afraid new attacks and important information are being
> hidden between the clutter.
> 
> My current logcheck sends me information like:
> _______________________________
> Sep 25 09:01:40 mail portsentry[733]: attackalert: UDP scan from host:
> 192.168.0.5/192.168.0.5 to UDP port: 68
> Sep 25 09:01:40 mail portsentry[733]: attackalert: Host:
> 192.168.0.5/192.168.0.5 is already blocked Ignoring
> Sep 25 09:03:01 mail portsentry[733]: attackalert: UDP scan from host:
> 192.168.0.5/192.168.0.5 to UDP port: 68
> __________________________
> Over and Over again from a few IP address (port 68 - DHCP requests).  Since
> I am on DSL someone on our DSLAM has a misconfigured router and is letting
> DHCP request broadcast to the DSLAM.  Any important information I want to
> see is lost in pages of port 68 from a couple of IP addresses.  What I would
> like to see is a summary at the beginning:
> _____________________
> You had 42 new: Sep 25 09:27:09 mail portsentry[733]: attackalert: Host:
> dsl-b41.ia.mwaccess.net/209.64.152.41 
> Sep 25 09:27:09 mail portsentry[733]: attackalert: UDP scan from host:
> dsl-b41.ia.mwaccess.net/209.64.152.41 to UDP port: 68
> 
> You had 117 already known: Sep 25 09:01:40 mail portsentry[733]: attackalert:
> UDP scan from host: 192.168.0.5/192.168.0.5 to UDP port: 68
> Sep 25 09:01:40 mail portsentry[733]: attackalert: Host:
> 192.168.0.5/192.168.0.5 is already blocked Ignoring
> 
> You had 12 already known: Sep 25 09:01:40 mail portsentry[733]: attackalert:
> UDP scan from host: 192.168.0.6/192.168.0.6 to UDP port: 68
> Sep 25 09:01:40 mail portsentry[733]: attackalert: Host:
> 192.168.0.6/192.168.0.6 is already blocked Ignoring
> ___________________________
> 

You might be interested in some changes I made to logcheck. I call a perl
script which sorts out messages and only reports once on each message,
with the times it was reported prepended to the message.

Example:
Sep 24 20:22:39, 20:22:45, 21:49:14, 21:49:19 zeus 
postfix/smtpd: reject: CONNECT from unknown[195.205.242.18]: 554 Service
unavailable; [195.205.242.18] blocked using relays.mail-abuse.org

You'll see from the above that the message was reported 4 times, but was
only reported once in the logcheck output. If you're interested in my
mods, visit www.campin.net. You can read up on it and download my version
from there.

Feel free to email me off list with any questions.

HTH,
--
Nate Campi
"If we knew what we were doing, it wouldn't be called research." - Einstein
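The de-duplication Nate describes above, written out as an added Python example (not his perl script and not part of logcheck): identical syslog messages are grouped after the timestamp is stripped, and each distinct message is reported once with a count and all of its times prepended, which also gives the per-message totals Robert asked for. The sample input is constructed from the portsentry lines quoted in the thread; stripping the `[pid]` from the program tag is my own assumption.

```python
import re
from collections import OrderedDict

# BSD syslog prefix: "Mon DD HH:MM:SS host message"
SYSLOG_RE = re.compile(r"^(\w{3} {1,2}\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
# "[733]" PID suffix on the program tag. Stripping it is my own assumption:
# it keeps a restarted daemon from splitting one message into two groups.
PID_RE = re.compile(r"^(\S+?)\[\d+\]:")

# Constructed sample input, modelled on the portsentry lines quoted above.
SAMPLE = """\
Sep 25 09:01:40 mail portsentry[733]: attackalert: UDP scan from host: 192.168.0.5/192.168.0.5 to UDP port: 68
Sep 25 09:01:40 mail portsentry[733]: attackalert: Host: 192.168.0.5/192.168.0.5 is already blocked Ignoring
Sep 25 09:03:01 mail portsentry[733]: attackalert: UDP scan from host: 192.168.0.5/192.168.0.5 to UDP port: 68
Sep 25 09:03:01 mail portsentry[733]: attackalert: Host: 192.168.0.5/192.168.0.5 is already blocked Ignoring
Sep 25 09:27:09 mail portsentry[802]: attackalert: UDP scan from host: 192.168.0.6/192.168.0.6 to UDP port: 68
"""

def summarise(lines):
    """Group identical messages; return (date, host, message) -> [times]."""
    groups = OrderedDict()
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        m = SYSLOG_RE.match(line)
        if m is None:
            # Unparseable line: keep it verbatim rather than silently drop it.
            groups.setdefault(("", "", line), []).append("")
            continue
        date, time, host, msg = m.groups()
        msg = PID_RE.sub(r"\1:", msg, count=1)
        groups.setdefault((date, host, msg), []).append(time)
    return groups

def format_summary(groups):
    """One line per distinct message: count, date, all times, host, text."""
    out = []
    for (date, host, msg), times in groups.items():
        if not date:
            out.append(msg)
        else:
            out.append(f"{len(times)}x {date} {', '.join(times)} {host} {msg}")
    return out

if __name__ == "__main__":
    for line in format_summary(summarise(SAMPLE.splitlines())):
        print(line)
```

Feed it the raw lines logcheck would otherwise mail you; lines that do not carry a syslog prefix are passed through unchanged so nothing is lost in the summary.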
