* Jason P. Stanford wrote on Tue, Aug 01, 2000 at 11:35 -0700:
especially due to web traffic to the machine (a lot of ALLOW's). Can I change a config to prevent firewall from making duplicate entries to /var/log/messages?
That's not possible (at least with ipchains). You should check your configuration and environment; it's bad if you get lots of prohibited connection attempts. You have to reduce them, otherwise your logging makes no sense, since you will never be able to read the logs! If you have "expected" denies, insert a rule that rejects/denies those packets without logging.
Also, scanlogd does not seem to log any scans except for those from localhost (127.0.0.1).
Here it works...
I've been playing with it, and running nmap on another machine on my local subnet, but these scans (not in any "stealth" mode) never
scanlogd should detect stealth mode scans.
get logged and scanlogd is most definitely running. I don't see any config files for scanlogd,
There isn't a config file. Some tunables you can modify at compile time: scanlogd uses some #defines in some include files (look at the source for documentation :)). If you need a more complex and advanced IDS tool, you may take a look at snort (www.snort.org), which is highly configurable. oki, Steffen -- This message was generated by machine and therefore bears neither signature nor seal.
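As an added illustration of the advice above about "expected" denies (this is example code, not part of the original thread or of ipchains/scanlogd): the script below parses ipchains `Packet log:` lines as they appear in /var/log/messages, counts which rule, protocol and destination port produce the most logged hits, and emits the ipchains commands that would silence the noisiest expected traffic. For DENY/REJECT hits it proposes a matching rule without `-l`, inserted at position 1 so it fires before the logging catch-all; for logged ACCEPT hits (the "lot of ALLOW's" complaint) it points at the rule whose `-l` should simply be removed. The sample log lines are constructed, and the exact field layout of the ipchains log message is assumed from memory rather than taken from the post.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original post), in the format
# ipchains writes to /var/log/messages for a rule that carries -l.
# The field order (chain target iface PROTO= src:port dst:port ... (#rule))
# is an assumption about the ipchains log format.
SAMPLE_LOG = """\
Aug  1 11:30:01 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:1025 192.168.0.2:139 L=48 S=0x00 I=4711 F=0x4000 T=128 SYN (#7)
Aug  1 11:30:02 host kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:1026 192.168.0.2:139 L=48 S=0x00 I=4712 F=0x4000 T=128 SYN (#7)
Aug  1 11:30:03 host kernel: Packet log: input DENY eth0 PROTO=17 10.1.2.9:137 192.168.0.2:137 L=78 S=0x00 I=4713 F=0x0000 T=128 (#7)
Aug  1 11:30:04 host kernel: Packet log: input ACCEPT eth0 PROTO=6 10.9.9.9:40000 192.168.0.2:80 L=60 S=0x00 I=4714 F=0x4000 T=64 SYN (#3)
Aug  1 11:30:05 host kernel: Packet log: input DENY eth0 PROTO=6 10.7.7.7:2000 192.168.0.2:23 L=60 S=0x00 I=4715 F=0x4000 T=64 SYN (#7)
Aug  1 11:30:06 host sshd[123]: Accepted password for jps from 10.9.9.9 port 40001
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+).*?\(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_packet_log(text):
    """Return one dict per ipchains 'Packet log:' line; unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("proto", "sport", "dport", "rule"):
            d[key] = int(d[key])
        entries.append(d)
    return entries


def summarize(entries):
    """Count logged packets per (chain, target, rule number, protocol, destination port)."""
    return Counter(
        (e["chain"], e["target"], e["rule"], e["proto"], e["dport"]) for e in entries
    )


def suggest_nolog_rules(counts, min_count=2):
    """Propose how to stop the noisiest logged traffic from reaching syslog.

    DENY/REJECT hits: a rule with the same verdict but no -l, inserted at
    position 1 so it matches before the logging catch-all rule.
    ACCEPT hits: no new rule is needed; the accepting rule should lose its -l.
    Only keys seen at least min_count times are reported, noisiest first.
    """
    suggestions = []
    for (chain, target, rule, proto, dport), n in counts.most_common():
        if n < min_count:
            continue
        proto_name = PROTO_NAMES.get(proto, str(proto))
        if target in ("DENY", "REJECT"):
            # For ICMP the logged "port" is the ICMP type, so no port spec is emitted.
            port_spec = "" if proto == 1 else f" -d 0/0 {dport}"
            suggestions.append(
                f"ipchains -I {chain} 1 -p {proto_name}{port_spec} -j {target}"
            )
        else:
            suggestions.append(
                f"# {n} logged {target} hits on {proto_name}/{dport}: "
                f"remove -l from rule #{rule} in chain {chain}"
            )
    return suggestions


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; feed real data with
    # e.g. parse_packet_log(open('/var/log/messages').read()).
    counts = summarize(parse_packet_log(SAMPLE_LOG))
    for key, n in counts.most_common():
        print(n, key)
    for s in suggest_nolog_rules(counts, min_count=1):
        print(s)
```

Run the suggested `ipchains -I ... -j DENY` lines before the logging catch-all (typically something like `ipchains -A input -j DENY -l` at the end of the chain); because the new rules have no `-l`, those packets are still dropped but no longer written to /var/log/messages, which is exactly the "deny without logging" rule recommended above.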