On Sun, 2002-10-20 at 12:35, Al Bogner wrote:
I thought that there could be a script or whatever, which analyzes firewall logs from a "general" view.
You might like to take a look at an intrusion detection system like snort. http://www.snort.org/ Snort can be installed straight from the SuSE CD. New rules can be downloaded from the snort server but usually need some editing to function with the snort.conf that is shipped with SuSE. There are several tools for analysing snort logfiles to be found on the snort web server. A sample log entry looks like this:

---8<---
[**] [1:884:6] WEB-CGI formmail access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
10/19-20:17:45.581832 67.113.247.186:33326 -> xxx.xxx.xxx.xxx:80
TCP TTL:106 TOS:0x0 ID:29404 IpLen:20 DgmLen:693 DF
***AP*** Seq: 0xC6F88849 Ack: 0xEE772CE8 Win: 0xFFFF TcpLen: 20
[Xref => http://www.securityfocus.com/bid/1187] [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0172] [Xref => http://www.whitehats.com/info/IDS226]
---8<---

Besides that snort can write the logs to an (external) MySQL or PostgreSQL database server. The version that is shipped on the SuSE CD however lacks database support, so you need to recompile it to use that feature. When logging to a MySQL database you can integrate the MySQL/snort thing into bigbrother, a network monitoring tool. http://www.bb4.com/
I found out that a lot of scans to my host come from "developing" countries, especially from South America and Asia.
Most of what you see in your logs is simply background noise, especially when you have a dynamically assigned IP.

Wolfgang
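A small parser for snort's "full" alert format, as shown in the quoted entry above, added here as an example; it is not part of the mail thread and not one of the analysis tools from the snort web server. It assumes the six-line layout of the sample entry (header with gid:sid:rev, classification/priority, timestamp and addresses, protocol line, flags line, Xref line) and that alerts are separated by blank lines, which is how snort writes its alert file. The sample input is constructed: the first entry is the one from the mail, the other three are made up for the example and use RFC 5737 documentation addresses, with illustrative signature ids and names. The summary it produces is the "general view" asked for in the thread: alerts per source, per signature, the priority-1 hits, and the sources that come back more than once, which is one way to separate a persistent scanner from the background noise Wolfgang mentions.

```python
"""Parse snort 'full' alert-mode entries and summarise them per source host.

Added example; not snort's own code.  SAMPLE_ALERTS is constructed input:
the first entry is the one quoted in the mail, the rest are made up and use
RFC 5737 documentation addresses (192.0.2.0/24, 198.51.100.0/24).
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_ALERTS = """\
[**] [1:884:6] WEB-CGI formmail access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
10/19-20:17:45.581832 67.113.247.186:33326 -> xxx.xxx.xxx.xxx:80
TCP TTL:106 TOS:0x0 ID:29404 IpLen:20 DgmLen:693 DF
***AP*** Seq: 0xC6F88849 Ack: 0xEE772CE8 Win: 0xFFFF TcpLen: 20
[Xref => http://www.securityfocus.com/bid/1187][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0172][Xref => http://www.whitehats.com/info/IDS226]

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/19-21:02:11.000001 192.0.2.10 -> xxx.xxx.xxx.xxx
ICMP TTL:48 TOS:0x0 ID:4321 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO

[**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
10/19-21:05:03.123456 192.0.2.10:2049 -> xxx.xxx.xxx.xxx:80
TCP TTL:110 TOS:0x0 ID:6611 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1A2B3C4D Ack: 0x0 Win: 0x4000 TcpLen: 20

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
10/20-02:14:58.555555 198.51.100.7 -> xxx.xxx.xxx.xxx
ICMP TTL:51 TOS:0x0 ID:9 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO
"""

# One regex per line type of the full alert format; anything else is ignored.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
ADDR_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+)")
XREF_RE = re.compile(r"\[Xref => ([^\]]+)\]")


@dataclass
class Alert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str = ""
    priority: int = 0
    timestamp: str = ""
    src: str = ""
    sport: Optional[int] = None          # None for protocols without ports (ICMP)
    dst: str = ""
    dport: Optional[int] = None
    proto: str = ""
    ttl: Optional[int] = None
    xrefs: List[str] = field(default_factory=list)


def parse_block(block: str) -> Optional[Alert]:
    """Parse one blank-line-delimited alert; return None if it is not an alert."""
    lines = [ln.rstrip() for ln in block.strip().splitlines()]
    if not lines:
        return None
    m = HEADER_RE.match(lines[0])
    if not m:
        return None  # not a snort alert header: skip rather than crash on junk
    alert = Alert(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))
    for ln in lines[1:]:
        if (m := CLASS_RE.match(ln)):
            alert.classification, alert.priority = m.group(1), int(m.group(2))
        elif (m := ADDR_RE.match(ln)):
            alert.timestamp, alert.src, alert.dst = m.group(1), m.group(2), m.group(4)
            alert.sport = int(m.group(3)) if m.group(3) else None
            alert.dport = int(m.group(5)) if m.group(5) else None
        elif (m := PROTO_RE.match(ln)):
            alert.proto, alert.ttl = m.group(1), int(m.group(2))
        alert.xrefs.extend(XREF_RE.findall(ln))  # Xrefs may sit on any line
    return alert


def parse_alerts(text: str) -> List[Alert]:
    return [a for a in (parse_block(b) for b in re.split(r"\n\s*\n", text)) if a]


def summarise(alerts: List[Alert]) -> Dict[str, object]:
    """The 'general view': who, what, and which hits deserve a second look."""
    return {
        "by_source": Counter(a.src for a in alerts),
        "by_signature": Counter(f"{a.gid}:{a.sid} {a.msg}" for a in alerts),
        "by_classification": Counter(a.classification for a in alerts),
        "high_priority": [(a.timestamp, a.src, a.msg) for a in alerts if a.priority == 1],
    }


def repeat_sources(alerts: List[Alert], min_alerts: int = 2) -> Dict[str, List[int]]:
    """Sources seen at least min_alerts times, with the distinct sids they triggered.
    A single probe is usually noise; a host that returns with several signatures is not."""
    sids = defaultdict(set)
    for a in alerts:
        sids[a.src].add(a.sid)
    counts = Counter(a.src for a in alerts)
    return {src: sorted(sids[src]) for src, n in counts.items() if n >= min_alerts}


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_ALERTS)
    s = summarise(found)
    print("alerts per source:")
    for src, n in s["by_source"].most_common():
        print(f"  {n:4d}  {src}")
    print("priority 1:")
    for ts, src, msg in s["high_priority"]:
        print(f"  {ts}  {src}  {msg}")
    print("repeat sources:", repeat_sources(found))
```

Run it against a real alert file with `parse_alerts(open("/var/log/snort/alert").read())`; entries in a format the regexes do not recognise (for example the one-line "fast" alert mode) are skipped rather than raising, so check `len(parse_alerts(...))` against the number of `[**]` headers if the counts look too low.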