
Re: [cobalt-security] One weird HaQ... have you seen this..



Hi Jeff,

> > - Put your own sniffer on the same subnet and log all traffic to the box.
>
> That's a bit beyond me at the moment; I have a book I'll look it up in.
> Good idea, though I'm not sure I'm the one who wants to wade through the
> logs <wry grin>.

Give Demarc a look (www.demarc.org). It's a web-based frontend to Snort and I
use it on my own machine. It logs to a MySQL database and depending on how
good your Snort signatures are you'll get a pretty solid impression of what's
going on in your subnet.

Sure, there will be many reports to look after, but after a week or two 
you'll figure out that you don't need most of the rules and you drop 'em out 
- leaving only those items of interest you really want to know about.

Demarc does quite a good job as it also helps to identify which websites and 
servers are running such horrible things as upload.cgi or formail.pl. 
Services which you usually only learn about when your disks are full, or when 
your Sendmail is putting in an extra shift or two. ;o)

-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
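The tuning step Michael describes (run Snort for a week or two, see which rules fire constantly, drop the ones you don't care about) can be done from the alert log itself. The following is an added example, not code from the post or from Demarc: it parses constructed lines in Snort's alert_fast format, ranks signatures by how often they fired, and emits threshold.conf `suppress` entries for the noisy ones while keeping anything whose message matches a keep-list (here the local upload.cgi rule). The sample alerts, the local SID 1000001 and the hit threshold are assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort's alert_fast format (made up for this example, not real traffic).
SAMPLE_ALERTS = """\
01/22-14:03:21.123456  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.7 -> 192.168.1.10
01/22-14:03:25.000001  [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.9:1027 -> 192.168.1.10:161
01/22-14:05:02.555555  [**] [1:1000001:1] WEB-CGI upload.cgi access [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 10.0.0.5:43211 -> 192.168.1.10:80
01/22-14:06:40.000002  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.7 -> 192.168.1.10
01/22-14:07:11.000003  [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.9:1028 -> 192.168.1.10:161
01/22-14:09:58.000004  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.7 -> 192.168.1.10
"""

# One alert_fast line: "... [**] [gid:sid:rev] message [**] [Classification: ...] [Priority: n] ..."
FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]"
)


def parse_alerts(text):
    """Return (gid, sid, msg, priority) tuples for each parseable alert line; skip junk lines."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            alerts.append((int(m["gid"]), int(m["sid"]), m["msg"], int(m["prio"])))
    return alerts


def rank_signatures(text):
    """Count alerts per signature, noisiest first: [((gid, sid, msg), hits), ...]."""
    counts = Counter((gid, sid, msg) for gid, sid, msg, _ in parse_alerts(text))
    return counts.most_common()


def suppress_rules(text, min_hits, keep_msgs=()):
    """Emit threshold.conf 'suppress' lines for signatures that fired at least min_hits
    times, except those whose message contains a substring listed in keep_msgs."""
    lines = []
    for (gid, sid, msg), hits in rank_signatures(text):
        if hits < min_hits or any(k in msg for k in keep_msgs):
            continue
        lines.append(f"suppress gen_id {gid}, sig_id {sid}")
    return lines
```

Review the ranked list before pasting the suppress lines into threshold.conf; a rule that fires constantly is sometimes noise and sometimes the one scanner you actually want to know about.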