Just being a annoying tech!

**Cuddles** · 10-16-2005, 05:21 PM

Originally Posted by jjmac

So ... the logwatch facility has been extracting that info and presenting it via the local mail facility.

Code:

logwatch extract ...

Dropped 72 packets on interface ppp0
   From 24.207.157.140 - 2 packets
      To 203.58.186.120 - 2 packets
         Service: 15118 (tcp/15118) (FW_LASTDROP:,ppp0,none) - 2 packets
   From 61.155.9.171 - 1 packet
      To 203.58.186.120 - 1 packet
         Service: ssh (tcp/22) (FW_LASTDROP:,ppp0,none) - 1 packet
   From 64.62.190.36 - 36 packets
      To 203.58.186.120 - 36 packets
         Service: telnet (tcp/23) (FW_LASTDROP:,ppp0,none) - 8 packets
         Service: www (tcp/80) (FW_LASTDROP:,ppp0,none) - 8 packets
         Service: socks (tcp/1080) (FW_LASTDROP:,ppp0,none) - 8 packets
         Service: 3128 (tcp/3128) (FW_LASTDROP:,ppp0,none) - 4 packets
         Service: 6588 (tcp/6588) (FW_LASTDROP:,ppp0,none) - 4 packets
         Service: webcache (tcp/8080) (FW_LASTDROP:,ppp0,none) - 4 packets
   From 83.245.15.238 - 3 packets

etc

As you can see i label my DROP target as "FW_LASTDROP".

I'll have to look into my "snort" setup and possible configure some alet for those.

jm

I have snort installed, and it sends output to mail, not very interesting output though...

Upon seeing your output for logwatch, I installed it, but, I dont get output mailed on the ppp0, or even eth0 stuff - how did you get logwatch to get you the output above ?

I'd like to have a monitoring program working, like what your output shows above, but, I guess I need to create the filters / services code to get what you are getting ( I guess ) ?

Ms. Cuddles