/ Forside / Teknologi / Operativsystemer / Linux / Nyhedsindlæg
Login
Glemt dit kodeord?
Brugernavn

Kodeord


Reklame
Top 10 brugere
Linux
#NavnPoint
o.v.n. 11177
peque 7911
dk 4814
e.c 2359
Uranus 1334
emesen 1334
stone47 1307
linuxrules 1214
Octon 1100
10  BjarneD 875
STOR security log!
Fra : Lasse Rønlev


Dato : 17-12-03 23:37

Hej NG!

Jeg har et problem med min security log, og deraf er der kommet et problem
med server belastningen:

Jeg har en clarkconnect installation på min server. Serveren står mellem
brugercomputere og router/kabelmodem Cisco 677 fra Tiscali. Altså fungerer
serveren som router til Internettet. Men min security log bliver hurtigt
meget stor, og deraf følger, at den hver nat kl. 05.00 bliver meget
belastet, når den kører cron jobbet /usr/local/snortsnarf/snortsnarf.sh

Internt netværk: 192.168.0.X
Eksternt netværk: 192.168.1.X (altså mellem Cisco og server)
Server IP: 192.168.1.2
Cisco IP: 192.168.1.1

Her er et udrag:
Nov 30 04:42:54 server snort: [1:504:3] MISC source port 53 to <1024
[Classification: Potentially Bad Traffic] [Priority: 2]: {TCP}
62.233.207.99:53 -> 192.168.1.2:139
Nov 30 04:42:56 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:43:56 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:44:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:45:09 server snort: [1:483:2] ICMP PING CyberKit 2.2 Windows
[Classification: Misc activity] [Priority: 3]: {ICMP} 62.79.39.149 ->
192.168.1.2
Nov 30 04:45:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:46:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:47:16 server snort: [1:483:2] ICMP PING CyberKit 2.2 Windows
[Classification: Misc activity] [Priority: 3]: {ICMP} 62.79.98.13 ->
192.168.1.2
Nov 30 04:47:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:48:08 server snort: [1:483:2] ICMP PING CyberKit 2.2 Windows
[Classification: Misc activity] [Priority: 3]: {ICMP} 62.80.34.166 ->
192.168.1.2
Nov 30 04:48:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:49:37 server snort: [1:483:2] ICMP PING CyberKit 2.2 Windows
[Classification: Misc activity] [Priority: 3]: {ICMP} 213.237.104.109 ->
192.168.1.2
Nov 30 04:49:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:50:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:51:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:52:47 server snort: [1:483:2] ICMP PING CyberKit 2.2 Windows
[Classification: Misc activity] [Priority: 3]: {ICMP} 213.237.104.85 ->
192.168.1.2
Nov 30 04:52:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:53:57 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1
Nov 30 04:54:59 server snort: [1:469:1] ICMP PING NMAP [Classification:
Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.1.2 -> 192.168.1.1

Hvad er det lige for noget? Hvad skyldes det? Nogen der har en løsning på
problemet?
Se eventuelt min serverbelastning her:
https://montanagade.dk:81/stats.php?stat=load

Håber nogen kan hjælpe!

Mvh
Lasse
lasse(a)montanagade.dk



 
 
Alex Holst (18-12-2003)
Kommentar
Fra : Alex Holst


Dato : 18-12-03 11:26

"Lasse Rønlev" <6x122859@tiscali.dk> wrote:
> Jeg har et problem med min security log, og deraf er der kommet et problem
> med server belastningen:

Løsningen er at lade være med at køre Snort indtil du har resourcerne
til at behandle dens output.

--
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow. http://a.mongers.org

Sune Gellert (18-12-2003)
Kommentar
Fra : Sune Gellert


Dato : 18-12-03 15:24


"Lasse Rønlev" <6x122859@tiscali.dk> skrev i en meddelelse
news:fU4Eb.61788$jf4.3551624@news000.worldonline.dk...
> Hej NG!
>
> Jeg har et problem med min security log, og deraf er der kommet et problem
> med server belastningen:
>
>
Prøv med snort i kombination med mysql og acid. Er mere effektivt end
snortsnarf, og meget bedre interface, hvis man vil grave lidt i sine
opsamlede data. En rask tur på google burde give noget inspiration


/Sune



Søg
Reklame
Statistik
Spørgsmål : 177552
Tips : 31968
Nyheder : 719565
Indlæg : 6408849
Brugere : 218887

Månedens bedste
Årets bedste
Sidste års bedste