Hi, I just want to be aware of anything unusual instantly, preferably by email. This is a single- or two-user laptop. Here are the few I gave a shot:

Logsentry is very simple and easy to use with its plain rule files and check script. It just works out of the box with almost zero configuration. I only had to add a couple of rules and modify logcheck.sh according to my syslog setup. But it seems to be unmaintained and, more importantly, it is not real time. There is an hourly cron job shipped with the package, but running it more frequently sounds like overdoing it.

I also checked logsurfer, which comes with an init script; however, there is no working configuration file and the examples are sort of confusing.

Aide, as an intrusion detection tool, also has very simple configuration, but it does not report in real time either. You have to place the example cron job in the cron directory of your choice manually. Running it hourly loads the system every hour for a couple of minutes. Running it daily means knowing about the intrusion only the day after. I don't see the point of that; it may be too late for everything.

I read somewhere that snort was the most used one. At first glance there are too many configuration variables. It just seems overmuch for what I want on my system.

What I want is something like tail using inotify: tail -f / | mail $ME :)

Seriously, are there [or is there a single] tool/s for {system, network, log} monitoring and intrusion detection, using inotify to watch and email the instant changes on a system? What do you use and recommend for a home PC?

eix -cSz ntrusion and log monitor show what is available in portage, but asking to share experience is a lot better than the emerge-try-unmerge cycle. Hope you agree.

--
Fatih
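The "tail -f piped into mail, but triggered by inotify" idea from the post, written out as an added example (not from the post, and not code from logsentry, logsurfer, aide or any portage package). It assumes Linux with glibc (inotify is called through ctypes on libc.so.6) and a working local `mail` command for delivery; the alert and ignore rule lists are constructed in the spirit of logcheck's violations/ignore files and must be adapted to the local syslog format. The tailer remembers its byte offset, only emits complete lines, and starts over when the file shrinks, which is what logrotate's copytruncate mode does.

```python
#!/usr/bin/env python3
"""Minimal real-time log watcher: an inotify-triggered tail with logcheck-style
rule filtering, handing matching lines to a notifier.  The inotify part is
Linux-only and assumes glibc's libc.so.6 (loaded through ctypes)."""
import ctypes
import os
import re
import select
import subprocess
import sys

# Constructed rule lists in the spirit of logcheck's "violations" and "ignore"
# files; adjust the patterns to the syslog format on your own machine.
ALERT_RULES = [
    r"sshd\[\d+\]: Failed password",
    r"sshd\[\d+\]: Accepted (password|publickey)",
    r"sudo: .*COMMAND=",
    r"pam_unix\(.*\): authentication failure",
]
IGNORE_RULES = [
    r"CRON\[\d+\]",          # cron chatter is not interesting on this box
]


def filter_lines(lines, alert=ALERT_RULES, ignore=IGNORE_RULES):
    """Keep only lines that match an alert rule and no ignore rule."""
    alert_re = [re.compile(p) for p in alert]
    ignore_re = [re.compile(p) for p in ignore]
    return [
        line for line in lines
        if not any(r.search(line) for r in ignore_re)
        and any(r.search(line) for r in alert_re)
    ]


class LogTailer:
    """Track a byte offset into a log file and return only the complete lines
    appended since the last call.  A file that shrank (truncation, or
    logrotate's copytruncate) is read again from the start."""

    def __init__(self, path, start_at_end=True):
        self.path = path
        self.offset = 0
        self.partial = b""               # bytes after the last newline seen
        if start_at_end and os.path.exists(path):
            self.offset = os.path.getsize(path)

    def read_new(self):
        try:
            size = os.path.getsize(self.path)
        except FileNotFoundError:
            return []
        if size < self.offset:           # file shrank: start over
            self.offset, self.partial = 0, b""
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            data = self.partial + f.read()
            self.offset = f.tell()
        chunks = data.split(b"\n")
        self.partial = chunks.pop()      # trailing piece has no newline yet
        return [c.decode("utf-8", "replace") for c in chunks]


def notify(lines, recipient):
    """Assumed delivery path: pipe the matching lines into the local `mail`."""
    body = "\n".join(lines) + "\n"
    subprocess.run(["mail", "-s", "log alert", recipient],
                   input=body.encode(), check=False)


def watch(path, recipient):
    """Sleep on inotify events for the log's directory (so a rotated-in new
    file is noticed too) and process appended lines the moment they arrive."""
    IN_MODIFY, IN_MOVED_TO, IN_CREATE = 0x2, 0x80, 0x100
    libc = ctypes.CDLL("libc.so.6", use_errno=True)   # assumption: glibc
    fd = libc.inotify_init()
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    directory = os.path.dirname(os.path.abspath(path)).encode()
    mask = IN_MODIFY | IN_MOVED_TO | IN_CREATE
    if libc.inotify_add_watch(fd, directory, mask) < 0:
        raise OSError(ctypes.get_errno(), "inotify_add_watch failed")
    tailer = LogTailer(path)
    while True:
        select.select([fd], [], [])      # block until something changes
        os.read(fd, 65536)               # drain the events; we just re-read
        hits = filter_lines(tailer.read_new())
        if hits:
            notify(hits, recipient)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: logwatch.py /var/log/auth.log you@localhost")
    watch(sys.argv[1], sys.argv[2])
```

Run it as `python3 logwatch.py /var/log/auth.log you@localhost` under a user that can read the log. Watching the directory rather than the file is deliberate: an inotify watch on the file itself dies when logrotate renames it away, whereas the directory watch keeps firing and the tailer simply restarts at offset zero on the new, smaller file.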
Logsentry is very simple and easy to use with its plain rule files and check script. It just works out of the box with almost zero configuration. I only had to add couple of rules and modify logcheck.sh according to my syslog setup. But it seems to be unmaintained and more importantly it is not real time. There is an hourly cron job shipped with the package but running it more frequent sounds like overdoing it. I also checked logsurfer which comes with a init script, however, no working configuration file and sort of confusing examples. Aide, as an intrusion detection tool, has also very simple configuration but it does not report in real time either. You have to place the example cron job to cron directory of your choice manually. Running it hourly loads the system every hour for couple of minutes. Running it daily mean knowing about the intrusion only the day after. I don't see the point of that, it may be too late for everything. I read somewhere that snort was the most used one. At first glance there are too many configuration variables. It just seems overmuch for what I want on my system. What I want is something like tail using inotify: tail -f / | mail $ME :) Seriously, are there [or is there a single] tool/s for {system, network, log} monitoring and intrusion detection, using inotify to watch and email the instant changes on a system? What do you use and recommend for a home pc? eix -cSz ntrusion and log monitor show what is available in portage but asking to share experience is a lot better than emerge-try-unmerge cycle. Hope you agree. -- Fatih