I have Bind9 and Snort 1.9.1 running on my Linux 7.3 machine, but these two programs are filling up my /var/log/messages and my Tripwire report logs. Here is an example of what I'm talking about. I get these messages in my Tripwire reports and my /var/log/messages file (it's all the websites people on my network have visited, so you can imagine how much traffic I get into both the Tripwire reports and /var/log/messages):
I start named as root (it won't start with a user, like this: /usr/sbin/named -u named), and my named.conf file is at the bottom:
Mar 20 16:48:14 11112114y540l named[1288]: Mar 20 16:48:14.009queries: info:
client 192.168.0.69#4972: query: www.yahoo.com IN A
Mar 20 16:48:14 1112114y540l named[1288]: Mar 20 16:48:14.645queries: info:
client 192.168.0.69#4974: query: us.i1.yimg.com IN A
Mar 20 16:48:15 11112114y540l named[1288]: Mar 20 16:48:15.974queries: info:
client 192.168.0.69#4979: query: srd.yahoo.com IN A
Mar 20 16:48:16 11112114y540l named[1288]: Mar 20 16:48:16.077queries: info:
And then I get these reports in my everyday Tripwire reports too, but I think they are supposed to be there?
"/var/log/snort/206.204.10.200"
"/var/log/snort/206.204.10.200/ICMP_ECHO"
"/var/log/snort/206.204.10.200/TCP:4325-1080"
"/var/log/snort/206.204.10.200/TCP:5097-1080"
"/var/log/snort/66.134.127.35"
"/var/log/snort/66.134.127.35/UDP:4866-1434"
"/var/log/snort/212.244.158.151"
"/var/log/snort/212.244.158.151/UDP:1706-1434"
"/var/log/snort/65.54.248.22"
"/var/log/snort/65.54.248.22/ICMP_UNRCH_PACKET_FILT"
"/var/log/snort/217.57.54.226"
"/var/log/snort/217.57.54.226/UDP:2133-1434"
"/var/log/snort/4.60.127.39"
"/var/log/snort/4.60.127.39/ICMP_ECHO"
How can I cut down on all this logging!!!
// This is a configuration file for named (from BIND 9.0 or later).
// It would normally be installed as /etc/named.conf.
//
// Changed to match secure example from LASG 5/17/00
// Changed to match Linux Journal example 9/17/00
// Added new "view" sections to stop fingerprinting of Bind 9.x per
// Bugtraq 1/31/00
// Added rndc key stuff per DNS & Bind (Rev. 4) Chapter 11
// added use-id-pool and more comments based on above chapter

options {
    // Directory where bind should create files if
    // not explicitly stated
    directory "/var/named";

    // whom do we allow to do zone transfers
    allow-transfer { 192.168.1.0/24; };

    // new in Bind 9.x to allow RFC1886 -> RFC2874 conversion
    // to support IPv6
    // allow-v6-synthesis { 192.168.1.10; };

    // tell Bind to check the names in zone files
    // since it no longer does this by default
    // (currently unimplemented)
    check-names master warn;

    // sets the size of something or other to 20Mb ;)
    datasize 20M;

    // Bind 9.x doesn't recognize this yet :(
    // deallocate-on-exit no;

    // where should Bind put a dump of its cache
    // if told to dump it
    dump-file "named_dump.db";

    // how often should bind check for new
    // interfaces to listen on. we turn
    // this off by setting it to 0
    interface-interval 0;

    // specify what interfaces/ips to listen on
    // as the default is all of them
    listen-on { 192.168.1.10; 127.0.0.1; };

    // define a maximum size of cached records
    // new in Bind 9.x
    max-cache-size 20M;

    // where to write stats of memory usage
    // Bind 9.x doesn't recognize this yet :(
    memstatistics-file "named.memstats";

    // where to put our pid file
    // absolute path since we don't want
    // it in /var/named
    pid-file "/var/run/named.pid";

    // force Bind to use port 53 for its
    // outbound queries to other DNS
    // servers (Bind 9 uses high ports
    // by default). Makes firewalling easier
    // (note: a fixed source port means the only
    // unpredictable part of an outbound query is
    // the 16-bit message id)
    query-source address * port 53;

    // where to dump Bind server stats
    statistics-file "named.stats";

    // force Bind to be "more" random in assigning
    // message ids
    use-id-pool yes;

    // If the chaos view below doesn't work
    // for some reason, still give out a bogus
    // answer for Bind version requests
    version "This is not the port you're looking for.";

    // keep stats on a zone basis
    zone-statistics yes;
};

controls {
    // this allows rndc to be used from the localhost
    // to talk to bind on the loopback interface
    // using the key defined as 'rndc-key'
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

// the rest of the key configuration is in
// /etc/rndc.conf and the key itself is in
// /etc/rndc.key
key "rndc-key" {
    // how was key encoded
    algorithm hmac-md5;
    // what is the pass-phrase for the key
    secret "aHVz";
};

logging {
    channel named_info {
        // log to syslog instead of a file
        syslog;
        // include the category of the event in the log
        print-category yes;
        // include the severity of the event in the log
        print-severity yes;
        // include the time of the event in the log
        // (syslog already stamps each line, so this is
        // why every message above carries two timestamps)
        print-time yes;
    };

    // Processing of client requests
    category client { named_info; };

    // named.conf parsing and processing
    category config { named_info; };

    // Messages relating to internal memory structures
    category database { named_info; };

    // This is the default for any category not specifically defined
    category default { named_info; };

    // The catch-all. Anything without a category of its own
    category general { named_info; };

    // Uncomment if you don't want to know about lame servers.
    // Leave commented and it defaults to the
    // value of default above
    // category lame-servers { null; };

    // The NOTIFY protocol
    category notify { named_info; };

    // Network operations
    category network { named_info; };

    // DNS resolution like recursive lookups, etc.
    category resolver { named_info; };

    // Approval and denial of requests
    category security { named_info; };

    // Dynamic updates
    category update { named_info; };

    // Queries. Duh. (this is the category that
    // produces one syslog line per client query)
    category queries { named_info; };

    // Zone transfers received
    category xfer-in { named_info; };

    // Zone transfers sent
    category xfer-out { named_info; };
};

// this is where we define different versions
// of our zones based on where the client is
// coming from.
// the first view that matches a client is
// the one that gets used, so order can be
// important
view "external-chaos" chaos {
    // you could use 'any' or even 'localnets' here
    // instead of specifying each IP range
    // however, it should be noted that 'localnets'
    // means ANY network Bind is directly connected
    // to which might include your ISP
    match-clients { 192.168.1.0/24; 127/8; };
    recursion no;
    zone "." {
        type hint;
        // this causes a null response to queries
        // about the Bind version
        file "/dev/null";
    };
};

view "external" {
    // you could use 'any' or even 'localnets' here
    // instead of specifying each IP range
    // however, it should be noted that 'localnets'
    // means ANY network Bind is directly connected
    // to which might include your ISP
    match-clients { 192.168.1.0/24; 127/8; };
    zone "." {
        type hint;
        file "root.hints";
    };
    // the two reverse zones were originally in separate
    // views ("external-127" and "external-192") with the
    // same match-clients list as this view. since only the
    // first view that matches a client is ever used, those
    // views were never consulted, so the zones live here
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "pz/127.0.0";
        allow-update { none; };
    };
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "pz/192.168.1";
        allow-update { none; };
    };
};
--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
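As an added example (not part of the original post), here is how the `logging` statement in the named.conf above could be rewritten so per-query messages stop flooding syslog: the `queries` category gets its own size-rotated file channel, `print-time` is turned off on the syslog channel (syslog stamps each line itself, which is why every message quoted above carries two timestamps), and lame-server noise is discarded. The log directory and file name are assumptions; the directory must exist and be writable by the user named runs as.

```conf
logging {
    // operational messages still go to syslog (daemon facility)
    channel named_info {
        syslog daemon;
        severity info;
        print-category yes;
        print-severity yes;
        // syslog adds its own timestamp; "yes" here duplicates it
        print-time no;
    };

    // per-query log: its own file, rotated by size, never touches
    // /var/log/messages. assumed path; a relative name would be
    // placed under the "directory" option (/var/named) instead.
    channel query_log {
        file "/var/log/named/queries.log" versions 5 size 10m;
        severity info;
        print-time yes;
    };

    // send queries to the dedicated file, or use { null; }
    // to drop query logging entirely
    category queries      { query_log; };

    // lame-server chatter is rarely worth a syslog line
    category lame-servers { null; };

    // everything else (client, config, security, xfer-*, ...)
    // falls through to default, so per-category lines are
    // not needed unless a category should go somewhere else
    category default      { named_info; };
};
```

The /var/log/snort entries in the Tripwire report are expected: Snort writes a directory per source address under its log directory, so new ones appear whenever a new host sends traffic. That tree can be left out of the Tripwire policy with a stop point (`!/var/log/snort ;` in twpol.txt) rather than reported as added files every day.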