On Tue, 6 Mar 2001, Bret Hughes wrote:
> Although having written that I get irritated enough with the
> logcheck stuff telling me about the hits on the three firewalls I
> manage, I can't imagine how pissed I would get if each probe generated a
> separate email. I have recently seen a big spike in the number of port
> 111 probes as well as the usual ftp stuff.

I don't do either of these, but you can do two things to reduce your
logcheck annoyances.

1. Have syslogd log to a central machine running logcheck so you only get
1 email, not 3. I think I'm going to do this soon though.

2. Put in specific rules to ignore the probes to 111 (or any others you
get too frequently to care).

I do like the idea of some statistical analysis of the scans though, like
how many times each unique port number was triggered, top offending IPs,
etc., but this could be gleaned periodically from the logfiles directly.

charles
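
The periodic statistics described in the message above (hits per port, top offending source IPs), as an added example that is not part of the original post. It assumes the firewall hits are logged in ipchains "Packet log:" or iptables LOG format, which the thread does not specify; the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# Assumed log formats (the thread names neither): ipchains "Packet log:"
# lines from 2.2 kernels, and iptables LOG lines with SRC=/PROTO=/DPT= fields.
IPCHAINS = re.compile(
    r"Packet log: \S+ (?:DENY|REJECT) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):\d+ [\d.]+:(?P<dport>\d+) "
)
IPTABLES = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)")
PROTO_NAMES = {"6": "tcp", "17": "udp"}

# Constructed sample input; addresses come from documentation ranges.
SAMPLE = [
    "Mar  6 02:11:40 fw1 kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:3301 198.51.100.1:111 L=60 S=0x00 I=411 F=0x4000 T=52 SYN (#5)",
    "Mar  6 02:11:43 fw1 kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:3301 198.51.100.1:111 L=60 S=0x00 I=412 F=0x4000 T=52 SYN (#5)",
    "Mar  6 03:40:02 fw2 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.77:1040 198.51.100.2:21 L=60 S=0x00 I=977 F=0x4000 T=48 SYN (#5)",
    "Mar  6 04:02:19 fw3 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.3 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=413 DF PROTO=TCP SPT=3302 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar  6 04:15:55 fw3 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.3 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=978 DF PROTO=TCP SPT=1041 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar  6 05:30:00 fw1 kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.9:800 198.51.100.1:111 L=84 S=0x00 I=12 F=0x0000 T=50 (#6)",
    "Mar  6 05:31:12 fw1 sshd[812]: Connection from 192.0.2.9 port 4022",
    "Mar  6 05:32:07 fw1 kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.9:8 198.51.100.1:0 L=84 S=0x00 I=13 F=0x0000 T=50 (#7)",
]

def summarize(lines, top=5):
    """Return (port_hits, source_hits), each a list of (key, count), busiest first."""
    ports, sources = Counter(), Counter()
    for line in lines:
        m = IPCHAINS.search(line) or IPTABLES.search(line)
        # Skip non-firewall lines and ICMP: ipchains logs ICMP type/code in
        # the port positions, so counting it would invent port numbers.
        if not m or m["proto"] == "1":
            continue
        proto = PROTO_NAMES.get(m["proto"], m["proto"].lower())
        ports[(proto, int(m["dport"]))] += 1
        sources[m["src"]] += 1
    return ports.most_common(top), sources.most_common(top)

if __name__ == "__main__":
    port_hits, source_hits = summarize(SAMPLE)
    for (proto, port), n in port_hits:
        print(f"{n:6d}  {proto}/{port}")
    for src, n in source_hits:
        print(f"{n:6d}  {src}")
```

Run over the combined log on a central syslog host, this gives one summary for all three firewalls instead of a mail per probe.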



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
