
Re: reviewing httpd access log



On Sun, 1 Aug 2004, L. V. Lammert wrote:

> Unfortunately, snort does not communicate with pf. If anyone HAS done this
> sort of setup, please let everyone know.

I have a honeynet somewhere that parses pflogs and ... does stuff.
This stuff can include thudding an address into a table of things
to be blocked and writing a log event. Actually, this particular
honeynet does Cisco ACLs, but there's nothing Cisco specific about
the architecture.

I have modules that parse snort, httpd, pf and sys logs. They report
to a central collector which decides what to do about the infraction.
One of these days I'll pretty it all up for public consumption.

CK

-- 
Chris Kuethe, GCIA CISSP: Secure Systems Specialist - U of A CNS
       office: 157 General Services Bldg.    +1.780.492.8135
               chris.kuethe@[pyxis.cns.]ualberta.ca

      GDB has a 'break' feature; why doesn't it have 'fix' too?
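The parser-module/collector pipeline CK describes above, sketched as an added Python example (not code from the post or from his honeynet): per-source parsers emit (ip, reason) events, and a central collector counts infractions and decides which addresses go into a pf table. The log lines, the table name `blocked` and the threshold are constructed assumptions; the `pfctl` commands are returned rather than executed.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original post), Apache combined format.
HTTPD_LINES = [
    '203.0.113.7 - - [01/Aug/2004:10:00:01 -0600] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 291',
    '203.0.113.7 - - [01/Aug/2004:10:00:02 -0600] "GET /scripts/root.exe HTTP/1.0" 404 291',
    '198.51.100.9 - - [01/Aug/2004:10:00:03 -0600] "GET /index.html HTTP/1.1" 200 1043',
]
# Constructed lines in the shape of pflog output (tcpdump on pflog0), simplified.
PF_LINES = [
    'rule 3/0(match): block in on fxp0: 203.0.113.7.4021 > 192.0.2.10.22: S',
    'rule 3/0(match): block in on fxp0: 192.0.2.55.1033 > 192.0.2.10.80: S',
]

HTTPD_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+) [^"]*" (\d{3})')
PF_RE = re.compile(r'block in on \S+: (\d+\.\d+\.\d+\.\d+)\.\d+ >')

def parse_httpd(lines):
    """httpd module: yield (source_ip, reason) for requests answered 4xx/5xx."""
    for line in lines:
        m = HTTPD_RE.match(line)
        if m and m.group(3)[0] in "45":
            yield m.group(1), f"httpd {m.group(3)} {m.group(2)}"

def parse_pf(lines):
    """pf module: yield (source_ip, reason) for packets pf logged as blocked."""
    for line in lines:
        m = PF_RE.search(line)
        if m:
            yield m.group(1), "pf block"

def collect(events, threshold=2, table="blocked"):
    """Central collector: count infractions per source and decide on a block.
    Returns (pfctl commands, log events); commands are not executed here so the
    decision can be reviewed before it touches the firewall (assumed policy)."""
    counts, reasons = Counter(), {}
    for ip, reason in events:
        counts[ip] += 1
        reasons.setdefault(ip, []).append(reason)
    commands, log = [], []
    for ip, n in counts.items():
        if n >= threshold:
            commands.append(f"pfctl -t {table} -T add {ip}")
            log.append(f"block {ip}: {n} infractions ({'; '.join(reasons[ip])})")
    return commands, log

if __name__ == "__main__":
    cmds, log = collect(list(parse_httpd(HTTPD_LINES)) + list(parse_pf(PF_LINES)))
    print("\n".join(cmds + log))
```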