[Gllug] iplog

Darren Evans devans at presscentre.net
Thu Aug 16 14:04:26 UTC 2001


Does anyone use iplog?  Looks like a good program for
improving knowledge of scans, however I can't get it to print
output to screen or disk when detecting any scans.  This is
on Red Hat 7.1 and iplog-2.2.3-fr1.

I'm using nmap (locally) to see if it detects the scan
and writes the log.

Yes, I've tried iplog -l /var/log/iplog

It writes the "starting up" message in /var/log/iplog

I'm wondering if it's my config or some issue?

Is there a better way to set up the userid so it can write
to /var/run?  I wonder if I should make this owned by daemon,
any thoughts?

This is my /etc/iplog.conf.


[darren at host darren]$ sudo cat /etc/iplog.conf
/*
** iplog configuration file.
**
** See iplog.conf(5) for details on syntax and a full description
** of available options.
*/

set tcp true
set log_dest true
set syn_scan true
set fin_scan true
set udp_scan true
set portscan true
set xmas_scan true
set null_scan true
set get_ident true
set bogus true

# Run as user "nobody."
user nobody

# Run with group "nobody."
group nobody

# Log to /var/log/iplog
logfile /var/log/iplog

# Log the IP address as well as the hostname of packets.
set log_ip true

# Do not log the destination of packets.
set log_dest false

# Ignore DNS traffic from nameservers in /etc/resolv.conf.
set ignore_dns

# Listen on eth0
interface eth0

# Example log statement.
#log tcp dport 1045:1055 sport ftp-data

# Ignore ftp-data connections to ports 1024 and above.
#ignore tcp dport 1024: sport 20
 
# Ignore WWW connections, SMB and ICQ.
#ignore tcp dport 80
#ignore tcp dport 137
#ignore tcp dport 138
#ignore tcp dport 139
#ignore udp dport 137
#ignore udp dport 138
#ignore udp dport 139
#ignore udp dport 2049
#ignore udp sport 4000
#ignore udp dport 4000
 
# Ignore ICMP unreach.
#ignore icmp type unreach
 
# Ignore all ICMP except ICMP echo packets.
ignore icmp type !echo
 
# Ignore UDP traffic from the 127.1.2 network
#ignore udp from 127.1.2/24
 
# or
#ignore udp from 127.1.2/255.255.255.0


Thanks,
Darren

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
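As an added example (not part of the post above, nor code from iplog itself), a small checker for the posted configuration format: it strips the C-style and `#` comments, collects the `set`, `user`, `group`, `logfile` and `interface` directives, and reports any option given more than one distinct value, such as `log_dest` appearing as both `true` and `false` in the file above. It assumes (our assumption; iplog.conf(5) is authoritative) that a later directive overrides an earlier one and that a bare `set NAME` means `true`; the sample input is a constructed excerpt of the posted file.

```python
import re

# Constructed excerpt of the iplog.conf from the post above (sample input, not the full file).
SAMPLE_CONF = """\
/*
** iplog configuration file.
*/
set tcp true
set log_dest true
user nobody
group nobody
logfile /var/log/iplog
set log_ip true
set log_dest false
set ignore_dns
interface eth0
#ignore tcp dport 80
ignore icmp type !echo
"""

def strip_comments(text):
    """Drop C-style /* ... */ blocks and '#' line comments, returning bare stripped lines."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return [ln.split("#", 1)[0].strip() for ln in text.splitlines()]

def parse_iplog_conf(text):
    """Return (settings, conflicts, rules) for an iplog.conf body.

    settings  : effective value per directive, assuming (our assumption) that a later
                directive overrides an earlier one; a bare 'set NAME' is recorded as 'true'.
    conflicts : directives given more than one distinct value, in file order.
    rules     : active (uncommented) 'log' / 'ignore' rule lines.
    """
    seen, rules = {}, []
    for line in strip_comments(text):
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "set" and len(parts) >= 2:
            seen.setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "true")
        elif parts[0] in ("user", "group", "logfile", "interface") and len(parts) == 2:
            seen.setdefault(parts[0], []).append(parts[1])
        elif parts[0] in ("log", "ignore"):
            rules.append(line)
        # any other directive is left for iplog itself to accept or reject
    settings = {name: values[-1] for name, values in seen.items()}
    conflicts = {name: values for name, values in seen.items() if len(set(values)) > 1}
    return settings, conflicts, rules
```

Running `parse_iplog_conf(SAMPLE_CONF)` on the excerpt reports `log_dest` as a conflict (`true` then `false`) and shows `ignore icmp type !echo` as the only active rule.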