hlfs-dev Digest, Vol 898, Issue 1
dmurungi at dicts.mak.ac.ug
Tue Apr 1 00:20:28 PDT 2008
> Scanlogd is pretty much useless software. Why bother; it won't protect you.
> libnids is a network stack emulator; not a replacement for pcap. It just runs in
> parallel with the kernel using a lot of horsepower. It is for specialized use.
> Pcap just puts your NIC in promiscuous mode, captures packets real fast, and
> makes that data available to other programs for analysis. It does not need to be
> concerned with fragmentation, flags, or anything else. !!BUT remember, a NIC in
> promiscuous mode is a thing of beauty to a hacker. It cannot be secured or
> Snort_inline is probably what you really want to build. It can be queued to
> IPtables and will drop bad traffic, blacklist IPs, report port scans, detect
> viruses, whatever. Fragmentation no problem. pcap not needed. With a free
> subscription to the rules (5000+) they can be updated daily by a cron job with
> oinkmaster. Oh, and yes, it builds easily on hlfs and I use it 24/7/365.
> Marty B.
The reason I wanted Scanlogd was because I have iptables rules like:
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level debug --log-prefix "Port Scan"
$IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
that I would like to get rid of. What I had thought of was using scanlogd and
writing a small script to monitor the scanlogd logfile and send me a message
when the size of the logfile changes.
Libnids-1.23 builds without any issues. It is just that when I rebuilt
scanlogd (with Libnids support instead of pcap) scanlogd complains about
sharing text segments; that's when I thought of checking libnids for
Anyway, the solution (snort_inline) you proposed makes better sense and
that's what I am pursuing right now. Will let you know if I have any issues.
Thanks Marty, for the heads up.
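The "small script" the author describes above (watch the scanlogd log and send a message when it grows), as an added example that is not part of the original thread. The log path, the state file location and the use of mail(1) for the notification are assumptions; scanlogd itself logs via syslog, so the actual file depends on the syslog configuration.

```shell
#!/bin/sh
# Cron-driven watcher for the scanlogd log. Reports lines appended since the
# previous run instead of only "the size changed", and copes with log rotation.
# Paths and the mail recipient are assumptions, adjust for your host.
LOGFILE="${LOGFILE:-/var/log/scanlogd.log}"      # assumed syslog destination
STATEFILE="${STATEFILE:-/var/tmp/scanlogd.offset}" # byte offset already reported
MAILTO="${MAILTO:-root}"

# report_new_entries LOGFILE STATEFILE
#   Prints the bytes appended to LOGFILE since the offset stored in STATEFILE
#   and stores the new offset. Returns 0 when there is something new, 1 when
#   the log is missing or unchanged. If the file is smaller than the stored
#   offset it was rotated or truncated, so reading restarts from the beginning.
report_new_entries() {
    log=$1
    state=$2
    [ -f "$log" ] || return 1
    size=$(wc -c < "$log" | tr -d ' ')
    prev=0
    [ -f "$state" ] && prev=$(tr -d ' \n' < "$state")
    [ "$size" -lt "$prev" ] && prev=0          # rotation: start over
    printf '%s\n' "$size" > "$state"
    [ "$size" -gt "$prev" ] || return 1        # nothing appended
    tail -c +"$((prev + 1))" "$log"            # bytes from prev+1 to end
    return 0
}

# Only mail when the log actually grew; an empty message on every cron run
# would train the recipient to ignore the alerts.
if new=$(report_new_entries "$LOGFILE" "$STATEFILE"); then
    printf '%s\n' "$new" | mail -s "scanlogd: new entries on $(hostname)" "$MAILTO"
fi
```

Run it from cron every few minutes; because the offset is persisted, each mail carries only the entries that arrived since the last one.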