hlfs-dev Digest, Vol 898, Issue 1

Daniel Murungi dmurungi at dicts.mak.ac.ug
Tue Apr 1 00:20:28 PDT 2008

> Scanlogd is pretty much useless software. Why bother; it won't protect you. 
> libnids is a network stack emulator; not a replacement for pcap. It just runs in
> parallel with the kernel using a lot of horsepower. It is for specialized use. 
> Pcap just puts your NIC in promiscuous mode, captures packets real fast, and
> makes that data available to other programs for analysis. It does not need to be
> concerned with fragmentation, flags, or anything else. !!BUT remember, a NIC in
> promiscuous mode is a thing of beauty to a hacker. It cannot be secured or
> monitored!! 
> /*
> Snort_inline is probably what you really want to build. It can be queued to
> IPtables and will drop bad traffic, blacklist IPs, report port scans, detect
> viruses, whatever. Fragmentation no problem.  pcap not needed. With a free
> subscription to the rules (5000+) they can be updated daily by a cron job with
> oinkmaster. Oh, and yes, it builds easily on hlfs and I use it 24/7/365.
> */ 
> Marty B. 

The reason I wanted Scanlogd was because I have iptables rules like:

 $IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
  --log-level debug --log-prefix "Port Scan"
 $IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

that I would like to get rid of. What I had thought of was using scanlogd and 
writing a small script to monitor the scanlogd logfile and send me a message 
when the size of the logfile changes. 

Libnids-1.23 builds without any issues. It is just that when I rebuilt 
scanlogd (with Libnids support instead of pcap) scanlogd complains about 
sharing text segments, that's when I thought of checking libnids for 

Anyway, the solution (snort_inline) you proposed makes better sense and 
that's what I'm pursuing right now. Will let you know if I have any issues 
building snort_inline. 

Thanks Marty, for the heads up.
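The logfile watcher described in the message above, written here as an added example (it is not the poster's script and not part of scanlogd): it remembers the last seen size of the logfile in a state file, prints whatever bytes were appended since the previous run (so the notification carries the new entries rather than just "the file grew"), resets itself if the log is rotated or truncated, and hands the text to a placeholder notify function. The logfile path, the state file path and the notify command are assumptions to be adjusted for the box it runs on; run it from cron every few minutes with --run.

```shell
#!/bin/sh
# Added example, not from the original post: watch a logfile such as the one
# scanlogd writes and report the entries appended since the last check.
# LOGFILE, STATEFILE and the notify command are assumptions, not values from
# the mailing-list message.

LOGFILE="${LOGFILE:-/var/log/scanlogd.log}"   # assumed path to the scanlogd log
STATEFILE="${STATEFILE:-/var/run/scanlogd-watch.size}"   # assumed state location

# file_size FILE: print the size in bytes, 0 if the file does not exist yet
file_size() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# report_new LOGFILE STATEFILE: print the bytes appended since the last run and
# record the current size. Prints nothing when the size is unchanged. A size
# smaller than last time means the log was rotated or truncated, so the whole
# current file is treated as new.
report_new() {
    log="$1"; state="$2"
    old=0
    if [ -f "$state" ]; then
        old=$(cat "$state")
    fi
    new=$(file_size "$log")
    if [ "$new" -lt "$old" ]; then
        old=0                       # rotated/truncated: start over from byte 1
    fi
    echo "$new" > "$state"
    if [ "$new" -gt "$old" ]; then
        tail -c +"$((old + 1))" "$log"   # bytes old+1 .. new are the new entries
    fi
}

# notify MESSAGE: placeholder delivery; replace with mail(1), logger(1), etc.
notify() {
    printf '%s\n' "$1"
}

# main_loop: one polling pass; schedule it from cron every few minutes
main_loop() {
    added=$(report_new "$LOGFILE" "$STATEFILE")
    if [ -n "$added" ]; then
        notify "scanlogd logged new activity:
$added"
    fi
}

if [ "${1:-}" = "--run" ]; then
    main_loop
fi
```

The state file is what makes this cron-friendly: each pass is independent, and because the script reports the appended text instead of the size delta, a rotated log does not silently hide entries that landed before the rotation was noticed.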
