Ok. Pf is working fine (I think, xD). So better use pf+SEC and forget Snort. So now it is time to find a good SEC manual and start playing with it.

Thanks.
Tang Tse

On 5/28/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
>
> On Mon, May 28, 2007 at 10:35:41AM +0200, Tang Tse wrote:
> > 2007/5/8, Alberich de megres <[EMAIL PROTECTED]>:
> > > On 5/8/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> > > > On Tue, May 08, 2007 at 10:45:36AM +0200, Alberich de megres wrote:
> > > > > I'm new to the OpenBSD world.. I came from the Linux world :P And I
> > > > > got a question about logs.
> > > > >
> > > > > In Linux I used logwatch; I know that I can use it on OpenBSD.
> > > > > But is there some other option in the OpenBSD world? What about
> > > > > Snort? What way do you use to analyze logs on a router firewall or
> > > > > workstations?
> > > >
> > > > For log analysis, which is different from analyzing bandwidth and
> > > > such, there are plenty of systems. I'd urge you to look at
> > > > something that reports anything unknown, though, at least if
> > > > you're using a log analyzer to point you at things that need
> > > > fixing (as opposed to creating statistics, auto-blacklisting in
> > > > response to SSH bruteforce attempts, and so on and so forth).
> > > >
> > > > Personally, I use SEC (sysutils/sec) for general log handling.
> > > > It's pretty powerful, not too hard to use, and can be made to work
> > > > in blacklist mode (search the web). I add pflogsumm
> > > > (mail/pflogsumm) to handle all Postfix logs, mostly because SEC
> > > > isn't that good at statistics (though you can get it to execute
> > > > external programs...)
> > >
> > > Can Pfstat make per-source-IP (for the local LAN, for example)
> > > statistics?
> > >
> > > I heard nice things about SEC; I will take a look at both.
> >
> > Retaking this mail thread,
> >
> > One question: which do you think is best? snort+sec? or pf+sec?
>
> Snort and pf are network security technologies; the first is an
> intrusion detection system and the latter is a packet filter. SEC can be
> used as a log watcher.
>
> Those are different technologies; I think you might be a bit confused.
> Snort+SEC is most likely not the best choice (look at anything from BASE
> to Prelude for analysing and/or monitoring Snort logs), and I don't know
> what output of pf you want to feed to SEC.
>
> I'd recommend setting up pf first, log watching second, and ignoring
> Snort altogether. This is OpenBSD; vulnerabilities are rare, and if they
> appear, upgrading the vulnerable system is less work than upgrading the
> IDS. And the first actually makes you more secure.
>
> Joachim
>
> --
> TFMotD: gem (4) - GEM 10/100/Gigabit Ethernet device
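As an added illustration of the two log-watching styles Joachim contrasts above (a watcher that "reports anything unknown" versus one that auto-blacklists SSH brute-force sources), here is a small Python script that is not part of the thread and is not SEC itself. It suppresses lines matching a whitelist of known-benign patterns, reports everything else, and counts failed sshd logins per source address so that addresses over a threshold can be handed to a pf table (the command strings are only built, not executed). The log lines, the pattern list, the `bruteforce` table name and the threshold of 3 are all constructed assumptions for this example.

```python
"""Whitelist-style log watcher with an SSH brute-force counter.

Added example: models the approach discussed in the thread. It is not
SEC and not OpenBSD's own code. Log lines below are constructed.
"""
import re
from collections import Counter

# Regexes for lines we expect and do not want reported (assumed list;
# a real deployment would grow this from its own logs).
KNOWN_PATTERNS = [
    re.compile(r" sshd\[\d+\]: Accepted publickey for \w+ from [\d.]+ port \d+"),
    re.compile(r" cron\[\d+\]: \(\w+\) CMD \("),
    re.compile(r" newsyslog\[\d+\]: logfile turned over"),
    # Failed logins are "known" too: they are counted, not reported one by one.
    re.compile(r" sshd\[\d+\]: Failed password for (invalid user )?\w+ from [\d.]+ port \d+"),
]

# sshd failure line; the source address is captured for counting.
SSH_FAILED = re.compile(
    r" sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

SSH_FAIL_THRESHOLD = 3  # assumed threshold for this example

# Constructed sample of OpenBSD-style syslog lines (not a real capture).
SAMPLE_LOG = """\
May 28 10:40:01 gw cron[1234]: (root) CMD (/usr/libexec/atrun)
May 28 10:40:12 gw sshd[2201]: Accepted publickey for tang from 192.0.2.10 port 51022 ssh2
May 28 10:41:03 gw sshd[2210]: Failed password for root from 198.51.100.7 port 40001 ssh2
May 28 10:41:05 gw sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
May 28 10:41:08 gw sshd[2212]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
May 28 10:41:09 gw sshd[2213]: Failed password for root from 203.0.113.9 port 40010 ssh2
May 28 10:42:00 gw /bsd: wd0: device timeout, resetting
May 28 10:43:00 gw newsyslog[2300]: logfile turned over
"""


def watch(lines, threshold=SSH_FAIL_THRESHOLD):
    """Classify log lines.

    Returns (unknown_lines, failures_per_ip, blacklist): lines matching no
    known pattern, a per-source count of failed SSH logins, and the sorted
    list of sources that reached the threshold.
    """
    unknown = []
    failures = Counter()
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = SSH_FAILED.search(line)
        if m:
            failures[m.group("ip")] += 1
        if not any(p.search(line) for p in KNOWN_PATTERNS):
            unknown.append(line)
    blacklist = sorted(ip for ip, n in failures.items() if n >= threshold)
    return unknown, dict(failures), blacklist


def pf_table_commands(blacklist, table="bruteforce"):
    """Build the pfctl commands that would add each address to a pf table.

    Only the strings are returned; nothing is run. The table name is an
    assumption and would need a matching 'table <bruteforce> persist' in pf.conf.
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in blacklist]


if __name__ == "__main__":
    unknown, failures, blacklist = watch(SAMPLE_LOG.splitlines())
    print("Unknown lines (need a look or a new pattern):")
    for line in unknown:
        print("  ", line)
    print("Failed SSH logins per source:", failures)
    print("Would run:", pf_table_commands(blacklist))
```

On the sample, only the `/bsd: wd0` line is reported as unknown; the three failures from 198.51.100.7 reach the threshold while the single one from 203.0.113.9 does not. Keeping the "known" list explicit is what makes the unknown report useful: every new message type either earns a pattern or gets investigated.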