Inline.

> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
> Gene Dellinger
> Sent: Wednesday, October 26, 2005 11:14 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: log analysis
>
> A couple of questions:
> Anyone have a recommendation on a good log analysis tool for
> iptables/netfilter?

Yes. It's called Snort. =)

> How difficult is it to perform Intrusion Detection using
> iptables, any real world stories (good and bad) desired.

Next to impossible unless you start writing your own string-based signatures and get the string match or l7 support I keep hearing about.

> Thanks
> Gene D.
>

I don't log with netfilter. I use Snort and BASE for NIDS. There are many viable options for NIDS and HIDS (like Tripwire). In my opinion the only purpose of the LOG/ULOG targets is testing rules on live firewalls. The default netfilter logs don't include the packet payload anyway, which can tell you whether the M$ command banner Snort flagged is real or just Bugtraq.

Derick Anderson
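For readers who still want to do something with the output of the LOG target, the following is an added example (not from this thread, and not code from Snort, BASE or any other tool named above). It parses the KEY=VALUE line layout that the iptables LOG target writes to the kernel log and runs a crude port-sweep check over it. The sample lines, the `IPT-DROP:` log prefix, the addresses and the `min_ports` threshold are all constructed for the example; the point is that only IP/TCP header fields are available to analyze, because that is all the LOG target emits.

```python
"""Minimal analyzer for iptables/netfilter LOG-target lines.

Added example, not from the netfilter mailing-list thread. The log lines
in SAMPLE_LINES are constructed to follow the LOG target's layout: a
syslog header, the rule's --log-prefix, then KEY=VALUE tokens and bare
flags such as DF or SYN. No payload bytes appear; only header fields.
"""
import re
from collections import defaultdict

# KEY=VALUE tokens (IN=eth0, SRC=192.0.2.10, DPT=22, OUT= with empty value).
_KV = re.compile(r"\b([A-Z]+)=(\S*)")
# Bare flag words the LOG target prints for IP and TCP headers.
_FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CE"}

# Constructed sample input: one host probing six ports, one host making a
# single SSH attempt, one UDP packet, and an unrelated sshd line.
SAMPLE_LINES = [
    "Oct 26 23:14:01 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Oct 26 23:14:01 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Oct 26 23:14:02 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Oct 26 23:14:02 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1004 DF PROTO=TCP SPT=40004 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Oct 26 23:14:03 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1005 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Oct 26 23:14:03 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1006 DF PROTO=TCP SPT=40006 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Oct 26 23:14:05 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=2001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Oct 26 23:14:06 fw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=55 ID=2002 PROTO=UDP SPT=5353 DPT=5353 LEN=58",
    "Oct 26 23:14:09 fw sshd[4321]: Accepted publickey for gene from 203.0.113.7 port 51000 ssh2",
]


def parse_log_line(line):
    """Split one LOG-target line into its --log-prefix, header fields and flags.

    Returns None for lines that are not netfilter LOG output (no IN= token),
    so the analyzer can be fed a whole mixed syslog stream.
    """
    m = re.search(r"\bIN=", line)
    if m is None:
        return None
    head, tail = line[:m.start()], line[m.start():]
    # Everything after "kernel:" and before IN= is the rule's --log-prefix.
    prefix = head.split("kernel:", 1)[-1].strip()
    fields = dict(_KV.findall(tail))
    flags = {tok for tok in tail.split() if tok in _FLAGS}
    return {"prefix": prefix, "fields": fields, "flags": flags}


def port_sweeps(lines, min_ports=5):
    """Report sources whose logged TCP SYNs touched at least min_ports
    distinct destination ports. Crude, header-only sweep detection: the LOG
    target gives us addresses, ports and flags, nothing from the payload."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["fields"].get("PROTO") != "TCP":
            continue
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            ports[rec["fields"]["SRC"]].add(int(rec["fields"]["DPT"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, dports in port_sweeps(SAMPLE_LINES).items():
        print(f"{src} probed {len(dports)} ports: {dports}")
```

Feed it real lines with `port_sweeps(open("/var/log/kern.log"))` and tune `min_ports` to the host; because the only inputs are SRC, DPT and the SYN flag, it will never tell you what the connecting client sent, which is exactly the gap a payload-inspecting NIDS fills.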