[ossec-list] Nmap logging dilemma
I have a dilemma.
I just added a patch that would help me to get the FQDN of the host scanned. Therefore if I have a server farm that I want to check, I can get a log stating the PC name instead of the IP. (Try using OSSEC with 100+ hosts.)
The problem is that if the target (victim of the scan) is wise, it could change its PTR and then I will never match with the history log like FTS.
It may be a scenario where you do not want to match IP+PTR. In that scenario my patch would be a problem.
One solution that comes to my mind is logging the scan twice, once with PTR and once without. You would get a double report when a port changes, but you get to keep history for the IP, while also getting a PTR change alert.
Another issue would be when you temporarily do not have resolving. Then you would get a third record.
RFC.
TIA
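The design question in the post (keep scan history keyed by IP so a PTR change cannot break matching, while still surfacing the PTR change as its own alert, and without producing a spurious record when reverse DNS temporarily fails) can be sketched in a few lines. The following is an added example written for this page; it is not code from the original post or from the OSSEC project. The `Host:` line parser, the alert strings and the sample scan lines are assumptions made for the example; the input is constructed in the style of nmap's greppable output.

```python
"""
Added example (not from the original post or the OSSEC project): keep nmap
scan history keyed by IP, store the PTR name as an attribute of that record,
and raise separate alerts for port changes and for PTR changes.
The parser, the alert format and the sample lines below are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample data: a previous and a current scan of the same farm.
# Host .11 changed its PTR, host .12 had no reverse DNS answer last time.
PREVIOUS_SCAN = """\
Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.0.2.11 (db01.example.test)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///
Host: 192.0.2.12 ()\tPorts: 22/open/tcp//ssh///
"""
CURRENT_SCAN = """\
Host: 192.0.2.10 (web01.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.0.2.11 (mail01.example.test)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///
Host: 192.0.2.12 (backup01.example.test)\tPorts: 22/open/tcp//ssh///
"""

# Assumed shape of a greppable-output host line: "Host: <ip> (<ptr>) Ports: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


@dataclass
class HostState:
    ip: str
    ptr: Optional[str]                      # None when reverse DNS gave no answer
    open_ports: Set[int] = field(default_factory=set)


def parse_grepable(text: str) -> Dict[str, HostState]:
    """Parse 'Host:' lines into records keyed by IP address, never by PTR."""
    hosts: Dict[str, HostState] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, ptr, ports = m.group(1), m.group(2).strip() or None, m.group(3)
        open_ports: Set[int] = set()
        for entry in ports.split(","):
            fields = entry.strip().split("/")        # port/state/proto/...
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add(int(fields[0]))
        hosts[ip] = HostState(ip, ptr, open_ports)
    return hosts


def diff_scans(prev: Dict[str, HostState], cur: Dict[str, HostState]) -> List[str]:
    """Port changes are matched on IP; PTR changes become their own alert."""
    alerts: List[str] = []
    for ip in sorted(set(prev) | set(cur)):
        old, new = prev.get(ip), cur.get(ip)
        if old is None:
            alerts.append(f"NEW_HOST {ip} ptr={new.ptr} ports={sorted(new.open_ports)}")
            continue
        if new is None:
            alerts.append(f"HOST_GONE {ip} ptr={old.ptr}")
            continue
        # The readable name is decoration only; the history key stays the IP.
        label = f"{ip} ({new.ptr or old.ptr or 'unresolved'})"
        for p in sorted(new.open_ports - old.open_ports):
            alerts.append(f"PORT_OPENED {label} {p}/tcp")
        for p in sorted(old.open_ports - new.open_ports):
            alerts.append(f"PORT_CLOSED {label} {p}/tcp")
        # A missing answer on either side is not a rename, so a temporary
        # resolver failure does not create a third, unrelated record.
        if old.ptr and new.ptr and old.ptr != new.ptr:
            alerts.append(f"PTR_CHANGED {ip} {old.ptr} -> {new.ptr}")
        elif old.ptr is None and new.ptr:
            alerts.append(f"PTR_RESOLVED {ip} {new.ptr}")
    return alerts


def run_example() -> List[str]:
    """Compare the two constructed scans and return the alert lines."""
    return diff_scans(parse_grepable(PREVIOUS_SCAN), parse_grepable(CURRENT_SCAN))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Keying on the IP and carrying the PTR as a field gives the single-record behaviour the post is after: host .11 renaming itself yields one PTR_CHANGED line and leaves its port history intact, and host .12 going from unresolved to resolved is reported without being treated as a new host.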
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.