Intrusion Detection Systems, Part IV: Logcheck
logtail -- A custom executable that remembers the last position of a text file. This program is used by
logcheck-- to parse out information from the last time the log was opened, this prevents reviewing old material twice. All log files will be processed with this program and will have a file named #########.offset put in the same directory, where ####### is the name of the log file checked. This file contains the decimal offset information for logtail to work. If you delete it, logtail will parse the file from the beginning again. Logcheck tracks the size and inode of log files to enable it to tell when a log file has been rotated. If the inode of the log changes, or the file size is smaller than the last run, logtail will reset the counter and parse the entire file.
logcheck.hacking -- This file contains keywords that are certifiable attacks on your system. We leave this file sparse, unless I know what a certain pattern of attack looks like (The default keywords are usually generated by Internet Security Scanner attacks, or Sendmail if it is being fed illegal syntax in address lines). Any keyword in a log file that matches here will generate a report with a more obnoxious header to grab your attention faster: eg. ACTIVE SYSTEM ATTACK
logcheck.violations -- This file contains keywords of system events that are usually seen as negative. Words such as denied,, refused,, etc. Positive words such as successes are also put in here. This file is of course not all-inclusive and is heavily biased towards FWTK messages and BSDish messages with TCP wrappers installed. Violations here are reported under the heading Security Violations, in the reports.
logcheck.violations.ignore -- This file contains words that are reverse searched against the logcheck.violations file.
Make and Make Install
This brings us to the last part of the Installation and configuration procedure. su as root and run the following commands in the logcheck directory
trevor@freeos.com:~/logcheck-1.1.1>make linux
trevor@freeos.com:~/logcheck-1.1.1>make install
All the scripts and configuration files are installed to /usr/local/etc. Having installed the binaries and logcheck scripts to the respective directories we have come to the fag end of this article. What remains now is for you to ensure that Logcheck runs at regular intervals. And who does this better than CRON? So make the appropriate entries into your /etc/crontab file.
#15 Minute check (Linux Slackware Systems /var/spool/cron/crontabs/root):
00,15,30,45 * * * * /usr/local/etc/logcheck.sh
- « first
- ‹ previous
- of 6
- next ›
- last »