Network Security Focus-Linux

Re: Detecting brute force attacks

Subject: Re: Detecting brute force attacks
Date: Wed, 25 Oct 2006 15:25:14 -0700
On Tuesday 24 October 2006 13:41, Nic Stevens wrote:
> I wrote a script to detect brute force attacks by watching log files.
> 
> If you want to try it, it is here:
> http://www.ducksfeet.com/nic2/secwatch/index.html

This is a PHP script. I'm not sure that running PHP on the same machine as an 
Oracle server is the best of all possible plans. There's a rather large 
history of problems with PHP, and once it's installed people tend to use it, 
as nature takes its course.

My take is that if you're going to do this via a log watcher* written in an 
interpreter, you'd be better off with something closer to a native package. 
As per the OP, that would tend more toward Perl, as it's installed on both RH 
and SuSE minimal systems. Or, if things are leaning more toward RH, it might 
make more sense to go with Python, as a RH environment tends to build those 
skills--closer to RH native (GUI-ack!) tools.

OTOH, the OP hasn't been abundantly clear on terminology. In the circles I 
hang out in, there's been some discussion re: whether dictionary == 
brute-force attacks. Commonly assumed to be equivalent, yes. Validity, at 
least somewhat questionable. But that could all be written off to semantics.

I think we need more word from the OP. I'm not certain we'll get it, as so 
far, things are looking like, "I are a random Oracle CSSP, cannot adequately 
describe my problem, but nonetheless need help." 

Does a firewall or sshd logging solution meet the need, or does he require 
analysis of patterns (if any) in the accounts attacked and the passwords 
submitted? If it's the latter, then my post from a couple of days ago 
applies.

*If* the solution is yet another log analyzer, I'd recommend that before 
anyone rolls their own, they run off (quick like a bunny) and read Marcus 
Ranum's thoughts on how to do this.

Right now, we've no idea of what the OP needs, as he's made exactly one vague 
post, five days ago. I truly hope that this doesn't represent the internal 
state of the Oracle security group.

-- 
Greg Metcalfe
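As an added example (not part of this thread, and not Nic Stevens' script), here is the kind of interpreter-based log watcher the post calls "closer to native": Python, reading the standard OpenSSH "Failed password" syslog line, alerting once per source address that reaches a threshold inside a sliding window, and tallying which accounts were attacked, the "patterns in the accounts attacked" part of the question. The log format, hostname, addresses, PIDs and thresholds are assumptions; sshd does not log the passwords submitted, so those cannot be analyzed from this source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic OpenSSH auth-log line (assumed syslog format, which carries no year,
# so parse_line supplies one for the window arithmetic).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Constructed sample: one source hammering several accounts, plus one legitimate
# user with a single typo. Hostname, addresses and PIDs are made up.
SAMPLE_LOG = """\
Oct 24 13:41:01 db1 sshd[1201]: Failed password for root from 10.0.0.5 port 40001 ssh2
Oct 24 13:41:03 db1 sshd[1202]: Failed password for invalid user oracle from 10.0.0.5 port 40002 ssh2
Oct 24 13:41:05 db1 sshd[1203]: Failed password for root from 10.0.0.5 port 40003 ssh2
Oct 24 13:41:07 db1 sshd[1204]: Accepted password for greg from 192.168.1.10 port 50000 ssh2
Oct 24 13:41:09 db1 sshd[1205]: Failed password for admin from 10.0.0.5 port 40004 ssh2
Oct 24 13:41:12 db1 sshd[1206]: Failed password for root from 10.0.0.5 port 40005 ssh2
Oct 24 13:45:00 db1 sshd[1207]: Failed password for greg from 192.168.1.10 port 50001 ssh2
"""

def parse_line(line, year=2006):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def watch(lines, threshold=5, window_s=60):
    """Alert once per source IP that reaches `threshold` failures within `window_s`
    seconds; also tally the accounts targeted, for the pattern analysis the thread mentions."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    alerted, alerts = set(), []
    targeted = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # accepted logins, other daemons, noise
            continue
        ts, user, ip = parsed
        targeted[user] += 1
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # expire failures older than the window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, len(q), ts))
    return alerts, dict(targeted)
```

Feed it `tail -f`-style lines from the auth log instead of `SAMPLE_LOG.splitlines()` to run it live; the year default is a simplification and would need a rollover check in a long-running process.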
