| echo: | |
|---|---|
| to: | |
| from: | |
| date: | |
| subject: | Re: Need to find.. |
From: Jan van Hoek (NL)

>> Anyone got any ideas
>> on what software I could use
>> to monitor and respond to connects
>> on ports 25 and 110?

I suppose that your usual logging won't suffice (=not the right data fields) to check for such events, and you already thought of that?? Maybe the firewall logs give some clues. The examples you gave should be recognizable by specific combinations of service port, source and destination. You are not supposed to reveal the brand/type of your firewalls (at least that is standing policy in the company where I work), but I hope that it provides for an API interface to access the logfiles online, without having to wait for the periodic (end of day??) release of the logs.

--------------------------

The other thing that comes to mind is setting up a separate SNORT box to detect these events. It is an uncommon usage of such a device, and it will take some re-thinking of what such a box is supposed to do in normal life (=acting as an IDS).

Pro: Necessary expenditure = ZERO.
Con: will take some of your time and some bending backwards to create the necessary scripts.

Please don't ask me for a working example. I'm very rusty on this subject. A few years ago I volunteered a colleague of mine to take care of our SNORT box. Problem solved (for me). We both are happy with the situation ;-))

--
-- Jan van Hoek (NL)
-- Sun 23 May 2004 21:25 CET

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270
@PATH: 379/45 1 633/267
| SOURCE: echomail via fidonet.ozzmosis.com | |
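
An added example, not part of the original message, of the firewall-log approach the reply describes: it flags new TCP connections to ports 25 and 110 whose combination of source, destination and service port is not on an expected list. The netfilter-style log format, the addresses and the `EXPECTED` allowlist are assumptions constructed for illustration; the thread does not name the firewall in use.

```python
import re
from collections import Counter

MAIL_PORTS = {25: "smtp", 110: "pop3"}

# Hypothetical allowlist of expected (source, destination, port) combinations.
EXPECTED = {
    ("192.0.2.10", "198.51.100.25", 25),  # assumed: internal relay -> smarthost
}

# Constructed sample lines in an assumed netfilter LOG style.
SAMPLE_LOG = """\
May 23 21:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 PROTO=TCP SPT=40112 DPT=25 SYN
May 23 21:01:07 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.77 DST=203.0.113.9 PROTO=TCP SPT=1034 DPT=25 SYN
May 23 21:01:09 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.77 DST=203.0.113.40 PROTO=TCP SPT=1035 DPT=25 SYN
May 23 21:02:30 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.31 DST=203.0.113.5 PROTO=TCP SPT=2210 DPT=110 SYN
May 23 21:02:31 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.31 DST=203.0.113.5 PROTO=TCP SPT=2210 DPT=110 ACK
May 23 21:03:00 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.31 DST=203.0.113.80 PROTO=TCP SPT=2300 DPT=80 SYN
May 23 21:03:05 fw kernel: garbled line without fields
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse(line):
    """Return (src, dst, dport) for a new TCP connection (SYN, no ACK), else None."""
    fields = dict(FIELD.findall(line))
    flags = set(line.split())
    if fields.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
        return None
    try:
        return fields["SRC"], fields["DST"], int(fields["DPT"])
    except (KeyError, ValueError):
        return None  # malformed or truncated line

def unexpected_mail_connects(log_text):
    """Count connects to the mail ports whose combination is not in EXPECTED."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] in MAIL_PORTS and rec not in EXPECTED:
            hits[rec] += 1
    return hits

if __name__ == "__main__":
    for (src, dst, port), n in sorted(unexpected_mail_connects(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}:{port} ({MAIL_PORTS[port]}) x{n}")
```
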