Logging source port

npavlidis
Forum Regular
Posts: 122
Joined: Sun Jun 04, 2006 10:03 am

Logging source port


Hey guys,

http://blog.rootshell.be/2011/10/17/use ... witterfeed

Take a look at the article above and please comment, should ASL mandate these changes? I know it's something we can all change by hand, but should it be something that asl -s -f fixes for us?

Cheers,

Nik
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Logging source port


Good news, ASL already logs the port when it logs an attack. Just look at a typical WAF alert payload in the A header:

[17/Oct/2011:19:58:17 --0400] YWPLWMCoAfkAAA3WvTEAAAAB 192.168.1.250 42359 192.168.1.249 80

In this example, the source IP address is 192.168.1.250 and the source port is 42359.

So, no need to change your apache configs.
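
Added example, not part of the original posts and not Atomicorp's code: a small Python parser that pulls the source IP and source port out of A-header lines shaped like the one quoted above, skipping every other line in the log. It assumes the six-field layout visible in that line (timestamp, ID, source IP, source port, destination IP, destination port); the function names and all sample lines except the quoted one are constructed.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

class AuditHeader(NamedTuple):
    timestamp: datetime
    unique_id: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Assumed layout: [timestamp] id src_ip src_port dst_ip dst_port
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<uid>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)"
    r"\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)

def parse_header(line: str) -> Optional[AuditHeader]:
    """Parse one A-header line; return None for anything else."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    # The quoted line writes the UTC offset as "--0400"; collapse the doubled sign.
    ts_text = re.sub(r"\s([+-])[+-](\d{4})$", r" \1\2", m["ts"])
    try:
        ts = datetime.strptime(ts_text, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    sport, dport = int(m["sport"]), int(m["dport"])
    if sport > 65535 or dport > 65535:  # reject values that cannot be ports
        return None
    return AuditHeader(ts, m["uid"], m["src"], sport, m["dst"], dport)

def source_endpoints(lines):
    """Return (ISO timestamp, src_ip, src_port) for every valid header line."""
    parsed = (parse_header(line) for line in lines)
    return [(h.timestamp.isoformat(), h.src_ip, h.src_port) for h in parsed if h]

SAMPLE = [
    "--0a1b2c3d-A--",  # constructed section boundary
    "[17/Oct/2011:19:58:17 --0400] YWPLWMCoAfkAAA3WvTEAAAAB 192.168.1.250 42359 192.168.1.249 80",  # line from the post
    "--0a1b2c3d-B--",  # constructed
    "GET /index.php HTTP/1.1",  # constructed request line, not a header
    "[17/Oct/2011:19:58:18 -0400] CONSTRUCTED0000000000001 192.168.1.250 99999 192.168.1.249 80",  # constructed, bad port
]

if __name__ == "__main__":
    for row in source_endpoints(SAMPLE):
        print(*row)
```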