  1. #1
    Just Joined! | Joined Nov 2007 | Lithuania | 4 posts

    logs help

    Hello,

    First of all, I'm a newbie. How could I check Linux server logs for any tracks of a virus/trojan on LAN computers? I think I should look for huge traffic usage, but where?

  2. #2
    Linux Guru anomie | Joined Mar 2005 | Texas | 1,692 posts
    What services are you hosting on the debian box?

    Is there a logwatch package available for debian? I've found it pretty useful on CentOS. It intelligently parses various log files and generates reports for your review.

  3. #3
    Just Joined! | Joined Nov 2007 | Lithuania | 4 posts
    Apache, MySQL, SMTP, DHCP (LAN of 15 computers).
    I am not sure about logwatch, I'm gonna check that next week.

  4. #4
    Linux Guru anomie | Joined Mar 2005 | Texas | 1,692 posts
    To get some clarification on your question (after re-reading), are you trying to watch for virus/trojan network activity on a network of Windows clients? Or are you wanting to watch your Linux servers for signs of break-in attempts and compromises?

  5. #5
    Just Joined! | Joined Nov 2007 | Lithuania | 4 posts
    The first one, I'm trying to watch for virus/trojan network activity on a network of Windows clients.

  6. #6
    Just Joined! | Joined Oct 2007 | Mexico | 65 posts
    Maybe you'll need Snort, or some NSM (Network Security Monitor) or IDS (Intruder Detection System) like software (BASE, Sguil); both use Snort as a base plus other complementary software, and some "rules" files are used by Snort to display warnings like virus activity, logging attempts to the DB or privilege escalation attempts (it means getting unauthorized privileges).

    Have you used (or seen) Ethereal / Wireshark???
    BASE and Sguil look / work like Wireshark/Ethereal, but you will need some hand work...
    I can't get the needed software to work together yet.

    Another thing: BASE uses an Apache / HTML front end, Sguil works on a "realtime" Tcl/Tk front end.

    See you
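As an added example, not from any poster in this thread: a short Python script that does the per-host counting the original poster asked about ("huge traffic usage, but where?"), over constructed Apache combined-format access log lines from a small LAN. It flags hosts whose request count or byte volume is far above the median across hosts, which is a cheap first check before an IDS like Snort is in place. The log lines, IP addresses and the threshold factor are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Apache "combined" log format: client IP, timestamp, request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def constructed_log():
    """Constructed sample: 14 quiet LAN clients plus one host (.42) hammering the server."""
    lines = []
    for i in range(1, 15):
        for n in range(2):
            lines.append(f'192.168.1.{i} - - [10/Nov/2007:10:{n:02d}:00 +0200] '
                         f'"GET /index.html HTTP/1.1" 200 2341')
    for n in range(60):
        lines.append(f'192.168.1.42 - - [10/Nov/2007:10:{n:02d}:00 +0200] '
                     f'"GET /cgi-bin/x.cgi HTTP/1.1" 404 512')
    return lines


def summarize(lines):
    """Return {ip: {"requests": n, "bytes": total}} for every parseable log line."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line (e.g. truncated); skip rather than crash
        s = stats[m.group("ip")]
        s["requests"] += 1
        size = m.group("size")
        s["bytes"] += int(size) if size != "-" else 0  # "-" means no body was sent
    return dict(stats)


def find_outliers(stats, factor=5.0):
    """Hosts whose request count or byte volume exceeds factor x the median over all hosts."""
    if len(stats) < 3:
        return []  # a median over one or two hosts is meaningless
    req_med = median(s["requests"] for s in stats.values())
    byte_med = median(s["bytes"] for s in stats.values())
    return sorted(ip for ip, s in stats.items()
                  if s["requests"] > factor * req_med or s["bytes"] > factor * byte_med)


if __name__ == "__main__":
    per_host = summarize(constructed_log())
    for ip in find_outliers(per_host):
        print(f"review {ip}: {per_host[ip]['requests']} requests, {per_host[ip]['bytes']} bytes")
```

On a real server, feed it `/var/log/apache2/access.log` (or the mail log with an adjusted regex); a flagged host is a lead to inspect, not proof of infection.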
