On 1/20/06, Mike Miller <mbmiller at taxa.epi.umn.edu> wrote:
> A friend has a Linux machine with many users.  Suppose one or more users
> is doing inappropriate things with the box like sending ping floods or
> scanning networks.  He would want to know about it.  Is there any software
> that is designed specifically to monitor for this kind of stuff and report
> when it sees something unusual?  A program like netstat can detect all
> sorts of network activity, but it would have to be called at intervals and
> its output would have to be parsed and analyzed by some other programs.

First off - a little rant.  If your friend can't trust his shell
users, they have no right to be on that box.  If he has *any* question
whatsoever about their usage of the box, they should either be denied
shell access until the details get sorted out or use a very limited
shell.  He could possibly think about using PKI auth with a limited
command set.  There are countless guides on the internet on this
subject.

I haven't had specific experience with Intrusion Detection Systems,
but it seems like this would be the perfect application for one.
Snort comes to mind.  They're specifically designed to scan for and
detect this sort of behavior, though I don't think they have the
ability to be able to tell which user kicked off a portscan/ping
flood/whatever.

-Erik
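To show the "call netstat at intervals and parse its output" approach from the question, and to cover the per-user attribution that Erik notes an IDS like Snort does not give, here is an added example that is not part of the original thread. It assumes the layout of Linux `netstat -tunpe` output (the `-e` flag adds the User column); the sample table is constructed, not captured from a real host.

```python
from collections import defaultdict

# Constructed sample in the layout of `netstat -tunpe` on Linux (not from a real host).
# -e adds User and Inode columns; with -n the user shows as a numeric uid.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address     Foreign Address   State       User  Inode  PID/Program name
tcp        0      0 10.0.0.5:45678    192.0.2.10:22     ESTABLISHED 1001  12345  4321/ssh
tcp        0      1 10.0.0.5:40001    192.0.2.20:21     SYN_SENT    1002  12346  5001/nc
tcp        0      1 10.0.0.5:40002    192.0.2.20:23     SYN_SENT    1002  12347  5001/nc
tcp        0      1 10.0.0.5:40003    192.0.2.20:25     SYN_SENT    1002  12348  5001/nc
tcp        0      1 10.0.0.5:40004    192.0.2.20:80     SYN_SENT    1002  12349  5001/nc
tcp        0      1 10.0.0.5:40005    192.0.2.20:443    SYN_SENT    1002  12350  5001/nc
udp        0      0 0.0.0.0:68        0.0.0.0:*                     0     9876   800/dhclient
"""

def parse_netstat(text):
    """Parse tcp/udp rows; UDP sockets usually have no State column, so detect it."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, _, _, local, foreign, *rest = fields
        state = rest.pop(0) if rest and rest[0].isupper() else ""
        user, _inode, prog = rest[:3]
        fhost, fport = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "fhost": fhost, "fport": fport,
                     "state": state, "user": user, "prog": prog})
    return rows

def flag_scanners(rows, port_threshold=5, host_threshold=10):
    """Per user: many distinct ports on one host, or many distinct hosts, is scan-like fan-out."""
    ports = defaultdict(set)   # (user, host) -> distinct foreign ports
    hosts = defaultdict(set)   # user -> distinct foreign hosts
    for r in rows:
        if r["fport"] == "*":  # unconnected socket, no peer to count
            continue
        ports[(r["user"], r["fhost"])].add(r["fport"])
        hosts[r["user"]].add(r["fhost"])
    findings = defaultdict(list)
    for (user, host), p in ports.items():
        if len(p) >= port_threshold:
            findings[user].append(f"{len(p)} distinct ports on {host}")
    for user, h in hosts.items():
        if len(h) >= host_threshold:
            findings[user].append(f"{len(h)} distinct hosts")
    return dict(findings)
```

Feed `parse_netstat` the live output of `netstat -tunpe` from a cron job to get the interval polling Mike describes; note that ICMP ping floods use raw sockets and never appear in the TCP/UDP tables, so this only covers the connection-based cases.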