From owner-freebsd-security Fri Jun 27 12:03:16 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id MAA08233 for security-outgoing; Fri, 27 Jun 1997 12:03:16 -0700 (PDT)
Received: from shell.firehouse.net (brian@shell.firehouse.net [209.42.203.51]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA08228 for ; Fri, 27 Jun 1997 12:03:10 -0700 (PDT)
Received: from localhost (brian@localhost) by shell.firehouse.net (8.8.5/8.8.5) with SMTP id PAA01026; Fri, 27 Jun 1997 15:02:54 -0400 (EDT)
Date: Fri, 27 Jun 1997 15:02:53 -0400 (EDT)
From: Brian Mitchell
To: Nathan Dorfman
cc: freebsd-security@FreeBSD.ORG
Subject: Re: ICMP Logging
In-Reply-To: <199706271343.JAA04122@limbo.senate.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 27 Jun 1997, Nathan Dorfman wrote:

> Is there a way for the kernel to syslog(3) all ICMP messages? This would serve
> two purposes; a) as I have all syslog messages directed to an unused vty I
> could observe such DoS attacks in progress and b) if they are stored in the
> log files I could use the logs in case the matter needed to be pursued further.
>
> If this is not a part of the current kernel, it would (IMO) be a very good
> addition to -current and -stable. If you *are* planning on adding it soon,
> please let me know and I'll hold off my upgrade (I'm currently running
> 2.2.1-RELEASE and wanted to upgrade to -stable).
>

ipfw can do this; also, you could redirect tcpdump to a log file. You could
also write a program using raw sockets to log icmp, or do the same with bpf.
The latter has an advantage of being able to log icmp directed to any machine
on your segment.

Brian Mitchell brian@firehouse.net
"BSD code sucks. Of course, everything else sucks far more." - Theo de Raadt
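The raw-socket variant Brian mentions, as an added example that is not code from the thread: a small ICMP logger that reads whole IPv4 datagrams from a raw ICMP socket, decodes source, destination, type and code, and hands each one to syslog(3). The function and variable names are my own and the sample datagram is constructed for the test; the listening loop needs root.

```c
/* Added example: log ICMP traffic seen by a raw socket via syslog(3). */
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Decode an IPv4 datagram carrying ICMP into a one-line log record.
 * Writes "icmp SRC -> DST type=T code=C len=N" into out and returns the
 * ICMP type, or -1 when the buffer is not a complete ICMP datagram
 * (too short, not IPv4, not protocol 1, or truncated ICMP header). */
int format_icmp_log(const unsigned char *pkt, size_t len, char *out, size_t outlen)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* IP header length in bytes */
    if (ihl < 20 || len < ihl + 8) return -1;    /* need at least type/code/cksum/rest */
    if (pkt[9] != IPPROTO_ICMP) return -1;
    const unsigned char *s = pkt + 12, *d = pkt + 16, *icmp = pkt + ihl;
    snprintf(out, outlen, "icmp %d.%d.%d.%d -> %d.%d.%d.%d type=%d code=%d len=%zu",
             s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3], icmp[0], icmp[1], len);
    return icmp[0];
}

/* Constructed sample: 20-byte IPv4 header (proto 1, 10.0.0.1 -> 10.0.0.2)
 * followed by an 8-byte ICMP echo request header (type 8, code 0). */
const unsigned char sample_echo_request[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1,    10, 0, 0, 2,
    8, 0, 0, 0,     0, 0, 0, 0 };

int main(void)
{
    /* BSD raw ICMP sockets deliver the full datagram, IP header included. */
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0) { perror("socket"); return 1; }
    openlog("icmplog", LOG_PID, LOG_DAEMON);
    unsigned char buf[65535];
    char line[128];
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n <= 0) continue;
        if (format_icmp_log(buf, (size_t)n, line, sizeof line) >= 0)
            syslog(LOG_INFO, "%s", line);   /* lands wherever syslog.conf sends it */
    }
}
```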