From owner-freebsd-questions Wed Nov 8 21:08:36 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from planw-22-181.pompano.net (planw-22-181.pompano.net [24.26.22.181]) by hub.freebsd.org (Postfix) with ESMTP id 4A15B37B479 for ; Wed, 8 Nov 2000 21:08:27 -0800 (PST)
Received: (from pchampon@localhost) by planw-22-181.pompano.net (8.9.3/8.9.3) id AAA13747 for freebsd-questions@freebsd.org; Thu, 9 Nov 2000 00:08:26 -0500 (EST) (envelope-from pchampon)
Date: Thu, 9 Nov 2000 00:08:26 -0500
From: Phil C
To: freebsd-questions@freebsd.org
Subject: ipfw/database/logging development
Message-ID: <20001109000826.B13677@planw-22-181.pompano.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have been pondering over the past few days whether it would be more sensible to develop something one way or the other... Anyone interested in commenting, please do....

I wanted to initially write a Perl script to monitor /var/log/security for user-defined ongoings of ipfw. I was then going to use this data in a database, which would expire entries after a defined amount of time. The database (using MLDBM) could keep track of each IP which, for example, was blocked, the port(s) they tried to connect from/to, and when... Monitoring scans, both immediate and those gradually building over time, would be simplified greatly... (on a cable network I find myself under a regular barrage of various intrusion attempts etc., ranging from doze-based attempts, like sub7 scans, to scans of ftp, ssh, portmap etc... ...)

Though since the idea's inception it occurred to me that grabbing the logs could mean that I would miss data (i.e. if I am scanned by, let's say, nmap -- default mode -- with a denial on TCP connections at logamount 1000, that limit will fill up pretty quick). This, while simple and for the most part effective, has become rather unappealing...

My other thought was to somehow use Perl's XS to write some functions etc. in C and translate them into Perl subs. But to do this (I have not figured out all of the logistics yet...) I would have to create a daemon that either polled the kernel somehow or ... Dunno what... The design model here is incomplete, but it seems to be the most appealing, because of the flexibility ... and quite frankly the challenge... But good documentation for this has been hard to come by...

So am I on crack... ????

What I am looking for here... is someone to either tell me I am reinventing the wheel... a place for good ipfw docs (I am already subscribed to freebsd-ipfw, just in case)... or perhaps a better design method... if you feel there is one.

Thanks,
Phil

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
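The log-scraping design Phil describes (parse ipfw Deny lines from /var/log/security, record per-source-IP the destination ports hit and when, expire old entries, and look for both burst scans and slow scans) is sketched below as an added example. It is not Phil's code and not part of the thread; it is written in Python rather than the Perl/MLDBM he proposes, keeps state in memory rather than a DBM file, and the ipfw log line shape it parses (`ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in|out via <iface>`) and the sample lines are constructed assumptions for the example. The hostnames, addresses and `LOG_YEAR` are likewise made up.

```python
"""Added example (not from the original post): parse ipfw Deny lines, keep a
per-source record of destination ports with time-based expiry, and flag sources
that hit many distinct ports. Sample log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog shape of a TCP/UDP ipfw log entry (constructed for this example):
#   Nov  9 00:01:11 gw /kernel: ipfw: 1000 Deny TCP 1.2.3.4:1025 5.6.7.8:22 in via ed0
# ICMP and other entries carry no ports and are counted as unparsed, not tracked.
IPFW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)
LOG_YEAR = 2000  # syslog timestamps carry no year; fixed here as an assumption


def parse_ts(ts):
    """Turn a syslog timestamp such as 'Nov  9 00:08:26' into a datetime."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


def parse_ipfw_line(line):
    """Return a dict for a TCP/UDP ipfw log line, or None for anything else."""
    m = IPFW_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = parse_ts(ev["ts"])
    for key in ("rule", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev


class ScanTracker:
    """Per-source-IP list of (time, proto, dport) denied hits, expired after `window`."""

    def __init__(self, window):
        self.window = window
        self.hits = defaultdict(list)

    def add(self, ev):
        if ev["action"] == "Deny":
            self.hits[ev["src"]].append((ev["ts"], ev["proto"], ev["dport"]))

    def expire(self, now):
        """Drop hits older than the window; forget sources with nothing left."""
        cutoff = now - self.window
        for src in list(self.hits):
            kept = [h for h in self.hits[src] if h[0] >= cutoff]
            if kept:
                self.hits[src] = kept
            else:
                del self.hits[src]

    def suspects(self, min_ports):
        """Sources that hit at least min_ports distinct (proto, dport) pairs."""
        out = {}
        for src, hits in self.hits.items():
            ports = sorted({(proto, dport) for _, proto, dport in hits})
            if len(ports) >= min_ports:
                out[src] = ports
        return out


def analyze(lines, now_ts, window_seconds, min_ports):
    """Feed log lines into a tracker; return (suspects, unparsed_line_count).

    Entries ipfw never wrote because the rule's logamount was exhausted are simply
    absent, so these counts are a lower bound on what actually arrived."""
    tracker = ScanTracker(timedelta(seconds=window_seconds))
    unparsed = 0
    for line in lines:
        ev = parse_ipfw_line(line)
        if ev is None:
            unparsed += 1
            continue
        tracker.add(ev)
    tracker.expire(parse_ts(now_ts))
    return tracker.suspects(min_ports), unparsed


# Constructed sample lines: one slow source (10.1.1.9, two ports an hour apart),
# one burst source (24.26.22.50, five ports in two seconds), one ICMP probe and
# one single web hit from 192.0.2.7.
SAMPLE_LOG = [
    "Nov  8 23:10:02 gw /kernel: ipfw: 1000 Deny TCP 10.1.1.9:40001 24.26.22.181:22 in via ed0",
    "Nov  9 00:01:11 gw /kernel: ipfw: 1000 Deny TCP 24.26.22.50:1025 24.26.22.181:21 in via ed0",
    "Nov  9 00:01:11 gw /kernel: ipfw: 1000 Deny TCP 24.26.22.50:1026 24.26.22.181:22 in via ed0",
    "Nov  9 00:01:12 gw /kernel: ipfw: 1000 Deny TCP 24.26.22.50:1027 24.26.22.181:111 in via ed0",
    "Nov  9 00:01:12 gw /kernel: ipfw: 1000 Deny UDP 24.26.22.50:1028 24.26.22.181:111 in via ed0",
    "Nov  9 00:01:13 gw /kernel: ipfw: 1000 Deny TCP 24.26.22.50:1029 24.26.22.181:27374 in via ed0",
    "Nov  9 00:03:40 gw /kernel: ipfw: 1000 Deny ICMP:8.0 192.0.2.7 24.26.22.181 in via ed0",
    "Nov  9 00:05:00 gw /kernel: ipfw: 1000 Deny TCP 192.0.2.7:3333 24.26.22.181:80 in via ed0",
    "Nov  9 00:07:30 gw /kernel: ipfw: 1000 Deny TCP 10.1.1.9:40002 24.26.22.181:21 in via ed0",
]

if __name__ == "__main__":
    burst, skipped = analyze(SAMPLE_LOG, "Nov  9 00:10:00", 30 * 60, 3)
    slow, _ = analyze(SAMPLE_LOG, "Nov  9 00:10:00", 24 * 3600, 2)
    print("burst scanners (3+ ports within 30 min):", burst)
    print("slow scanners (2+ ports within a day):", slow)
    print("lines skipped (no ports):", skipped)
```

Running the same log through two windows is the point: a 30-minute window with a high port threshold catches the nmap-style burst, while a one-day window with a low threshold catches the source that touches one port per hour. A persistent store such as the MLDBM file Phil mentions would replace the `hits` dict, and the expiry pass would run on a timer rather than once at the end.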