From owner-freebsd-security  Tue Mar 12 14:59: 0 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mobile.webweaving.org (uds84-60.dial.hccnet.nl [62.251.60.84])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5522137B448; Tue, 12 Mar 2002 14:58:12 -0800 (PST)
Received: from localhost.leiden.webweaving.org (localhost.leiden.webweaving.org [127.0.0.1] (may be forged))
	by mobile.webweaving.org (8.10.2/8.10.2) with ESMTP id g2CMvs210242;
	Tue, 12 Mar 2002 23:57:54 +0100 (CET)
X-Curiosity: Killed the Cat
X-Huis-aan-Huis-deur-sticker: nee-nee
X-Spam: no
X-Passed: MX on Gandalf.WebWeaving.org Tue, 12 Mar 2002 23:57:54 +0100 (CET) and masked
X-No-Spam: Neither the receipients nor the senders email address(s)
	are to be used for Unsolicited (Commercial) Email without the
	explicit written consent of either party; as a per-message fee
	is incurred for inbound and outbound traffic to the originator.
Date: Tue, 12 Mar 2002 23:57:54 +0100 (CET)
From: dirkx@covalent.net
X-X-Sender: dirkx@gandalf.leiden.webweaving.org
To: phk@FreeBSD.ORG
Cc: hackers@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Userland Hacker Task: divert socket listener...
In-Reply-To: <35126.1015973393@critter.freebsd.dk>
Message-ID: <Pine.OSX.4.43.0203122357160.16762-100000@gandalf.leiden.webweaving.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


On Tue, 12 Mar 2002, Poul-Henning Kamp wrote:

> Here is something I miss a lot:
>
> I would like a small program which can listen to a specified divert(4)
> socket and act on the incoming packets.
>
> Specifically I want to direct all unwanted trafic from my ipfw rules
> into the divert socket and have the program examine these packets
> and when configured thresholds were exceeded take actions like:
>
> 	Add a blackhole route for a period of time to the source
> 	IP to prevent any packets getting back to the attacker.
>
> 	Add a blocking ipfw rule for incoming trafic from the
> 	attackers IP# for some period of time.
>
> 	Add a divert ipfw rule for incoming trafic from the
> 	attackers IP# to capture all the tricks he is trying to
> 	do.
>
> 	Log the received packets in detail in pcap format files.
>
> 	Report the packets to Dshield.org

	Reroute/rewrite all my outgoing port 25 mail to some
	magic smart host over an userland ssh connection.

Dw


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message