From: dirkx@covalent.net
Date: Tue, 12 Mar 2002 23:57:54 +0100 (CET)
To: phk@FreeBSD.ORG
Cc: hackers@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Userland Hacker Task: divert socket listener...
In-Reply-To: <35126.1015973393@critter.freebsd.dk>

On Tue, 12 Mar 2002, Poul-Henning Kamp wrote:

> Here is something I miss a lot:
>
> I would like a small program which can listen to a specified divert(4)
> socket and act on the incoming packets.
>
> Specifically I want to direct all unwanted traffic from my ipfw rules
> into the divert socket and have the program examine these packets
> and when configured thresholds were exceeded take actions like:
>
> Add a blackhole route for a period of time to the source
> IP to prevent any packets getting back to the attacker.
>
> Add a blocking ipfw rule for incoming traffic from the
> attacker's IP# for some period of time.
>
> Add a divert ipfw rule for incoming traffic from the
> attacker's IP# to capture all the tricks he is trying to
> do.
>
> Log the received packets in detail in pcap format files.
>
> Report the packets to Dshield.org

Reroute/rewrite all my outgoing port 25 mail to some magic smart host
over a userland ssh connection.

Dw

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
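Added example, not code from this thread or from any FreeBSD tool: the core of the listener phk asks for, in portable C. It parses the source address out of a raw IPv4 packet as a divert(4) socket delivers it, counts packets per source in a fixed window, and reports once when a configured threshold is crossed so the caller can add the blocking ipfw rule or blackhole route. The threshold, window, table size and divert port 8668 are assumed values; the socket loop is guarded for FreeBSD and drops diverted packets rather than reinjecting them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#define MAX_SRC   64   /* tracked sources (assumed sizing) */
#define THRESHOLD 10   /* packets per source per window before acting (assumed) */
#define WINDOW    60   /* window length in seconds (assumed) */
struct src_entry { uint32_t ip; unsigned count; time_t start; };
static struct src_entry table[MAX_SRC];

/* IPv4 source address (network order) of a raw packet; 0 if too short or not IPv4. */
int ipv4_src(const uint8_t *pkt, size_t len, uint32_t *src)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    memcpy(src, pkt + 12, 4);          /* header bytes 12..15 hold the source */
    return 1;
}

/* Count one packet from src at time now.  Returns 1 exactly when the threshold
 * is crossed in the current window, so the caller fires its action only once. */
int note_packet(uint32_t src, time_t now)
{
    struct src_entry *e = NULL, *victim = &table[0];
    for (int i = 0; i < MAX_SRC; i++) {
        if (table[i].ip == src) { e = &table[i]; break; }
        if (table[i].start < victim->start) victim = &table[i];   /* oldest slot */
    }
    if (e == NULL || now - e->start >= WINDOW) {   /* new source or expired window */
        if (e == NULL) e = victim;                  /* evict the oldest source */
        e->ip = src; e->count = 0; e->start = now;
    }
    return ++e->count == THRESHOLD;
}

#ifdef __FreeBSD__   /* the divert socket type exists only on FreeBSD */
#include <sys/socket.h>
#include <netinet/in.h>
int main(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(8668) }; /* port assumed */
    uint8_t buf[65535]; uint32_t src;
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("divert"); return 1; }
    for (;;) {   /* packets are read but never reinjected, so the divert rule drops them */
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n > 0 && ipv4_src(buf, (size_t)n, &src) && note_packet(src, time(NULL)))
            printf("threshold hit by %u.%u.%u.%u: add ipfw/blackhole rule here\n", buf[12], buf[13], buf[14], buf[15]);
    }
}
#endif
```

The ipfw side would be a rule such as `divert 8668` for the traffic already judged unwanted; the program then only decides when a source has earned a longer-lived block.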