From owner-freebsd-security@FreeBSD.ORG Wed Mar 3 06:55:16 2004
From: Patrick Proniewski <patpro@patpro.net>
Date: Wed, 3 Mar 2004 15:55:13 +0100
To: Francisco Reyes
Cc: Liste FreeBSD-security <freebsd-security@freebsd.org>
Subject: Re: How to monitoring activity on a card?
In-Reply-To: <20040303094647.J93367@zoraida.natserv.net>

On 03 mars 2004, at 10:51, Francisco Reyes wrote:

> My setup 4.9 stable with IPFW. Machine acts as gateway for two
> machines.
>
> What are my options on monitoring activity on my external card?
>
> This morning I noticed my DSL modem activity light is blinking
> non-stop.
> Looking at /var/log/ I don't see anything suspicious.
>
> I feel tempted to add "log" to all my ipfw pass rules, but wonder if
> there isn't a better way.
>
> I am mostly concerned there is either some kind of attack going on or
> somehow the machine was hacked and it's running something it's not
> supposed to.
If you really want some real-time control, you might want to try tcpdump, but you'll soon be flooded by the data. Best practice is probably to put some log rules in your IPFW and then use a log parser to get some stats from that. You can also add an IDS of some sort, and checkrootkit on a crontab.

patpro
-- 
I'm looking for a Mac/UNIX sysadmin position (or a young, pretty, rich woman)
http://patpro.net/cv.php
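The "log rules plus a log parser" approach suggested above, as an added example that is not part of the original thread: a small Python parser that reads ipfw syslog lines and aggregates them per action, per inbound source and per inbound destination port, so a blinking modem light can be matched to who is actually talking on the external interface. The log lines are constructed for this example, and the line layout it assumes is the ipfw syslog format (`ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] <in|out> via <iface>`); the interface name `fxp0` and the addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed ipfw syslog layout; not real traffic.
SAMPLE_LOG = """\
Mar  3 15:40:01 gw /kernel: ipfw: 100 Accept TCP 192.168.0.2:1034 62.4.20.155:80 out via fxp0
Mar  3 15:40:02 gw /kernel: ipfw: 100 Accept TCP 192.168.0.2:1035 62.4.20.155:80 out via fxp0
Mar  3 15:40:03 gw /kernel: ipfw: 300 Deny TCP 10.9.8.7:4444 62.4.20.1:135 in via fxp0
Mar  3 15:40:03 gw /kernel: ipfw: 300 Deny TCP 10.9.8.7:4445 62.4.20.1:445 in via fxp0
Mar  3 15:40:04 gw /kernel: ipfw: 300 Deny ICMP:8.0 10.9.8.7 62.4.20.1 in via fxp0
Mar  3 15:40:05 gw /kernel: ipfw: 100 Accept UDP 192.168.0.3:53201 62.4.20.155:53 out via fxp0
"""

# Ports are optional because ICMP records carry "PROTO:type.code" and no ports.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)


def parse_line(line):
    """Return a dict for one ipfw log record, or None for unrelated syslog lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def summarize(text, iface=None):
    """Aggregate records, optionally restricted to one interface (the external card)."""
    stats = {"by_action": Counter(), "by_src_in": Counter(),
             "by_dport_in": Counter(), "by_dst_out": Counter()}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or (iface and rec["iface"] != iface):
            continue
        stats["by_action"][rec["action"]] += 1
        if rec["dir"] == "in":
            stats["by_src_in"][rec["src"]] += 1          # who is knocking from outside
            if rec["dport"] is not None:
                stats["by_dport_in"][rec["dport"]] += 1  # which services they probe
        else:
            stats["by_dst_out"][rec["dst"]] += 1         # where the LAN hosts are talking to
    return stats


if __name__ == "__main__":
    for name, counter in summarize(SAMPLE_LOG, iface="fxp0").items():
        print(name, counter.most_common(3))
```

On a real gateway, feed it `/var/log/security` (where syslog usually puts ipfw records) and an unexpected top outbound destination or a single inbound source hitting many ports is what to look at first.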