Date: Wed, 19 Feb 2003 21:04:38 -0500 From: "Michael Scheidell" <scheidell@secnap.net> To: <freebsd-stable@FreeBSD.ORG> Subject: Question about ipfilter logs and I may have a proof of concept patch to fix? Message-ID: <000501c2d884$6d7b1220$0103460a@secnap.com>
I decided to try ipfilter instead of ipfw and had a question about the logs
and TEXT for the ICMP type rather than an icmp type code.
FBSD 4.8 4.8-PRERELEASE (today's cvs)
Feb 19 19:55:53 scanner ipmon[49]: 19:55:52.897839 fxp1 @0:16 b
207.18.92.26 -> 208.237.120.133 PR icmp len 20 84 icmp echo/0 IN
I noticed that in 'other' ipfilter logs I have seen, that log would
look like this:
Feb 19 19:55:53 scanner ipmon[49]: 19:55:52.897839 fxp1 @0:16 b
207.18.92.26 -> 208.237.120.133 PR icmp len 20 84 icmp 8/0 IN
Note this from man ipmon:
If the packet is an ICMP packet, there will be two fields
at the end, the first always being `icmp', and the next
being the ICMP message and submessage type, separated by a
slash, e.g., icmp 3/3 for a port unreachable message
started ipmon with:
ipmon_flags="-Ds"
or
ipmon_flags="-Dsp"
I suspect some 'switch' that should be regulated by the -n option is
reversed somewhere.
I have never looked at the code before today, but could it be near line 1059
of /usr/src/contrib/ipfilter/ipmon.c
I note that hostname() takes a 'res' argument (set later depending on the
RESOLVE switches, -n and -pP) but that icmpname doesn't.
(void) sprintf(t, "%s PR icmp len %hu %hu icmp %s",
hostname(res, v, d), hl, plen,
icmpname(ic->icmp_type, ic->icmp_code));
would something like this fix it? (same would have to be done for the ipv6
part)
maybe fix/change icmpname to take an additional arg, res.
(I didn't want to go through all the source to test it)
if (res) {
(void) sprintf(t, "%s PR icmp len %hu %hu icmp %s",
hostname(res, v, d), hl, plen,
icmpname(ic->icmp_type, ic->icmp_code));
} else {
(void) sprintf(t, "%s PR icmp len %hu %hu icmp %hu/%hu",
hostname(res, v, d), hl, plen,
ic->icmp_type, ic->icmp_code);
}
possible proof of concept patch to fix?
--- ipmon.c.orig Thu Nov 21 21:07:50 2002
+++ ipmon.c Wed Feb 19 20:58:55 2003
@@ -1054,9 +1054,15 @@
ic = (struct icmp *)((char *)ip + hl);
(void) sprintf(t, "%s -> ", hostname(res, v, s));
t += strlen(t);
+ if (res) {
(void) sprintf(t, "%s PR icmp len %hu %hu icmp %s",
hostname(res, v, d), hl, plen,
icmpname(ic->icmp_type, ic->icmp_code));
+ } else {
+ (void) sprintf(t, "%s PR icmp len %hu %hu icmp %hu/%hu",
+ hostname(res, v, d), hl, plen,
+ ic->icmp_type, ic->icmp_code);
+ }
if (ic->icmp_type == ICMP_UNREACH ||
ic->icmp_type == ICMP_SOURCEQUENCH ||
ic->icmp_type == ICMP_PARAMPROB ||
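Review bot: the hunk only changes the IPv4 ICMP path; the mail itself says the IPv6 part needs the same change, so as posted it will still print text type names for ICMPv6 under -n. Two smaller points: the three original sprintf/hostname/icmpname lines now sit inside the new `if (res) {` block but are left as unchanged context with their old indentation, so they should be reindented as changed lines; and since `hostname(res, v, d), hl, plen` is duplicated in both branches, giving icmpname() the `res` argument (as suggested earlier in the mail) would let a single sprintf cover both cases and avoid the two formats drifting apart.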
note, after the patch it seems to be consistent with the man page, and can be parsed with
'most' ipmon parse scripts.
Why should this not be there?
cd /usr/src
make most
killall ipmon
/usr/obj/usr/src/sbin/ipmon/ipmon -Dsp
tail -f /var/log/firellog:
Feb 19 20:36:38 scanner ipmon[50]: 20:36:38.155242 fxp1 @0:16 b
207.18.92.26 -> 208.237.120.133 PR icmp len 20 84 icmp echo/0 IN
Feb 19 21:02:29 scanner ipmon[573]: 21:02:29.744779 fxp1 @0:16 b
207.18.92.26 -> 208.237.120.133 PR icmp len 20 84 icmp 8/0 IN
Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
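The log format discussed in the mail, as an added parser (example code, not from the mail or from ipfilter): it accepts both the text form (`icmp echo/0`) and the numeric form (`icmp 8/0`), so a parse script keeps working whichever way ipmon prints the type. Only `echo` = 8 is confirmed by the mail; the other entries in the name table are an assumption taken from the icmptypes[] list in ipmon.c and should be checked against your source.

```python
import re

# Numeric ICMP types for the names ipmon prints. "echo" == 8 is confirmed by
# the log lines in the mail; the rest are ASSUMED from ipmon.c's icmptypes[].
ICMP_NAMES = {
    "echoreply": 0, "unreach": 3, "sourcequench": 4, "redirect": 5,
    "echo": 8, "routeradvert": 9, "routersolicit": 10, "timxceed": 11,
    "paramprob": 12, "timest": 13, "timestrep": 14,
}

# One ipmon packet line after the syslog prefix, per ipmon(8):
#   HH:MM:SS.usec iface @group:rule action src -> dst PR proto len hl plen [icmp type/code] DIR
IPMON_RE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hl>\d+) (?P<plen>\d+)"
    r"(?: icmp (?P<itype>[^/\s]+)/(?P<icode>\d+))?"
    r" (?P<dir>IN|OUT)\b"
)

def icmp_type_number(token):
    """Accept either the numeric form ("8") or the name ipmon prints ("echo")."""
    if token.isdigit():
        return int(token)
    if token in ICMP_NAMES:
        return ICMP_NAMES[token]
    raise ValueError("unknown ICMP type name: %r" % token)

def parse_ipmon_line(line):
    """Return a dict of fields, or None if the line is not an ipmon packet log."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("group", "rule", "hl", "plen"):
        rec[k] = int(rec[k])
    if rec["itype"] is not None:
        rec["icmp_type"] = icmp_type_number(rec["itype"])  # normalised to a number
        rec["icmp_code"] = int(rec["icode"])
    return rec

# Constructed sample input: the two forms quoted in the mail (text vs numeric type).
SAMPLE_LINES = [
    "Feb 19 19:55:53 scanner ipmon[49]: 19:55:52.897839 fxp1 @0:16 b "
    "207.18.92.26 -> 208.237.120.133 PR icmp len 20 84 icmp echo/0 IN",
    "Feb 19 21:02:29 scanner ipmon[573]: 21:02:29.744779 fxp1 @0:16 b "
    "207.18.92.26 -> 208.237.120.133 PR icmp len 20 84 icmp 8/0 IN",
]

def blocked_icmp_echo(lines):
    """Count blocked ICMP echo requests regardless of which form ipmon emitted."""
    recs = (parse_ipmon_line(l) for l in lines)
    return sum(1 for r in recs if r and r["action"] == "b" and r.get("icmp_type") == 8)
```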
