From: "Michael Scheidell"
Subject: Question about ipfilter logs and I may have a proof of concept patch to fix?
Date: Wed, 19 Feb 2003 21:04:38 -0500
Organization: Secnap Network Security, LLC.

I decided to try ipfilter instead of ipfw and had a question about the logs and TEXT for the ICMP type rather than an icmp type code.

FBSD 4.8 4.8-PRERELEASE (today's cvs)

Feb 19 19:55:53 scanner ipmon[49]: 19:55:52.897839 fxp1 @0:16 b 207.18.92.26 -> 208.237.120.133 PR icmp len 20 84 icmp echo/0 IN

I noticed that on 'other' ipfilter logs that I have seen that log would look like this:

Feb 19 19:55:53 scanner ipmon[49]: 19:55:52.897839 fxp1 @0:16 b 207.18.92.26 -> 208.237.120.133 PR icmp len 20 84 icmp 8/0 IN

Note this from man ipmon:

    If the packet is an ICMP packet, there will be two fields at the end,
    the first always being `icmp', and the next being the ICMP message and
    submessage type, separated by a slash, e.g., icmp 3/3 for a port
    unreachable message

started ipmon with: ipmon_flags="-Ds" or ipmon_flags="-Dsp"

I suspect some 'switch' that should be regulated by the -n option is reversed somewhere. I have never looked at the code before today, but could it be near line 1059 of /usr/src/contrib/ipfilter/ipmon.c

I note that hostname() takes a 'res' argument (set later depending on the RESOLVE switches, -n and -pP) but that icmpname doesn't.

    (void) sprintf(t, "%s PR icmp len %hu %hu icmp %s",
        hostname(res, v, d), hl, plen,
        icmpname(ic->icmp_type, ic->icmp_code));

would something like this fix it?
(same would have to be done for the ipv6 part) maybe fix/change icmpname to take an additional arg, res. (i didn't want to go through all the source to test it)

    if (res) {
        (void) sprintf(t, "%s PR icmp len %hu %hu icmp %s",
            hostname(res, v, d), hl, plen,
            icmpname(ic->icmp_type, ic->icmp_code));
    } else {
        (void) sprintf(t, "%s PR icmp len %hu %hu icmp %hu/%hu",
            hostname(res, v, d), hl, plen,
            ic->icmp_type, ic->icmp_code);
    }

possible proof of concept patch to fix?

--- ipmon.c.orig Thu Nov 21 21:07:50 2002
+++ ipmon.c Wed Feb 19 20:58:55 2003
@@ -1054,9 +1054,15 @@
 ic = (struct icmp *)((char *)ip + hl);
 (void) sprintf(t, "%s -> ", hostname(res, v, s));
 t += strlen(t);
+ if (res) {
 (void) sprintf(t, "%s PR icmp len %hu %hu icmp %s",
 hostname(res, v, d), hl, plen,
 icmpname(ic->icmp_type, ic->icmp_code));
+ } else {
+ (void) sprintf(t, "%s PR icmp len %hu %hu icmp %hu/%hu",
+ hostname(res, v, d), hl, plen,
+ ic->icmp_type, ic->icmp_code);
+ }
 if (ic->icmp_type == ICMP_UNREACH ||
 ic->icmp_type == ICMP_SOURCEQUENCH ||
 ic->icmp_type == ICMP_PARAMPROB ||

note, after patch it seems to be consistent with man, can be parsed with 'most' ipmon parse scripts. Why should this not be there?

    cd /usr/src
    make most
    killall ipmon
    /usr/obj/usr/src/sbin/ipmon/ipmon -Dsp
    tail -f /var/log/firellog:

Feb 19 20:36:38 scanner ipmon[50]: 20:36:38.155242 fxp1 @0:16 b 207.18.92.26 -> 208.237.120.133 PR icmp len 20 84 icmp echo/0 IN
Feb 19 21:02:29 scanner ipmon[573]: 21:02:29.744779 fxp1 @0:16 b 207.18.92.26 -> 208.237.120.133 PR icmp len 20 84 icmp 8/0 IN

Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
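Review bot: the added `else` branch in the hunk repeats the whole hostname/len format string and argument list and differs from the `if (res)` branch only in the last conversion; since `res` is already the value passed to `hostname(res, v, d)`, handing it to `icmpname()` as well (the change the mail itself floats) and letting that function return either the name or the `type/code` text would leave a single sprintf here and keep the IPv6 path, which the mail says needs the same treatment, from drifting. The three pre-existing sprintf lines now sit inside the new `if (res) {` block but keep their old indentation; re-indenting them with the added lines makes the new block visible to the next reader. Minor: `icmp_type` and `icmp_code` in `struct icmp` are `u_char`, so `%u` is the conventional conversion; `%hu` is only correct because of default argument promotion.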
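The mail's complaint is that the textual form (`icmp echo/0`) and the numeric form documented in ipmon(8) (`icmp 8/0`) break log consumers that expect only one of them. Until the logger is fixed, the consumer can accept both. The following is an added example and is not code from the mail or from ipfilter: a small Python parser for ipmon lines of the kind quoted above that recognises either spelling and normalises the ICMP type to its number, then aggregates blocked ICMP by type so both forms land in one bucket. The two sample lines are the ones quoted in the mail; the `echo` to 8 mapping is confirmed by those lines, while the other names in `ICMP_TYPE_NAMES` are assumed to match the spellings in ipmon's icmpname() table and should be checked against the ipmon.c of the release in use. Field names in the returned record are my own.

```python
import re
from typing import Optional

# Constructed sample input: the two log lines quoted in the mail, one in the
# textual form ipmon printed before the patch, one in the numeric form.
SAMPLE_LINES = [
    "Feb 19 20:36:38 scanner ipmon[50]: 20:36:38.155242 fxp1 @0:16 b "
    "207.18.92.26 -> 208.237.120.133 PR icmp len 20 84 icmp echo/0 IN",
    "Feb 19 21:02:29 scanner ipmon[573]: 21:02:29.744779 fxp1 @0:16 b "
    "207.18.92.26 -> 208.237.120.133 PR icmp len 20 84 icmp 8/0 IN",
]

# ICMPv4 type name -> IANA type number. "echo" -> 8 is confirmed by the log
# lines in the mail; the other spellings are ASSUMED to match ipmon's
# icmpname() table and must be verified against the release's ipmon.c.
ICMP_TYPE_NAMES = {
    "echorep": 0, "unreach": 3, "squench": 4, "redir": 5, "echo": 8,
    "routerad": 9, "routersol": 10, "timex": 11, "paramprob": 12,
    "timest": 13, "timestrep": 14, "inforeq": 15, "inforep": 16,
    "maskreq": 17, "maskrep": 18,
}

# One ipmon line as relayed through syslog:
#   <syslog stamp> <host> ipmon[<pid>]: <time> <iface> @<group>:<rule> <action>
#   <src> -> <dst> PR <proto> len <hlen> <plen> [icmp <type>/<code>] <IN|OUT>
IPMON_RE = re.compile(r"""
    ^(?P<syslog_time>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s
    (?P<host>\S+)\sipmon\[(?P<pid>\d+)\]:\s
    (?P<time>\d\d:\d\d:\d\d\.\d+)\s
    (?P<iface>\S+)\s@(?P<group>\d+):(?P<rule>\d+)\s
    (?P<action>\S+)\s
    (?P<src>\S+)\s->\s(?P<dst>\S+)\s
    PR\s(?P<proto>\w+)\slen\s(?P<hlen>\d+)\s(?P<plen>\d+)
    (?:\sicmp\s(?P<icmp_type>[\w-]+)/(?P<icmp_code>\d+))?
    \s(?P<direction>IN|OUT)\b
""", re.VERBOSE)


def icmp_type_number(text: str) -> Optional[int]:
    """Return the numeric ICMP type for either spelling ipmon may emit.

    Digits are taken as-is; a name is looked up in ICMP_TYPE_NAMES; an
    unknown name yields None so the caller can notice rather than miscount.
    """
    if text.isdigit():
        return int(text)
    return ICMP_TYPE_NAMES.get(text.lower())


def parse_ipmon_line(line: str) -> Optional[dict]:
    """Parse one ipmon log line into a dict, or return None if it does not match."""
    m = IPMON_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "group", "rule", "hlen", "plen"):
        rec[key] = int(rec[key])
    if rec["proto"] == "icmp" and rec["icmp_type"] is not None:
        # Keep the raw text for debugging, normalise the type to a number.
        rec["icmp_type_text"] = rec["icmp_type"]
        rec["icmp_type"] = icmp_type_number(rec["icmp_type"])
        rec["icmp_code"] = int(rec["icmp_code"])
    return rec


def count_blocked_icmp_by_type(lines) -> dict:
    """Count blocked ('b') ICMP packets per numeric type across both spellings."""
    counts: dict = {}
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec and rec["action"] == "b" and rec["proto"] == "icmp":
            counts[rec["icmp_type"]] = counts.get(rec["icmp_type"], 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_ipmon_line(sample))
    print(count_blocked_icmp_by_type(SAMPLE_LINES))
```

Running the block on the two quoted lines yields one record per line with `icmp_type == 8` for both, and the aggregate `{8: 2}`; a name that is not in the table comes back as `None`, which is the signal to extend the table from the local ipmon.c rather than silently folding it into some other bucket.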