From owner-freebsd-security Mon Feb 28 15:46:19 2000
Date: Mon, 28 Feb 2000 17:46:19 -0600
From: Dave McKay
To: Lev Serebryakov
Cc: All
Subject: Re: ipfw log accounting
Message-ID: <20000228174619.A71978@elvis.mu.org>
References: <1774.000229@imc.macro.ru>
In-Reply-To: <1774.000229@imc.macro.ru>

Lev Serebryakov (lev@imc.macro.ru) wrote:
> Hi, All!
>
> Are there some tools to analyze the output of a "deny log ip from any to
> any" ipfw rule and find dangerous activity, like portscans and others?
> I want to analyze the log every hour, and reset log counters after it.
> I don't want to receive messages about every single dropped packet.
>
> And one more question:
> How could I write a rule which skips all broadcast traffic? My
> computer is on a big provider's net, and there is more than one
> broadcast address (many subnets on one wire)...
>

A tool such as you are asking for could easily be written in perl.
Just have your ipfw log to a file through syslogd or ipfw itself.
Then write a tool to check and analyse the data and send you mail
on it every hour.

-- 
Dave McKay
Network Engineer - Google Inc.
dave@mu.org - dave@google.com
I'm feeling lucky...
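The hourly analyser Dave sketches, as an added example that is not part of the thread (Dave suggests perl; this is written in Python). It assumes the classic ipfw syslog line shape ("ipfw: <rule> Deny <proto> <src>:<port> <dst>:<port> in via <iface>") and flags a source whose denied packets touched many distinct destination ports, which is the crude portscan signature Lev asks about; the log lines are constructed, not captured.

```python
import re
from collections import defaultdict

# Classic ipfw syslog line shape (assumed; check against your own /var/log/security):
#   Feb 28 17:46:19 gw /kernel: ipfw: 500 Deny TCP 10.1.2.3:40512 192.0.2.10:22 in via fxp0
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_ipfw(line):
    """Return a dict for one ipfw log line, or None if the line is not an ipfw record."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None  # ICMP lines carry no ports
    return rec

def find_portscans(lines, threshold=10):
    """Flag sources whose denied packets touched >= threshold distinct (dst, dport) pairs."""
    targets = defaultdict(set)   # src -> {(dst, dport), ...}
    denied = defaultdict(int)    # src -> number of denied packets (any protocol)
    for line in lines:
        rec = parse_ipfw(line)
        if rec is None or rec["action"] != "Deny":
            continue
        denied[rec["src"]] += 1
        if rec["dport"] is not None:
            targets[rec["src"]].add((rec["dst"], rec["dport"]))
    return {src: {"distinct_targets": len(t), "denied_packets": denied[src]}
            for src, t in targets.items() if len(t) >= threshold}

def hourly_report(lines, threshold=10):
    """Text the hourly cron job would pipe into mail(1); empty string means nothing to report."""
    scans = find_portscans(lines, threshold)
    return "".join(f"{src}: {v['distinct_targets']} ports/hosts probed, "
                   f"{v['denied_packets']} packets denied\n"
                   for src, v in sorted(scans.items()))

# Constructed sample: one source sweeping ports 20-40, one benign retry on port 80,
# one ICMP line, and one unrelated syslog line.
SAMPLE = [f"Feb 28 17:{m:02d}:00 gw /kernel: ipfw: 500 Deny TCP 203.0.113.5:4{m:04d} "
          f"192.0.2.10:{20 + m} in via fxp0" for m in range(21)]
SAMPLE += ["Feb 28 17:30:00 gw /kernel: ipfw: 500 Deny TCP 198.51.100.7:51000 192.0.2.10:80 in via fxp0"] * 5
SAMPLE += ["Feb 28 17:31:00 gw /kernel: ipfw: 500 Deny ICMP 198.51.100.7 192.0.2.10 in via fxp0",
           "Feb 28 17:32:00 gw sshd[123]: Accepted publickey for dave"]

if __name__ == "__main__":
    print(hourly_report(SAMPLE), end="")
```

Run it from cron once an hour over the lines logged since the last run (for example by rotating the file first) and pipe any non-empty output into mail(1), which is the behaviour Lev describes wanting.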