Date: Tue, 12 Mar 2002 17:12:54 -0800 From: "Crist J. Clark" <cjc@FreeBSD.ORG> To: Poul-Henning Kamp <phk@FreeBSD.ORG> Cc: hackers@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Userland Hacker Task: divert socket listener... Message-ID: <20020312171254.H29705@blossom.cjclark.org> In-Reply-To: <35126.1015973393@critter.freebsd.dk>; from phk@FreeBSD.ORG on Tue, Mar 12, 2002 at 11:49:53PM %2B0100 References: <35126.1015973393@critter.freebsd.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On Tue, Mar 12, 2002 at 11:49:53PM +0100, Poul-Henning Kamp wrote:
>
> Here is something I miss a lot:
>
> I would like a small program which can listen to a specified divert(4)
> socket and act on the incoming packets.
>
> Specifically I want to direct all unwanted trafic from my ipfw rules
> into the divert socket and have the program examine these packets
> and when configured thresholds were exceeded take actions like:
>
> Add a blackhole route for a period of time to the source
> IP to prevent any packets getting back to the attacker.
>
> Add a blocking ipfw rule for incoming trafic from the
> attackers IP# for some period of time.
>
> Add a divert ipfw rule for incoming trafic from the
> attackers IP# to capture all the tricks he is trying to
> do.
>
> Log the received packets in detail in pcap format files.
>
> Report the packets to Dshield.org
>
> etc.
>
> Any takers ?
I wrote a framework for something like that a few months ago during a
fit of boredom. Meet dpcd, the Divert Packet Capture Daemon. I don't
even remember if I left the code in a working state. I'm sure I had
writing pcap(3) files working at one point.
Tarball of what I got attatched.
--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
[-- Attachment #2 --]
�a<�[{w֖Sq{[p ?\ih
YmÎ>9z7I"dw{|8l
O
uspx9ĵ8>j">2]ɒԎyt߯7KƛptA*?xzxpNgHT>rO~g'OO:5f]k0?s\{Ak9=o(^u.c2M#V^+7[ ).qU1zgIMƗ/ēWv�Ya 2_N:Z|mnh8D
:ว>|o8#۹Rѳi{o{(4
^v'~OʳTyZ
~FGp#?\EgԂhBS8IS`O.XOc;xIBX3UQJLj![J0WzD
~&8"DĐhE];[Fm
سS&>IiSeIexN^·@Vef<8U5jXBd9wDzK1XػCd$wK).LRv JOč^ДƢJG{"$ I1"]\ڋA
O}&%"YFY#dđ
' tvtVI=GقٱIB-1
9d"DAA`
gBA;\
5
^SwQ1ɌF#FYxJbLE(-phMY
0
wKf~pR
k
AtCp#'[c� qw%@
l4
ê|X6i.ܨa|dE,P5
ӡ87Z H1_ŽbaKt/cE2Vtdn
2āV8 [yh$x> b;;v)9DẼhX!v s汥6E-^~7
`qtdH>̃;ڋ}0_-уވ6*g;=!/?l icE<4UnnsQ$TWf~H DҔDQ2,J{3PV{o}NKK
(
]=+U8(8(<^
p\
0
>(|5
籀8ffJ:@IʒX4)@GFHF5(3l
[Tn(rDVn ӗ(
'ó.~k;8}
ӱuz5
'N/Dwǿ
n46'1
rta0eN.M0b0
Қbt$$
eKs{Sfgt@+F]]t
ft5
' v֤wѵ.M 96{
{zaJ׀26{S⣸AD )&#gх MÀ=1
As0Uy@ycЙ\Njjϒo9y..l˴ۤ�9PjbԬ
FSk8hW hx;
0ېp�<X37&$ ؛
įֹ9ZDCʚ
(̚&KnION^UC֙u�F0Ѱ{/
1L<DlQ~iCόVC'fpgMތ
(h
] R
`t5{kG{5:2y=&ք.]Z#эwiּF5 -t
ża
}s[}+:5#)9=S6}tsC=.V՜84TLUlhPx92XnR$@5d,"BYN5j*96!UH3|E<
G:3\ÎFk2֩+%!ge{juM"bB%aNf^z#{P:($D
[R4V=#WV@֨Y2,@s_Zlѡ
h^XnSxju|閁[h:]2.ji
/uZjAT#EBOeuhPj$_W/]rQV$'C[<MÆ[Yb9
ē^O}]dfN86dJ>.
iA+MؖQS'$E8hM3fҾa49ӽu(d
*
v
:P1W&개vV(拾F
}mIJ@
ʭ
d$>J)FҒX``sRzVzקxCU*z7f.(d
AZlޙ,-wR;
I1k'osyd"XQ+f+Jen
U&ra J`KV=ҌPC"%y
gȭa4J
\CO:m=@%S$w0Vg!{mMdHoQ'H ۔a&ۦaa
赙%
�M`
8pu!mWvP1yejCi=\9es
3?f~�ZZDcE3jܥ%zGC
9erHpNUdAʇDEubvOɴ
H%!E%Y
x=!4#Peu*
`>A1j#9x1X-�ufh\Ð[@0KH4+"!2BM\{3 _4WIMXRmH~O
ʂ"QGG+r
^Hl7=f;Ka,1"
-
8@}lzɚ %b
-s*(nD5"XFxqq/XuQpν
rYx("'ٲ*,{]t
#Y!j:٨@Q(Ԑ@r{
a{!<GC%9nv*D
̈B(eJJ&@�r<<RaeX/
tT!#ULU`
QZEw(M<y Sy4^0CO)<EUېǩ2**RfF4RW6q4'[$HÏ+
dCEϫfnG$XnqΦ
DjX
JsTRD'2wa5<[_ɰbKȬ_68bN>*VfM qcyk,gt秘#ç4?b_
>fFOq�y?`|ӢA�w?0{L 背xsOF1cC5쵏E}r99*a|'{bOkƲVCtߵ~
w״^^[
*K`lpgե.7Bek{k͏F
D"A3
ܪHvŰ)zbxhDv-ŨiӨ]W14п`ti}nP#MdN&n4Zu(^_w;pxѤ
Vm=Y&ymz/BVlR66wBRi~uE)U(5
NѠhI,7/4N%«
:JWwvJH\:ıKD!Si+LK-mSڮ\su
58J|7Ns/S4ܧki\5D>/p!;|#N
4
qq}
B
5P\]RPs2K]_vu{0?<WݼmGzBBNk1}Kx7n/DG@u&zS
dkk
_zu~s+z._?h|/bo!?Sj0"a>M8Axk
~lqnJ=:
T0me Q-I : `KqQ'7d}h Q6` J4g)TBH͡)/NĵH58J
2=K~wej'fhoPUՕP<L+݂ʫC
Iqֵ"@:34<ADE=M
L5d7u j
ѣPrkS~o=BB֨&ɫ/#EG
o;iDY&ϧ\Vxlxa*E8m
dF?}9@ix.̇eez\1GTձ�"toB1
`Ksh
ApD
ϜeDXd
~Ѽ^9NR'e*hSTt4uah4z^HOyyi<h٬9
s
6N.%Nɥu$8+3wx3v&=eUmO2c4Z&<TvUD*E'O
D92@Ʈ`J۵ +2Y|94vV\{5o}Q*r9/l|A
dMHXj*siq Ws&hd"
X
=6f'sJ.*%F`= ƻl\y4JBVL=^ήAS;z}]txݷCO\^D12,B#Q$H%i+8Jd{t5
y-\CpymTû
9}7U; [<SÒ_iFF=xۭV݆�]4t#$Y*8Al=IU!iGHG)w6CA\Z
2JS}-zuIHԯ|&n
MVTcfz4j9EwRg3
w^䤯w%ڶUQqC\QhoJ˲R)7B]
VB}+%ҳ(y5TI
_rDoq* ߯,E0M6S b
/N
\PRfab3Cwa- z=xG*nAOanyQCYÌ=^P9_q0O
*m+Ȍ,3l&
;_6s;eOC7}?<-_W*u<կU*S
^s
䜅&K;_ܔKdE1=?Tj=,Je#T�n\vH uc$e[!-r
`d
4 ҿtCʪDUEFIވ5>SB!fjVol^#4JȒy.xkKߤxp[GO)�!G$_4[Qv
$=[{,I7M|v
/[`8
StgKa?$7'o˳W[f4=t$ n=EY$sH,
{
O X
I+ ww<*C펉1#\/\+ךbq`23ՌҠչ'0[ϼzϟQaOkmy[
?VM^<@.)Q^aҫzIyo@$*qtxY}bݥ
j
\ބҰ/-!VȂE
GOggb
Mݴ
ʲXV.`@ёn
I^{wlmS(~%WQW@edT~cƦGF[hF z
04
Mq8�G1% =hWv)
cTpNVDE
ZVC
g=+㦅gXR+TWY}=w35F^J{j=EuJٝta[wxL
?,�~ҙMT̓?o/M7SvE2@33-B
nnm|ӧ&_ybm̂7Sdfߑ2RS2.Ϯ^9+?Z&>/(K]r6Zt6*U$Aa�HQ
A/Fy
5Fj\)Q3ipC@eۥ5>y
?q`U&eE>l8 ѻBi@
@8\%4V7
W4COTA(-X
G
O! hkMPlXxШՓhhondWA0Ǔzb&3N478z=ΟbJ%>
VT
â̫o*QS)3IFRMY@T]m
:
v"@t^?aDZ
85nQ6@$
>\
t
/
Kga忣
?Έ~DžhwThGѢwl!ۍ1B{}PN>O::A+~܁
AyQ8(`o6,8#<"sSd7nZ"Ϸf9j2I
5#꠆0L"dVqԽ"k1l"wYӺESz.ù9m3
{m7m#[Ui|9'Ǜ+ 2[Bvtq'Î5BqݓwP{u�J\wp;AKSI~y)i)5≶kGDc
7?$$w.<d-^OB'I
zE^9@dfg.
$6q;Cb|<}eOuuq0r<
-P!ˏ?q�SJujVC<
G3�rjN.a�dLf\EP!Hj]y'<CB
㷢W3
2zjd.d%.b
23)I\ϣX
YV&RȈ/+feU%
1kÎ_^7ʹK^U6rXIuKR//يc8S`B>
k�J-v/~*-nTD)#ʍrIk5$R4FNѿ!yo
>&t-
DjM{{c
6^
2 eΒc%$tйR_ʅ {UG}I#9Oꟷm5G?%媼V3w?m|QQ살~Y.@"~^|
aC;@4G}J?:0
a7s_
nPnj-
;<iSf]usO\B#4RkZnPF&=ȓs_�K6HhnJ^JE8*y:
yG)+\ k+t,r?CS^Vj%
LOo
l{$ ˂Xn?,( 5,(d
LeZ,ɄX-$PTs)2!4X8I&izpLHm"&bIibF
Sxsꥪ6ILuHOB{Z
l(\QDQJErȤ@>e|Iyrmۣ1ӵj)÷33!a-~Өҹ.&DK\
[ti,/;J'}1
8方A
Ń
*N'8/fR2QARoj'M
$%6*n7+N
gDB*
&&/IW7=X]4` !Ibc)i#S 9iz.{̇?3%硫)_cf^ʤUOe_fvώ*iy3�*4DPE D>'`vZ rM8F"X$[E1#p|O$ЭDJ'df0H 0O[0H;lw]Laq >m|}̭TL̋tt
UUm81tIKhNħ3@:\\$xfqҰ<mZ11}DUknMs^=6·
zr\z>xO1/aHMXPLit5ٝxp0
G>0_Z2}~o@'\Ӧ
pXRɿG/
�M i@ٜsjjɤ8*ln[hKhSFmzɮ?Khj?
C/GO3|bOC*YB~aA�N"DY2N
nnS:r~ofjlk<C2u=˄߮
cˇ_7%w0
h90k23BفA8
bK
7AiL<cԹ:֫
:][k4j
L'3?3? ])/(+*Ҝ
^
)@V[
>qbjYpR9W/6cYnqQpҀҭQpXoV)~$Ϝpi[48ɼɁGj�3"EW6Ҽ h鞻D\h-0-=Na*@?Ӫuƙpi:_BxoM
hBgE,)X%�*w' 0X~M@W=a@i:>˲KFc{crJQ6j
r=ēf
p`�,0*}w
xճsGN~?shȹ{~«f,͝ן?a0w 6U[X9^;jt^
+JmAJ=D-H
+ў
t"*s"?q~~-?6v 9. 2ҟJOnIA %A.t`Hbȯ+h1DM~V-'M4HO3>)nt6XCB(ye!RںBTqM163k!P,W٨%
U603Ld�:_&]6FBEq"qehOk_k/nLcV
4Jsɜp A+hS6e25,14QJ7*9DkL0qǐUؙhyd,Ӊ(Èwt#FDm !a訐HY LοXEm1ػܔe
)Js
(& k~v:q' owd=} }i
Z,0ұ2i9Av/~
ucӣQ
(
~6k"?-R
|ћ2(jGg5l (u z|4cHyਔԗ/_@i<>';Tg3,?TՁ m}Jq>
C3bdfycaQEA Ngcd+Vbú
RuZ
Q+)He/}?^#x.Q Z)KyKHa
S=& yj|qtz1IQ#|*L㳯p*
wi)ZW }_v66\
w$-GO cպYR*aq̆C+|nsQۼlcx"
-]k/gûϵu"˪QA}>uIu
uĒ ,uEXs1f2:qSH[3.q}և.;u"l)Y
Zl>xbgъ[,옑LC7 ?lB#M`{<,D'E*̹xĶtۣmjN]~j,s
B
DS8&b@RSi3S/&DKP#Ӻ9G㠕FN`D
_Lɚ
$FGZN>i!FTfZG4M~cT
M%D͉O&gBXrEkO*
nTaө#:
X-Ii1pDoMf`)gЏyߵ?_k*W*F=;}';3
)O|<{'{g]
���
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020312171254.H29705>