From: Darren Reed <avalon@coombs.anu.edu.au>
Subject: Re: ipfw log limits by connection vs. rule
To: andrew@squiz.co.nz
Cc: avalon@coombs.anu.edu.au, j@lumiere.net, freebsd-security@FreeBSD.ORG
Date: Mon, 17 Aug 1998 19:10:20 +1000 (EST)
Message-Id: <199808170911.CAA10619@hub.freebsd.org>
In-Reply-To: from "Andrew McNaughton" at Aug 17, 98 09:02:23 pm
Sender: owner-freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4 PL23]

In some mail from Andrew McNaughton, sie said:
>
> On Mon, 17 Aug 1998, Darren Reed wrote:
>
> > In some mail from Andrew McNaughton, sie said:
> > [...]
> > > I've had this in mind for a while, but not yet had the time to write it.
> > > Has anyone got a script set up to summarise this stuff as it comes in?
> >
> > The most recent versions of IP Filter `compress' log entries for "similar"
> > packets. That is, if someone sent a flood of 50 ICMP packets (all the
> > same) at you, with no other packets in between, it may become 1 log entry.
>
> It's a good feature. I had thought that this feature was provided by
> syslogd rather than ipfw?

What I described is in IP Filter, not ipfw nor syslogd (which has its own).

> Etc etc. Doing it properly would take a bit of work in recognising the
> signatures of various kinds of attacks, and deciding what details need to
> be reported, but it need not all be done at once to be valuable.

IDS type work.
Darren
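As an added illustration, not code from this thread, IP Filter or ipfw, here is a summariser of the kind Andrew asks about: it collapses runs of consecutive identical firewall log entries into one entry with a count, the behaviour Darren describes for IP Filter. The syslog line layout it parses and the sample lines are constructed assumptions, not a real capture.

```python
import re
from collections import namedtuple

# Assumed ipfw-style syslog layout (constructed for this example, not from the post):
#   "<Mon dd HH:MM:SS> <host> /kernel: ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <if>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)
FIELDS = ("rule", "action", "proto", "src", "dst", "dir", "iface")

Entry = namedtuple("Entry", "first_ts last_ts count signature")

def signature(line):
    """Split a log line into (timestamp, packet signature); (None, None) if it is not an ipfw line."""
    m = LINE_RE.match(line)
    if not m:
        return None, None
    d = m.groupdict()
    return d["ts"], tuple(d[k] for k in FIELDS)

def compress(lines):
    """Collapse consecutive entries with the same signature into one Entry carrying a count.
    Any different packet in between ends the run, as in the 'no other packets in between' case."""
    out = []
    for line in lines:
        ts, sig = signature(line)
        if sig is None:
            continue  # not an ipfw log line; leave it to other tooling
        if out and out[-1].signature == sig:
            prev = out[-1]
            out[-1] = prev._replace(last_ts=ts, count=prev.count + 1)
        else:
            out.append(Entry(ts, ts, 1, sig))
    return out

def render(entry):
    """One summarised line per run, with a repeat count when the run is longer than one packet."""
    rule, action, proto, src, dst, direction, iface = entry.signature
    text = f"{entry.first_ts} ipfw: {rule} {action} {proto} {src} {dst} {direction} via {iface}"
    if entry.count > 1:
        text += f" (x{entry.count}, last {entry.last_ts})"
    return text

# Constructed sample: a 50-packet ICMP echo flood, one unrelated TCP packet, then one more ICMP.
SAMPLE = [f"Aug 17 19:05:{i:02d} gw /kernel: ipfw: 100 Deny ICMP:8.0 10.0.0.5 192.168.1.1 in via fxp0"
          for i in range(50)]
SAMPLE.append("Aug 17 19:05:50 gw /kernel: ipfw: 200 Deny TCP 10.0.0.9:1025 192.168.1.1:23 in via fxp0")
SAMPLE.append("Aug 17 19:05:51 gw /kernel: ipfw: 100 Deny ICMP:8.0 10.0.0.5 192.168.1.1 in via fxp0")

if __name__ == "__main__":
    for entry in compress(SAMPLE):
        print(render(entry))
```

Run against the sample, the 50-packet flood becomes a single line with "x50"; the trailing ICMP packet after the TCP one starts a new run rather than being folded into the first, which is the trade-off of this simple consecutive-run scheme.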