From owner-freebsd-hackers@FreeBSD.ORG Thu Dec 16 00:17:27 2004
Date: Wed, 15 Dec 2004 19:17:19 -0500 (EST)
From: John Von Essen
To: ctodd@chrismiller.com
cc: hackers@freebsd.org
Subject: Re: brute3.tar.gz
Message-ID: <20041215191327.V79963@beck.quonix.net>
References: <20041215184645.B79679@beck.quonix.net>
List-Id: Technical Discussions relating to FreeBSD

Hmm... Interesting. What if I try to redirect the output of tcpdump to a file? I am doing this on an f5 BigIP, which sort of runs a "FreeBSD-ish" kernel. I've tried:

tcpdump -i exp1 port ssh | grep -v '63.123' | grep -v 'lb01' >/var/ssh.capture

But it never writes to the file. The above will capture the next unauthorized ssh and allow me to identify the source machine.
-john

On Wed, 15 Dec 2004 ctodd@chrismiller.com wrote:

> Think this might be it?
>
> http://netgroup-serv.iet.unipi.it/brute/
>
> Just searched Google on brute.tar.gz
>
> Chris
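The pipeline John describes is the classic stdio-buffering trap: when tcpdump's stdout is a pipe rather than a terminal it block-buffers its text output, and each grep in the chain does the same when its own stdout is a pipe or a file, so nothing reaches /var/ssh.capture until several kilobytes of matching lines have accumulated. The script below is an added example, not code from the original thread; it shows the same filter with every stage forced to line buffering (tcpdump -l, grep --line-buffered) and exercises the filter offline against constructed tcpdump-style lines. It assumes a GNU-style grep that understands --line-buffered and a tcpdump that accepts -l; the interface name, the excluded patterns and the output path are taken from the message, while the function names and sample lines are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): making a
# "tcpdump | grep | grep > file" pipeline write lines as they arrive.
#
# Two buffers sit between the wire and the file:
#   1. tcpdump block-buffers text output when stdout is not a tty; -l makes it
#      line-buffered.
#   2. grep block-buffers too when stdout is a pipe or file; --line-buffered
#      flushes after every output line. Each extra grep adds another buffer,
#      so the two -v patterns are folded into a single grep here.
# Until those buffers fill (a few KiB), the capture file stays empty even
# though packets are matching.

# The filter stage on its own: drops the load balancer and the known-good
# /16 from tcpdump's text output, line by line. Patterns are from the message.
filter_ssh_lines() {
    grep --line-buffered -v -e '63.123' -e 'lb01'
}

# The live capture. Needs root and a real interface, so the test does not run it.
# -n is deliberately NOT used: the 'lb01' exclusion depends on tcpdump's
# reverse-DNS lookup of the load balancer's address.
capture_ssh() {
    iface=${1:-exp1}
    out=${2:-/var/ssh.capture}
    tcpdump -l -i "$iface" port ssh | filter_ssh_lines >"$out"
}

# Constructed sample in tcpdump's text format (not real captured traffic):
# one hit from the trusted 63.123 range, one from the load balancer lb01,
# and one unexpected client plus the server's reply to it.
SAMPLE_LINES='19:17:19.100001 IP 63.123.1.10.51234 > 10.0.0.5.22: S 1:1(0) win 5840
19:17:19.200001 IP lb01.example.net.40001 > 10.0.0.5.22: S 1:1(0) win 5840
19:17:19.300001 IP 198.51.100.77.33445 > 10.0.0.5.22: S 1:1(0) win 65535
19:17:19.400001 IP 10.0.0.5.22 > 198.51.100.77.33445: S 1:1(0) ack 2 win 5792'

# Number of sample lines that survive the filter (the unexpected session).
count_unexpected_ssh() {
    printf '%s\n' "$SAMPLE_LINES" | filter_ssh_lines | wc -l | tr -d ' '
}

# Source host.port of the first surviving line: the machine to investigate.
first_unexpected_source() {
    printf '%s\n' "$SAMPLE_LINES" | filter_ssh_lines | head -n 1 | awk '{print $3}'
}

# Run stand-alone to see the filter applied to the sample.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LINES" | filter_ssh_lines
fi
```

If the capture is going to be reviewed later rather than watched live, the grep stage can be dropped entirely: write the raw packets with `tcpdump -w file` (adding `-U` on current tcpdump so each packet is flushed to the file as it is captured) and apply the host exclusions afterwards with `tcpdump -r file 'not net 63.123 and not host lb01'`, which also keeps the full packet data for the investigation.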