From owner-freebsd-hackers@FreeBSD.ORG  Thu Dec 16 09:14:02 2004
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9507316A4CE
	for <hackers@freebsd.org>; Thu, 16 Dec 2004 09:14:02 +0000 (GMT)
Received: from mail06.syd.optusnet.com.au (mail06.syd.optusnet.com.au
	[211.29.132.187])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DF46A43D3F
	for <hackers@freebsd.org>; Thu, 16 Dec 2004 09:14:01 +0000 (GMT)
	(envelope-from PeterJeremy@optushome.com.au)
Received: from cirb503493.alcatel.com.au
	(c211-30-75-229.belrs2.nsw.optusnet.com.au [211.30.75.229])
	iBG9DqLq026924
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO);
	Thu, 16 Dec 2004 20:13:54 +1100
Received: from cirb503493.alcatel.com.au (localhost.alcatel.com.au
	[127.0.0.1])iBG9DqxP092024;	Thu, 16 Dec 2004 20:13:52 +1100 (EST)
	(envelope-from pjeremy@cirb503493.alcatel.com.au)
Received: (from pjeremy@localhost)iBG9DpuF092023;
	Thu, 16 Dec 2004 20:13:51 +1100 (EST)	(envelope-from pjeremy)
Date: Thu, 16 Dec 2004 20:13:51 +1100
From: Peter Jeremy <PeterJeremy@optushome.com.au>
To: John Von Essen <john@essenz.com>
Message-ID: <20041216091351.GD91817@cirb503493.alcatel.com.au>
References: <20041215184645.B79679@beck.quonix.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20041215184645.B79679@beck.quonix.net>
User-Agent: Mutt/1.4.2i
cc: hackers@freebsd.org
Subject: Re: brute3.tar.gz
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Dec 2004 09:14:02 -0000

On Wed, 2004-Dec-15 18:55:20 -0500, John Von Essen wrote:
>Whatever this thing is, its tricky. It only runs a few times a day, so it
>is tough to find the culprit source with ethereal unless I run ethereal
>all day. In packet capture mode.

Depending on how much disk space you have spare on your firewall and
how much ssh traffic you get normally, running "tcpdump -w ... port 22"
for a day or so may be feasible.  You can add the target boxes address
to the filter and you won't get anything except the culprit address.
(Of course, permanently running tcpdump may or may not be practical for
other reasons).

-- 
Peter Jeremy