Date:      Fri, 28 May 1999 13:42:56 +0400
From:      ark@eltex.ru
To:        jkb@best.com
Cc:        dada@sbox.tu-graz.ac.at, security@FreeBSD.ORG
Subject:   Re: TCP connect data logger
Message-ID:  <199905280942.NAA13537@paranoid.eltex.spb.ru>
In-Reply-To: <19990528023139.A15594@best.com> from "Jan B. Koum" <jkb@best.com>

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

I remember a patch was posted here to log all TCP packets that are not part
of some known sequence. Really simple thing.

"Jan B. Koum" <jkb@best.com> said:

> On Wed, May 26, 1999 at 02:05:14PM +0200, Martin Kammerhofer <dada@balu.kfunigraz.ac.at> wrote:
> > On Tue, 25 May 1999, Jason Garman wrote:
> > 
> > > Last time I used this option (2.2.8-RELEASE), it only logged the packet
> > > headers to syslog.  Something like this:
> > > 
> > > Connection attempt to UDP x.x.x.x:port from y.y.y.y:port
> > > 
> > > theres also a tunable net.inet.tcp.log_in_vain which does the same thing
> > > for TCP packets.
> > > 
> > 
> > Both udp.log_in_vain and tcp.log_in_vain have *no* rate limiting.
> > Enabling them can generate huge amounts of LOG_INFO messages during
> > port scans.
> > 
> 
> 	You should also note that net.inet.tcp.log_in_vain will ONLY log
> packets which have SYN bit set. That sucks if you get port scanned by
> something like nmap which can use FIN scan for example. (Or some other
> stealth scanning technique).

                                    _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBN05lHaH/mIJW9LeBAQGPRAP/Ro2/SqP5ELJDyGEMREfypU27m6P28iex
6T4axzhfcW4JRm4/9rIyVbBDxFWv5P42sPKWXXHptZZcqdy73zVjLTI1qrJ1vBek
/pu8cNChP1uvx3NT1ydduWImXwqmbHb+bqd9XYgYoXNy32h5oVa9ppKzOkuU9yUO
ZFxxtlamiH4=
=uV6A
-----END PGP SIGNATURE-----


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
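The thread makes three points a practitioner would want to see side by side: the sysctl logs only segments with SYN set, so an nmap FIN scan leaves no trace; it has no rate limiting, so a scan can flood syslog; and an earlier patch instead logged any TCP packet that belonged to no known connection. The following is an added example written for this archive page, not code from the thread or from FreeBSD. It models both policies in user space as a pure classifier over constructed packets, with a per-source token bucket in front of the log. Flag constants follow the TCP header layout; the log line format copies the one quoted in the thread; hosts are TEST-NET addresses, the listening ports, bucket parameters and probe timings are assumptions, and nothing here touches a real socket.

```python
"""Added example, not code from the thread or from FreeBSD: a user-space model
of two policies for logging packets that arrive for ports nothing listens on.

  syn_only    logs only TCP segments with SYN set (the behaviour the thread
              attributes to net.inet.tcp.log_in_vain) plus any UDP datagram
  unexpected  logs every segment that matches neither a listening socket nor
              an existing flow (the "not part of a known sequence" patch the
              author recalls)

Both policies run through a per-source token bucket, which is the rate limit
the thread says the sysctls lack. Hosts, ports and timings are constructed."""

from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits in header order (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Segment:
    proto: str        # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0    # TCP flags; ignored for UDP
    ts: float = 0.0   # constructed arrival time, seconds


class SourceRateLimit:
    """Token bucket per source address: at most `burst` lines at once,
    refilled at `rate` lines per second (assumed parameters)."""

    def __init__(self, rate=1.0, burst=5):
        self.rate, self.burst = rate, burst
        self._state = {}  # src -> (tokens, last_ts)

    def allow(self, src, now):
        tokens, last = self._state.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self._state[src] = (tokens - 1 if ok else tokens, now)
        return ok


class InVainLogger:
    def __init__(self, listening, policy, limiter):
        self.listening = listening          # set of (proto, port)
        self.policy = policy                # "syn_only" or "unexpected"
        self.limiter = limiter
        self.flows = set()                  # known (src, sport, dst, dport)
        self.lines = []                     # emitted log lines
        self.suppressed = defaultdict(int)  # src -> lines dropped by the limiter

    def _has_socket(self, seg):
        if (seg.proto, seg.dport) in self.listening:
            return True
        return seg.proto == "TCP" and (seg.src, seg.sport, seg.dst, seg.dport) in self.flows

    def handle(self, seg):
        """Return True if a log line was emitted for this segment."""
        if self._has_socket(seg):
            return False
        if self.policy == "syn_only" and seg.proto == "TCP" and not seg.flags & SYN:
            return False  # FIN, NULL and Xmas probes pass without a trace
        if not self.limiter.allow(seg.src, seg.ts):
            self.suppressed[seg.src] += 1
            return False
        # Same line shape as the syslog message quoted in the thread.
        self.lines.append(
            f"Connection attempt to {seg.proto} {seg.dst}:{seg.dport} "
            f"from {seg.src}:{seg.sport}")
        return True


def scan(src, dst, flags, ports, t0=0.0, gap=0.001):
    """Constructed nmap-style probe burst: one segment per port, `gap` s apart."""
    return [Segment("TCP", src, 40000 + i, dst, p, flags, t0 + i * gap)
            for i, p in enumerate(ports)]


def demo(policy):
    """Feed a SYN scan, a FIN scan, a UDP probe and legitimate traffic through
    one policy; return what the log would show."""
    host = "192.0.2.10"
    log = InVainLogger({("TCP", 22), ("TCP", 80)}, policy, SourceRateLimit(1.0, 5))
    log.flows.add(("192.0.2.20", 51000, host, 80))
    traffic = [
        Segment("TCP", "192.0.2.20", 51000, host, 80, ACK | PSH, 0.0),  # established flow
        Segment("TCP", "192.0.2.21", 51001, host, 22, SYN, 0.0),        # real ssh client
        Segment("UDP", "192.0.2.22", 51002, host, 53, 0, 0.0),          # no resolver here
    ]
    traffic += scan("198.51.100.66", host, SYN, range(1, 21))           # nmap -sS style
    traffic += scan("198.51.100.77", host, FIN, range(1, 21))           # nmap -sF style
    for seg in traffic:
        log.handle(seg)
    return {
        "logged": len(log.lines),
        "suppressed": sum(log.suppressed.values()),
        "fin_scan_seen": any("198.51.100.77" in line for line in log.lines),
    }


if __name__ == "__main__":
    for policy in ("syn_only", "unexpected"):
        print(policy, demo(policy))
```

Under `syn_only` the FIN scan never reaches the log at all, while under `unexpected` both scans show up; in either case the token bucket holds each scanning host to its burst of five lines and counts the rest, which is the control the thread notes the sysctls lack. The suppressed counter is worth emitting as a periodic summary line so the scan is still visible without the flood.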




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199905280942.NAA13537>