From: ark@eltex.ru
Organization: "Klingon Imperial Intelligence Service"
Date: Fri, 28 May 1999 13:42:56 +0400
Subject: Re: TCP connect data logger
To: jkb@best.com
Cc: dada@sbox.tu-graz.ac.at, security@FreeBSD.ORG
Message-Id: <199905280942.NAA13537@paranoid.eltex.spb.ru>
In-Reply-To: <19990528023139.A15594@best.com> from "Jan B. Koum"

nuqneH,

I remember a patch was posted here to log all TCP packets that are not part of some known sequence. Really simple thing.

"Jan B. Koum" said:

> On Wed, May 26, 1999 at 02:05:14PM +0200, Martin Kammerhofer wrote:
> > On Tue, 25 May 1999, Jason Garman wrote:
> > >
> > > Last time I used this option (2.2.8-RELEASE), it only logged the packet
> > > headers to syslog. Something like this:
> > >
> > > Connection attempt to UDP x.x.x.x:port from y.y.y.y:port
> > >
> > > There's also a tunable net.inet.tcp.log_in_vain which does the same thing
> > > for TCP packets.
> >
> > Both udp.log_in_vain and tcp.log_in_vain have *no* rate limiting.
> > Enabling them can generate huge amounts of LOG_INFO messages during
> > port scans.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> You should also note that net.inet.tcp.log_in_vain will ONLY log
> packets which have SYN bit set. That sucks if you get port scanned by
> something like nmap which can use FIN scan for example. (Or some other
> stealth scanning technique).

CU in Hell
/Arkan#iD
Do I believe in the Bible? Hell, man, I've seen one!
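An aggregator for the log_in_vain syslog lines quoted in the thread, added here as an example and not code from the list or from FreeBSD: it collapses the unbounded stream of LOG_INFO lines (the rate-limiting gap Martin points out) into one record per source and protocol, counting distinct closed ports touched, so a scan shows up as one summary instead of thousands of lines. The "Connection attempt to ..." format is taken from Jason's quote; the regex, the syslog prefix, the hostname and the addresses in the sample are constructed assumptions, and because tcp.log_in_vain logs only SYN packets the summary can only see what the kernel chose to log.

```python
import re
from collections import defaultdict

# Matches the log_in_vain message quoted in the thread; tolerant of any
# syslog prefix before it and of extra fields after it.
LOG_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

def parse_line(line):
    """Return (proto, src, dst, dport) for a log_in_vain line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m["proto"], m["src"], m["dst"], int(m["dport"])

def summarize(lines, min_ports=5):
    """Aggregate per (src, proto): attempts and distinct destination ports.
    A source touching >= min_ports distinct closed ports is flagged as a
    scan candidate; one record per source however many lines came in."""
    attempts = defaultdict(int)
    ports = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a log_in_vain line
        proto, src, _dst, dport = parsed
        attempts[(src, proto)] += 1
        ports[(src, proto)].add(dport)
    return {
        key: {"attempts": attempts[key], "distinct_ports": len(ports[key]),
              "scan_candidate": len(ports[key]) >= min_ports}
        for key in attempts
    }

# Constructed sample syslog lines (hostname and addresses are made up): one
# source sweeping seven closed ports, one host retrying a single port, one
# UDP probe, and an unrelated sshd line that must be ignored.
SAMPLE = [
    f"May 28 13:40:0{i} gw /kernel: Connection attempt to TCP 192.0.2.10:{p} "
    f"from 198.51.100.7:{4100 + i}"
    for i, p in enumerate((21, 22, 23, 25, 80, 110, 143))
] + [
    "May 28 13:41:10 gw /kernel: Connection attempt to TCP 192.0.2.10:22 from 203.0.113.5:51000",
    "May 28 13:41:12 gw /kernel: Connection attempt to TCP 192.0.2.10:22 from 203.0.113.5:51001",
    "May 28 13:41:15 gw /kernel: Connection attempt to UDP 192.0.2.10:53 from 198.51.100.7:9999",
    "May 28 13:41:20 gw sshd[123]: Accepted publickey for ark from 203.0.113.5",
]
```

Feeding `summarize()` the output of a syslog tail gives one line per source to alert on, rather than one syslog line per probe.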