Date:      Fri, 28 May 1999 03:24:30 -0700
From:      "Jan B. Koum " <jkb@best.com>
To:        ark@eltex.ru
Cc:        dada@sbox.tu-graz.ac.at, security@FreeBSD.ORG
Subject:   Re: TCP connect data logger
Message-ID:  <19990528032430.E15594@best.com>
In-Reply-To: <199905281003.OAA13633@paranoid.eltex.spb.ru>; from ark@eltex.ru on Fri, May 28, 1999 at 02:03:38PM +0400
References:  <19990528025007.C15594@best.com> <199905281003.OAA13633@paranoid.eltex.spb.ru>

	There was a brief talk on security-officer@ of using something
similar to a simple queue which just keeps a counter of how many packets you
see. I am not sure if anything came out of this.

	I can see a problem where you have to ignore ports for logging --
else your events don't match. For example, if I see a scan from:

xxx:random -> yyy:random

	I have to ignore 'random' ports. (Else all events to log look very
different and will only have a counter of one). Back to ground zero. Hmm...

-- Yan

On Fri, May 28, 1999 at 02:03:38PM +0400, ark@eltex.ru wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> nuqneH,
> 
> Yep, something like this one. It does not handle heavy load, though,
> nor does the original log_in_vain. Actually syslogd does not. So I don't see
> any good workarounds, maybe some rate analysers could help..
> 
> "Jan B. Koum " <jkb@best.com> said :
> 
> > On Fri, May 28, 1999 at 01:42:56PM +0400, ark@eltex.ru wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > 
> > > nuqneH,
> > > 
> > > I remember a patch was posted here to log all TCP packets that are not part
> > > of some known sequence. Really simple thing.
> > 
> > 	Are you talking about http://www.best.com/~jkb/tcp_input.diff.txt
> > one? I need to make it better .. I don't think it handles fast scan rate on
> > 100base network well.
> > 
> > -- Yan
> > 
> > > > 	You should also note that net.inet.tcp.log_in_vain will ONLY log
> > > > packets which have SYN bit set. That sucks if you get port scanned by
> > > > something like nmap which can use FIN scan for example. (Or some other
> > > > stealth scanning technique).
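Yan's point above about having to ignore the random ports before events can be counted together, as an added illustration that is not code from the thread: the log lines are constructed in the style of log_in_vain syslog output with documentation-range addresses, and the scan threshold is an arbitrary assumed value.

```python
import re
from collections import Counter

# Constructed sample lines in the style of FreeBSD's net.inet.tcp.log_in_vain
# syslog output. Addresses and ports are made up; one host walks four ports
# from changing source ports, another makes a single connection attempt.
SAMPLE_LOG = """\
kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:1025
kernel: Connection attempt to TCP 192.0.2.10:25 from 198.51.100.7:1026
kernel: Connection attempt to TCP 192.0.2.10:80 from 198.51.100.7:1027
kernel: Connection attempt to TCP 192.0.2.10:110 from 198.51.100.7:1028
kernel: Connection attempt to TCP 192.0.2.10:22 from 203.0.113.5:4431
"""

LINE_RE = re.compile(
    r"Connection attempt to TCP (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)"
)


def parse(text):
    """Yield (src, sport, dst, dport) tuples from log_in_vain style lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def count_events(text, ignore_ports):
    """Count events per key.

    With ignore_ports=False the key is the full 4-tuple, so a scan that walks
    ports (and uses a fresh source port each time) produces many keys that
    each have a counter of one. With ignore_ports=True the key is just
    (src, dst), so the same scan collapses to one event whose counter equals
    the number of probes.
    """
    counts = Counter()
    for src, sport, dst, dport in parse(text):
        key = (src, dst) if ignore_ports else (src, sport, dst, dport)
        counts[key] += 1
    return counts


def suspected_scans(text, threshold):
    """Return (src, dst) pairs whose collapsed counter reaches the threshold
    (the threshold itself is an assumed tuning value, not from the thread)."""
    collapsed = count_events(text, ignore_ports=True)
    return sorted(k for k, n in collapsed.items() if n >= threshold)
```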

