From owner-freebsd-security Fri May 28 3:25:31 1999
Date: Fri, 28 May 1999 03:24:30 -0700
From: "Jan B. Koum"
To: ark@eltex.ru
Cc: dada@sbox.tu-graz.ac.at, security@FreeBSD.ORG
Subject: Re: TCP connect data logger

There was a brief talk on security-officer@ of using something similar to a
simple queue which just keeps a counter of how many packets you see. I am not
sure if anything came out of this.

I can see a problem where you have to ignore ports for logging -- else your
events don't match. For example, if I see a scan from:

    xxx:random -> yyy:random

I have to ignore 'random' ports. (Else all events to log look very different
and will only have a counter of one.) Back to ground zero. Hmm...

-- Yan

On Fri, May 28, 1999 at 02:03:38PM +0400, ark@eltex.ru wrote:
>
> nuqneH,
>
> Yep, something like this one. It does not handle heavy load, though,
> nor does the original log_in_vain. Actually syslogd does not. So I don't see
> any good workarounds; maybe some rate analysers could help..
>
> "Jan B. Koum" said :
>
> > On Fri, May 28, 1999 at 01:42:56PM +0400, ark@eltex.ru wrote:
> > >
> > > nuqneH,
> > >
> > > I remember a patch was posted here to log all TCP packets that are not part
> > > of some known sequence. Really simple thing.
> >
> > Are you talking about http://www.best.com/~jkb/tcp_input.diff.txt
> > one? I need to make it better .. I don't think it handles fast scan rate on
> > 100base network well.
> >
> > -- Yan
> >
> > > > You should also note that net.inet.tcp.log_in_vain will ONLY log
> > > > packets which have SYN bit set. That sucks if you get port scanned by
> > > > something like nmap which can use FIN scan for example. (Or some other
> > > > stealth scanning technique).
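As an added example, not code from this thread or from FreeBSD: a small Python aggregator over constructed connection-attempt log lines that keys each event on (source host, destination host) and drops the ports, so a port scan collapses into one counter with a distinct-port count and a non-SYN count instead of one unrelated event per port. The log line format, the sample addresses and the function names are assumptions made for this example.

```python
# Added example (not from the thread): aggregate "connection attempt" log lines
# per (source host, destination host), ignoring ephemeral ports, so a scan collapses
# into one counter. Log line format is constructed, not exact log_in_vain output.
import re
from collections import Counter, defaultdict

# Constructed sample: one host probing several ports (SYN and FIN-only), one unrelated attempt.
SAMPLE_LOG = """\
May 28 03:10:01 host kernel: Connection attempt to TCP 10.0.0.5:22 from 192.0.2.7:40001 flags:0x02
May 28 03:10:01 host kernel: Connection attempt to TCP 10.0.0.5:23 from 192.0.2.7:40002 flags:0x01
May 28 03:10:01 host kernel: Connection attempt to TCP 10.0.0.5:25 from 192.0.2.7:40003 flags:0x01
May 28 03:10:02 host kernel: Connection attempt to TCP 10.0.0.5:80 from 192.0.2.7:40004 flags:0x02
May 28 03:10:02 host kernel: Connection attempt to TCP 10.0.0.5:110 from 192.0.2.7:40005 flags:0x01
May 28 03:11:00 host kernel: Connection attempt to TCP 10.0.0.5:22 from 198.51.100.9:51000 flags:0x02
"""

LINE_RE = re.compile(
    r"Connection attempt to TCP (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) flags:0x(?P<flags>[0-9a-f]+)"
)
TH_SYN = 0x02  # SYN bit in the TCP flags byte

def parse(log_text):
    """Yield (src, dst, dport, flags) for each line the regex recognises."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), int(m["flags"], 16)

def aggregate(log_text):
    """Count events per (src, dst); ports are deliberately left out of the key.
    Also track distinct destination ports and probes without SYN (e.g. FIN scans)."""
    counts = Counter()
    ports = defaultdict(set)
    non_syn = Counter()
    for src, dst, dport, flags in parse(log_text):
        key = (src, dst)
        counts[key] += 1
        ports[key].add(dport)
        if not flags & TH_SYN:
            non_syn[key] += 1
    return {k: {"attempts": n, "ports": len(ports[k]), "non_syn": non_syn[k]}
            for k, n in counts.items()}

def scanners(summary, min_ports=3):
    """Return the (src, dst) pairs that touched at least min_ports distinct ports."""
    return sorted(k for k, v in summary.items() if v["ports"] >= min_ports)
```

Keying on the full (src, sport, dst, dport) tuple instead would turn the same six lines into six entries of one event each, which is the counter-of-one problem described above.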