From owner-freebsd-security  Thu Dec  6  4: 8:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from salseiros.melim.com.br (salseiros.melim.com.br [200.215.110.23])
	by hub.freebsd.org (Postfix) with ESMTP
	id 7E54737B417; Thu,  6 Dec 2001 04:08:26 -0800 (PST)
Received: from fazendinha (ressacada.melim.com.br [200.215.110.4])
	by salseiros.melim.com.br (Postfix) with SMTP
	id 0A8F0BAE4; Thu,  6 Dec 2001 10:08:19 -0200 (BRST)
Message-ID: <00c001c17e4e$f14cb6d0$2aa8a8c0@melim.com.br>
From: "Ronan Lucio" <ronan@melim.com.br>
To: "Crist J . Clark" <cjc@FreeBSD.ORG>
Cc: <security@FreeBSD.ORG>
References: <02f601c17dab$85743670$2aa8a8c0@melim.com.br> <20011205135449.E3061@blossom.cjclark.org>
Subject: Re: Securty logs
Date: Thu, 6 Dec 2001 10:10:06 -0200
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Hi Cris,

> > If I have icmp 8,0 denied for external computers, when
> > someone pings, it create an entry in security log file:
> >
> > Dec  5 14:01:12 server /kernel: ipfw: 3000 Deny ICMP:8.0 62.211.157.214
> > 255.255.255.255 in via fxp0
> >
> > But if such computer give a flood attack, I think it will
> > create the same entry.
> >
> > How can I identify if an entry in security log file was creted
> > by simple ping or by a flood attack?
>
> By how many of those log entries you get. Each packet will generate a
> message.

I did a test:

I pinged for the machine and typed Ctrl-C.
The pind returned 9 packets sent/0 packets received.

In the security log of the target machine it shows just one line.

I have FreeBSD-4.3 seted the follow options:

- Kernel
   options IPFIREWALL
   options IPFIREWALL_VERBOSE
   options IPFIREWALL_VERBOSE_LIMIT=500
   options IPFIREWALL_DEFAULT_TO_ACCEPT

- /etc/rc.conf
    firewall_enable="YES"
    firewall_logging="YES"

- Ipfw rules
    The rules that deny some service are seted with deny log option.

Do I need to configure anything diferent or some option more?

Thank´s
Ronan


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message