From owner-freebsd-security Thu Dec  6 04:08:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from salseiros.melim.com.br (salseiros.melim.com.br [200.215.110.23])
	by hub.freebsd.org (Postfix) with ESMTP id 7E54737B417;
	Thu, 6 Dec 2001 04:08:26 -0800 (PST)
Received: from fazendinha (ressacada.melim.com.br [200.215.110.4])
	by salseiros.melim.com.br (Postfix) with SMTP id 0A8F0BAE4;
	Thu, 6 Dec 2001 10:08:19 -0200 (BRST)
Message-ID: <00c001c17e4e$f14cb6d0$2aa8a8c0@melim.com.br>
From: "Ronan Lucio"
To: "Crist J . Clark"
References: <02f601c17dab$85743670$2aa8a8c0@melim.com.br> <20011205135449.E3061@blossom.cjclark.org>
Subject: Re: Securty logs
Date: Thu, 6 Dec 2001 10:10:06 -0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Cris,

> > If I have icmp 8,0 denied for external computers, when
> > someone pings, it creates an entry in the security log file:
> >
> > Dec 5 14:01:12 server /kernel: ipfw: 3000 Deny ICMP:8.0 62.211.157.214
> > 255.255.255.255 in via fxp0
> >
> > But if such a computer carries out a flood attack, I think it will
> > create the same entry.
> >
> > How can I identify if an entry in the security log file was created
> > by a simple ping or by a flood attack?
>
> By how many of those log entries you get. Each packet will generate a
> message.

I did a test: I pinged the machine and typed Ctrl-C. The ping returned
9 packets sent/0 packets received. In the security log of the target
machine it shows just one line.
I have FreeBSD-4.3 set up with the following options:

- Kernel options

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=500
options IPFIREWALL_DEFAULT_TO_ACCEPT

- /etc/rc.conf

firewall_enable="YES"
firewall_logging="YES"

- Ipfw rules

The rules that deny some service are set with the deny log option.

Do I need to configure anything different or some more options?

Thanks
Ronan
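Crist's answer is to go by the number of entries, and the test in the message above shows one logged line for nine pings. Two things affect that count on a FreeBSD 4.x box: syslogd folds consecutive identical messages into a single "last message repeated N times" line, and IPFIREWALL_VERBOSE_LIMIT stops a rule from logging once its limit is reached. The script below is an added example for this thread, not code from the original mail or from FreeBSD. It counts ipfw Deny entries per rule and source address, adds back the repeats that syslogd collapsed, and flags sources above a threshold. The lines in SAMPLE_LOG are constructed for the example (the first copies the entry quoted above, the rest use documentation addresses), and the threshold of 100 is an arbitrary assumption.

```shell
#!/bin/sh
# Added example, not part of the original thread: count ipfw "Deny" log
# entries per (rule, protocol, source address) from /var/log/security,
# honouring syslogd's "last message repeated N times" collapsing.

# Constructed sample of security-log lines (not taken from a real host).
SAMPLE_LOG='Dec  5 14:01:12 server /kernel: ipfw: 3000 Deny ICMP:8.0 62.211.157.214 255.255.255.255 in via fxp0
Dec  5 14:01:20 server last message repeated 8 times
Dec  5 14:02:03 server /kernel: ipfw: 3000 Deny ICMP:8.0 10.0.0.7 255.255.255.255 in via fxp0
Dec  5 14:03:00 server /kernel: ipfw: 3100 Deny TCP 192.0.2.5:4242 203.0.113.9:23 in via fxp0
Dec  5 14:03:01 server /kernel: ipfw: 3100 Deny TCP 192.0.2.5:4243 203.0.113.9:23 in via fxp0
Dec  5 14:05:00 server /kernel: ipfw: 3100 Deny TCP 192.0.2.5:4242 203.0.113.9:23 in via fxp0
Dec  5 14:05:10 server last message repeated 199 times'

# ipfw_deny_counts [logfile...]  (reads stdin when no file is given)
# Prints "COUNT RULE PROTO SRC", highest count first.
ipfw_deny_counts() {
    awk '
    # A kernel ipfw Deny line: field 7 is the rule number, 9 the protocol
    # (ICMP:type.code or TCP/UDP), 10 the source (src or src:port).
    $6 == "ipfw:" && $8 == "Deny" {
        src = $10; sub(/:.*/, "", src)          # strip :port for TCP/UDP
        key = $7 " " $9 " " src
        n[key]++; last = key; next
    }
    # syslogd collapsed N further copies of the immediately preceding line.
    $5 == "last" && $6 == "message" && $7 == "repeated" && last != "" {
        n[last] += $8; next
    }
    { last = "" }                               # any other line breaks the chain
    END { for (k in n) print n[k], k }
    ' "$@" | sort -rn
}

# flag_floods THRESHOLD [logfile...]: only sources at or above THRESHOLD.
flag_floods() {
    thr=$1; shift
    ipfw_deny_counts "$@" | awk -v t="$thr" '$1 >= t'
}

# Stand-alone demo on the constructed sample; on a real host you would
# run: ipfw_deny_counts /var/log/security
printf '%s\n' "$SAMPLE_LOG" | ipfw_deny_counts
echo "--- sources at or above 100 packets ---"
printf '%s\n' "$SAMPLE_LOG" | flag_floods 100
```

On the sample this yields 9 packets for the quoted ICMP source (one logged line plus eight repeats, matching the nine pings in the test above), 1 for the second ICMP source and 202 for the TCP source, which is the only one the flood filter prints. Two caveats for real use: once a rule has logged IPFIREWALL_VERBOSE_LIMIT entries it stops logging until `ipfw resetlog` re-arms it, so the counts are a lower bound during a sustained flood; and a total count does not separate a slow trickle from a burst, so for alerting it is worth bucketing by the timestamp in fields 1 to 3 as well.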