From owner-freebsd-security Thu Dec 6 10:51:53 2001
Date: Thu, 6 Dec 2001 10:51:46 -0800
From: "Crist J . Clark"
To: Ronan Lucio
Cc: security@FreeBSD.ORG
Subject: Re: Securty logs
Message-ID: <20011206105146.A8975@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <02f601c17dab$85743670$2aa8a8c0@melim.com.br> <20011205135449.E3061@blossom.cjclark.org> <00c001c17e4e$f14cb6d0$2aa8a8c0@melim.com.br>
In-Reply-To: <00c001c17e4e$f14cb6d0$2aa8a8c0@melim.com.br>; from ronan@melim.com.br on Thu, Dec 06, 2001 at 10:10:06AM -0200
X-URL: http://people.freebsd.org/~cjc/

On Thu, Dec 06, 2001 at 10:10:06AM -0200, Ronan Lucio wrote:
> Hi Cris,
>
> > > If I have icmp 8,0 denied for external computers, when
> > > someone pings, it creates an entry in security log file:
> > >
> > > Dec 5 14:01:12 server /kernel: ipfw: 3000 Deny ICMP:8.0 62.211.157.214
> > > 255.255.255.255 in via fxp0
> > >
> > > But if such computer gives a flood attack, I think it will
> > > create the same entry.
> > >
> > > How can I identify if an entry in security log file was created
> > > by simple ping or by a flood attack?
> >
> > By how many of those log entries you get. Each packet will generate a
> > message.
>
> I did a test:
>
> I pinged the machine and typed Ctrl-C.
> The ping returned 9 packets sent/0 packets received.
>
> In the security log of the target machine it shows just one line.

But did it say something like,

  Dec 5 14:01:12 server /kernel: ipfw: 3000 Deny ICMP:8.0 62.211.157.214 255.255.255.255 in via fxp0
  Dec 5 14:01:21 server last message repeated 8 times

Each packet will generate a message, but syslogd(8) may use its
mechanism for suppressing duplicate messages and print a "last message
repeated" line.
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
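Added example (not from this thread or from FreeBSD itself): a small Python script that does the counting Crist describes, expanding syslogd's "last message repeated N times" lines back into per-source packet counts for ipfw Deny entries so that a handful of echo requests can be told from a flood. The log excerpt, the sshd line and the 100-packet threshold are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread: ipfw deny lines plus
# syslogd(8)'s "last message repeated N times" suppression line.
SAMPLE_LOG = """\
Dec 5 14:01:12 server /kernel: ipfw: 3000 Deny ICMP:8.0 62.211.157.214 255.255.255.255 in via fxp0
Dec 5 14:01:21 server last message repeated 8 times
Dec 5 14:03:40 server sshd[412]: Accepted publickey for cjc from 10.0.0.5 port 40122
Dec 5 14:05:02 server /kernel: ipfw: 3000 Deny ICMP:8.0 10.0.0.7 255.255.255.255 in via fxp0
Dec 5 14:05:02 server /kernel: ipfw: 3000 Deny ICMP:8.0 62.211.157.214 255.255.255.255 in via fxp0
Dec 5 14:05:03 server last message repeated 1500 times
"""

IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) (?P<src>\S+) "
    r"(?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def count_ipfw_denies(text):
    """Return {source: packets} for ipfw Deny lines, expanding repeat lines."""
    counts = Counter()
    # "last message repeated N times" refers to whatever line came just before
    # it, so remember the last ipfw Deny source and forget it as soon as an
    # unrelated message intervenes.
    last_src = None
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if m:
            last_src = m.group("src") if m.group("action") == "Deny" else None
            if last_src:
                counts[last_src] += 1
            continue
        r = REPEAT_RE.search(line)
        if r:
            if last_src:
                counts[last_src] += int(r.group("n"))
            continue
        last_src = None
    return dict(counts)


def classify(counts, flood_threshold=100):
    """Label each source: a handful of echo requests is a probe, many is a flood."""
    return {src: ("flood" if n >= flood_threshold else "probe")
            for src, n in counts.items()}
```

On the sample, 62.211.157.214 comes out at 1510 denied packets (a flood) and 10.0.0.7 at a single one (a probe); the repeat line following the sshd message is correctly ignored.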