From owner-freebsd-security Sun Aug 16 23:45:54 1998
Message-Id: <199808170645.XAA27812@hub.freebsd.org>
From: Darren Reed
Subject: Re: ipfw log limits by connection vs. rule
To: andrew@squiz.co.nz
Cc: j@lumiere.net, freebsd-security@FreeBSD.ORG
Date: Mon, 17 Aug 1998 16:43:51 +1000 (EST)
In-Reply-To: from "Andrew McNaughton" at Aug 11, 98 02:12:47 pm

In some mail from Andrew McNaughton, sie said:

[...]
> I've had this in mind for a while, but not yet had the time to write it.
> Has anyone got a script set up to summarise this stuff as it comes in?

The most recent versions of IP Filter "compress" log entries for "similar"
packets. That is, if someone sent a flood of 50 ICMP packets (all the same)
at you, with no other packets in between, it may become 1 log entry.

The deciding factors are:

- Is this packet the same as the one before (checksum with a private seed
  as the comparison basis)?

- How often the kernel log is "polled" (that is, using the above example,
  if I read the log after the first 10, it would have a count of 10, and
  then again after it was finished, it would have a count of 40, with the
  total being 50 for the two log entries).

Darren
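The coalescing behaviour Darren describes, as an added example that is not IP Filter's own code and not part of the original message: a toy kernel-side packet log that folds consecutive identical packets into one entry with a count, and a poll that drains it and closes the open entry. The "checksum with a private seed" is modelled as a keyed FNV-1a hash; the seed value, the `log_packet`/`poll_log` names and the ICMP byte strings are all assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not IP Filter's code. PRIVATE_SEED is an assumed value:
 * the real point of a private seed is that a sender cannot craft two
 * different packets that the logger will treat as "the same". */
#define LOG_CAPACITY 64
static const uint64_t PRIVATE_SEED = 0x9e3779b97f4a7c15ULL; /* assumed */

struct log_entry {
    uint64_t hash;       /* keyed hash of the packet bytes */
    unsigned count;      /* packets coalesced into this entry */
    size_t   len;        /* bytes of the sample kept */
    uint8_t  sample[64]; /* first bytes of the first packet in the run */
};

struct pkt_log {
    struct log_entry entries[LOG_CAPACITY];
    size_t nentries;
    int    open;         /* 1 while the last entry may still absorb duplicates */
};

/* Keyed FNV-1a stands in for the seeded checksum. */
static uint64_t keyed_hash(const uint8_t *p, size_t len)
{
    uint64_t h = PRIVATE_SEED ^ 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Record one packet. If it hashes the same as the still-open last entry,
 * bump that entry's count instead of appending. Returns 0 on success,
 * -1 when the log is full (the packet is dropped, as a kernel log would). */
int log_packet(struct pkt_log *lg, const uint8_t *pkt, size_t len)
{
    uint64_t h = keyed_hash(pkt, len);
    if (lg->open && lg->nentries > 0 &&
        lg->entries[lg->nentries - 1].hash == h) {
        lg->entries[lg->nentries - 1].count++;
        return 0;
    }
    if (lg->nentries == LOG_CAPACITY)
        return -1;
    struct log_entry *e = &lg->entries[lg->nentries++];
    e->hash = h;
    e->count = 1;
    e->len = len < sizeof e->sample ? len : sizeof e->sample;
    memcpy(e->sample, pkt, e->len);
    lg->open = 1;
    return 0;
}

/* Poll: copy out up to max entries, empty the log and close the open entry,
 * so a run that straddles two polls shows up as two entries whose counts
 * sum to the run length. */
size_t poll_log(struct pkt_log *lg, struct log_entry *out, size_t max)
{
    size_t n = lg->nentries < max ? lg->nentries : max;
    memcpy(out, lg->entries, n * sizeof *out);
    lg->nentries = 0;
    lg->open = 0;
    return n;
}

/* Constructed sample packets (not captures): an ICMP echo request and an
 * ICMP destination-unreachable, header bytes only. */
static const uint8_t icmp_echo[]    = {0x08, 0x00, 0xf7, 0xff, 0x00, 0x01, 0x00, 0x01};
static const uint8_t icmp_unreach[] = {0x03, 0x01, 0xfc, 0xfe, 0x00, 0x00, 0x00, 0x00};

/* The scenario from the message: 50 identical packets, polled after the
 * first 10 and again at the end. Fills counts[0..1], returns entries seen. */
size_t flood_scenario(unsigned counts[2])
{
    struct pkt_log lg = {0};
    struct log_entry out[LOG_CAPACITY];
    size_t seen = 0, n;
    for (int i = 0; i < 10; i++) log_packet(&lg, icmp_echo, sizeof icmp_echo);
    n = poll_log(&lg, out, LOG_CAPACITY);
    counts[0] = out[0].count; seen += n;
    for (int i = 0; i < 40; i++) log_packet(&lg, icmp_echo, sizeof icmp_echo);
    n = poll_log(&lg, out, LOG_CAPACITY);
    counts[1] = out[0].count; seen += n;
    return seen;
}

/* One different packet in the middle breaks the run: A A A B A A A
 * becomes three entries, not one. Returns the entry count after one poll. */
size_t interleaved_scenario(void)
{
    struct pkt_log lg = {0};
    struct log_entry out[LOG_CAPACITY];
    for (int i = 0; i < 3; i++) log_packet(&lg, icmp_echo, sizeof icmp_echo);
    log_packet(&lg, icmp_unreach, sizeof icmp_unreach);
    for (int i = 0; i < 3; i++) log_packet(&lg, icmp_echo, sizeof icmp_echo);
    return poll_log(&lg, out, LOG_CAPACITY);
}

int main(void)
{
    unsigned c[2];
    size_t n = flood_scenario(c);
    printf("flood: %zu entries, counts %u + %u = %u\n", n, c[0], c[1], c[0] + c[1]);
    printf("interleaved: %zu entries\n", interleaved_scenario());
    return 0;
}
```

Two things the example makes visible that the prose only implies: the count a reader sees depends on when the log was drained, so a summariser should add counts across adjacent entries with equal hashes rather than treat each entry as one packet; and any unrelated packet in between (including one the attacker deliberately inserts) defeats the compression, so a flood of alternating packets still costs one entry each.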