Date: Mon, 17 Aug 1998 16:43:51 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: andrew@squiz.co.nz
Cc: j@lumiere.net, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw log limits by connection vs. rule
Message-ID: <199808170645.XAA27812@hub.freebsd.org>
In-Reply-To: <Pine.BSF.3.96.980811140438.338N-100000@aniwa.sky> from "Andrew McNaughton" at Aug 11, 98 02:12:47 pm
In some mail from Andrew McNaughton, sie said:

[...]
> I've had this in mind for a while, but not yet had the time to write it.
> Has anyone got a script set up to summarise this stuff as it comes in?

The most recent versions of IP Filter `compress' log entries for "similar" packets. That is, if someone sent a flood of 50 ICMP packets (all the same) at you, with no other packets in between, it may become 1 log entry. The deciding factors are:

- is this packet the same as the one before (checksum with private seed for comparison basis)?
- how often the kernel log is "polled" (that is, using the above example, if I read the log after the first 10, it would have a count of 10, and then again after it was finished, it would have a count of 40, with the total being 50 for the two log entries).

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
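The run-collapsing and poll-splitting behaviour described above, as an added Python illustration that is not IP Filter's code: identical consecutive packets are folded into one entry with a count, and reading the log flushes the pending entry so a run of 50 polled after 10 yields entries of 10 and 40. The keyed hash standing in for IP Filter's seeded checksum, the `poll_after` index set and the constructed ICMP bytes are all assumptions of this example.

```python
import hashlib
import os
from dataclasses import dataclass

# Private per-process seed: a packet's digest cannot be predicted or made to
# collide by whoever is sending the packets (stands in for IP Filter's
# "checksum with private seed"; the keyed hash is this example's choice).
_SEED = os.urandom(16)

# Constructed sample packets (minimal ICMP headers, not captured traffic).
ICMP_ECHO = bytes.fromhex("0800f7ff00000000")     # type 8 echo request
ICMP_UNREACH = bytes.fromhex("0301fcfe00000000")  # type 3 code 1


def packet_digest(pkt: bytes, seed: bytes = _SEED) -> bytes:
    """Keyed digest used only to decide 'same packet as the one before'."""
    return hashlib.blake2b(pkt, key=seed, digest_size=16).digest()


@dataclass
class LogEntry:
    packet: bytes
    count: int


def compress_log(packets, poll_after=frozenset()):
    """Collapse runs of identical consecutive packets into counted entries.

    poll_after: 0-based indices after which the log is read; a read flushes
    the pending entry, so a single run may split into several entries.
    """
    entries = []
    pending = None  # (digest, LogEntry) not yet handed to the reader
    for i, pkt in enumerate(packets):
        d = packet_digest(pkt)
        if pending is not None and pending[0] == d:
            pending[1].count += 1          # same as previous: just count it
        else:
            if pending is not None:
                entries.append(pending[1])  # different packet: close the run
            pending = (d, LogEntry(pkt, 1))
        if i in poll_after:                 # log was read at this point
            entries.append(pending[1])
            pending = None
    if pending is not None:
        entries.append(pending[1])
    return entries


if __name__ == "__main__":
    for e in compress_log([ICMP_ECHO] * 50, poll_after={9}):
        print(f"count={e.count} packet={e.packet.hex()}")
```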