From owner-freebsd-security Mon Aug 17 02:05:31 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA09996 for freebsd-security-outgoing; Mon, 17 Aug 1998 02:05:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA09972 for ; Mon, 17 Aug 1998 02:05:22 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id VAA01131; Mon, 17 Aug 1998 21:02:24 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Mon, 17 Aug 1998 21:02:23 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Darren Reed
cc: j@lumiere.net, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw log limits by connection vs. rule
In-Reply-To: <199808170644.SAA04433@dawn.newsroom.co.nz>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 17 Aug 1998, Darren Reed wrote:

> In some mail from Andrew McNaughton, sie said:
> [...]
> > I've had this in mind for a while, but not yet had the time to write it.
> > Has anyone got a script set up to summarise this stuff as it comes in?
>
> The most recent versions of IP Filter `compress' log entries for "similar"
> packets. That is, if someone sent a flood of 50 ICMP packets (all the
> same) at you, with no other packets in between, it may become 1 log entry.

It's a good feature. I had thought that this feature was provided by
syslogd rather than ipfw?

Anyway, what I had in mind was more along the lines of reporting:

  Starting at 12:34 pm NZST, there was a probable port scan from
  aaa.bbb.ccc.com [123.4.56.7] on ports 21,23,25,79-80,8080. There is an
  unsecured wingate running on that machine.

  Starting at 13:45 pm NZST a smurf attack appears to have been launched
  using your network. 1024 packets were received at 1.2.3.255, and the
  return address was 66.1.66.1

  At 14:50 pm NZST, someone connected to the IMAP port from evil.org.mn
  [12.34.56.78], which is not in a C class network your users normally
  connect from. This address has been responsible for suspect activity
  before.

  Starting at 14:20 am NZST there was an FTP session from
  ppp-34.foo.isp.nz [12.12.12.6]. This address is in a C class network
  from which your users regularly connect.

  Etc etc.

Doing it properly would take a bit of work in recognising the signatures
of various kinds of attacks, and deciding what details need to be
reported, but it need not all be done at once to be valuable.

Andrew

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
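A minimal version of the summariser Andrew describes, added here as an example and not code from the thread or from FreeBSD: it parses syslog'd ipfw deny lines, groups them by source address, flags a source that touches several distinct destination ports in a short window as a probable port scan, compresses the port list into the `21,23,25,79-80,8080` form used above, and notes whether the source lies in one of the /24 networks users normally connect from. The log line layout, the `TRUSTED_NETS` list, the thresholds and the sample log are all constructed for this example; the exact wording of ipfw log lines varies between FreeBSD releases, so check the regex against your own syslog output.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog + ipfw line shape (constructed for this example):
#   Aug 17 12:34:10 gw /kernel: ipfw: 200 Deny TCP 123.4.56.7:4021 10.1.1.1:21 in via ed0
LOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+\s+ipfw:\s+'
    r'(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)'
)

# Constructed list of "C class" networks your users normally connect from.
TRUSTED_NETS = [ipaddress.ip_network("12.12.12.0/24")]


def parse_line(line, year=1998):
    """Return a dict for one ipfw log line, or None if the line is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "rule": int(m["rule"]), "action": m["action"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"])}


def compress_ports(ports):
    """Render ports as a sorted list with consecutive runs collapsed: 21,23,79-80."""
    ports = sorted(set(ports))
    out, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(out)


def from_trusted_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def summarize(lines, window_seconds=600, min_ports=4):
    """Group denied packets by source and report a probable port scan when any
    window of window_seconds contains at least min_ports distinct destination ports."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"].lower() == "deny":
            by_src[rec["src"]].append(rec)

    reports = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        span = timedelta(seconds=window_seconds)
        for i, first in enumerate(recs):
            in_window = {r["dport"] for r in recs[i:] if r["ts"] - first["ts"] <= span}
            if len(in_window) >= min_ports:
                reports.append({
                    "kind": "probable port scan",
                    "src": src,
                    "start": first["ts"],
                    "ports": compress_ports(r["dport"] for r in recs),
                    "trusted": from_trusted_net(src),
                })
                break  # one report per source is enough for a summary
    return reports


def render(report):
    origin = ("a C class network from which your users regularly connect"
              if report["trusted"]
              else "not in a C class network your users normally connect from")
    return (f"Starting at {report['start']:%H:%M} there was a {report['kind']} "
            f"from [{report['src']}] on ports {report['ports']}. "
            f"This address is {origin}.")


# Constructed sample log: one scan from an outside host, one normal FTP login.
SAMPLE_LOG = """\
Aug 17 12:34:10 gw /kernel: ipfw: 200 Deny TCP 123.4.56.7:4021 10.1.1.1:21 in via ed0
Aug 17 12:34:11 gw /kernel: ipfw: 200 Deny TCP 123.4.56.7:4022 10.1.1.1:23 in via ed0
Aug 17 12:34:11 gw /kernel: ipfw: 200 Deny TCP 123.4.56.7:4023 10.1.1.1:25 in via ed0
Aug 17 12:34:12 gw /kernel: ipfw: 200 Deny TCP 123.4.56.7:4024 10.1.1.1:79 in via ed0
Aug 17 12:34:12 gw /kernel: ipfw: 200 Deny TCP 123.4.56.7:4025 10.1.1.1:80 in via ed0
Aug 17 12:34:13 gw /kernel: ipfw: 200 Deny TCP 123.4.56.7:4026 10.1.1.1:8080 in via ed0
Aug 17 14:20:05 gw /kernel: ipfw: 200 Deny TCP 12.12.12.6:1050 10.1.1.1:21 in via ed0
Aug 17 14:20:06 gw /kernel: ipfw: 100 Accept TCP 12.12.12.6:1051 10.1.1.1:21 in via ed0
"""

if __name__ == "__main__":
    for rep in summarize(SAMPLE_LOG.splitlines()):
        print(render(rep))
```

The thresholds are deliberately conservative defaults; on a busy gateway the window and port count should be tuned against a day of real logs before the report is trusted, and the trusted-network list is the piece that turns a raw port count into the "users normally connect from" judgement the message asks for.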