Date:      Mon, 17 Aug 1998 21:02:23 +1200 (NZST)
From:      Andrew McNaughton <andrew@squiz.co.nz>
To:        Darren Reed <avalon@coombs.anu.edu.au>
Cc:        j@lumiere.net, freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw log limits by connection vs. rule
Message-ID:  <Pine.BSF.3.96.980817201412.344A-100000@aniwa.sky>
In-Reply-To: <199808170644.SAA04433@dawn.newsroom.co.nz>

On Mon, 17 Aug 1998, Darren Reed wrote:

> In some mail from Andrew McNaughton, sie said:
> [...]
> > I've had this in mind for a while, but not yet had the time to write it.
> > Has anyone got a script set up to summarise this stuff as it comes in?
> 
> The most recent versions of IP Filter `compress' log entries for "similar"
> packets.  That is, if someone sent a flood of 50 ICMP packets (all the
> same) at you, with no other packets in between, it may become 1 log entry.

It's a good feature.  I had thought that this feature was provided by
syslogd rather than ipfw?

Anyway, what I had in mind was more along the lines of reporting:

Starting at 12:34 pm NZST, there was a probable port scan from
aaa.bbb.ccc.com [123.4.56.7] on ports 21,23,25,79-80,8080.  There is an
unsecured wingate running on that machine.

Starting at 13:45 pm NZST a smurf attack appears to have been launched
using your network.  1024 packets were received at 1.2.3.255, and the
return address was 66.1.66.1

At 14:50 pm NZST, someone connected to the IMAP port from evil.org.mn
[12.34.56.78], which is not in a C class network your users normally
connect from.  This address has been responsible for suspect activity
before.

Starting at 14:20 am NZST there was an FTP session from ppp-34.foo.isp.nz
[12.12.12.6].  This address is in a C class network from which your users
regularly connect.


Etc etc.  Doing it properly would take a bit of work in recognising the
signatures of various kinds of attacks, and deciding what details need to
be reported, but it need not all be done at once to be valuable.

Andrew
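
Added example (not part of Andrew's message, and not code from ipfw or IP
Filter): a small summariser of the kind sketched above.  It assumes the
syslog form of ipfw log lines, "Mon DD HH:MM:SS host ipfw: RULE ACTION PROTO
SRC DST in|out via IF" (ICMP lines carry "ICMP:type.code" and no ports); the
sample lines, the KNOWN_NETS set, and the SCAN_PORTS / SMURF_PACKETS
thresholds are constructed values, not captured data.  It covers three of
the signatures in the message: a probable port scan (many distinct
destination ports from one source, collapsed into a "21,23,25,79-80,8080"
port list), a probable smurf (echo requests to a broadcast address, reported
with count and return address), and IMAP/FTP sessions judged against the
class C networks users normally connect from.

```python
"""Summarise ipfw log lines into short report sentences (added example)."""
import re
from collections import defaultdict

# Assumed ipfw syslog line shape (see lead-in); not taken from the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ipfw: (?P<rule>\d+) (?P<action>\w+) "
    r"(?P<proto>[A-Z]+(?::\d+\.\d+)?) (?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)$"
)

KNOWN_NETS = {"12.12.12"}   # constructed: C class nets users regularly connect from
SCAN_PORTS = 5              # distinct destination ports from one source => probable scan
SMURF_PACKETS = 10          # echo requests to one broadcast address => probable smurf


def split_addr(addr):
    """'1.2.3.4:23' -> ('1.2.3.4', 23); an ICMP address '1.2.3.4' -> ('1.2.3.4', None)."""
    host, sep, port = addr.rpartition(":")
    return (host, int(port)) if sep else (addr, None)


def parse_line(line):
    """Return a dict of fields for one ipfw log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_ip"], rec["src_port"] = split_addr(rec["src"])
    rec["dst_ip"], rec["dst_port"] = split_addr(rec["dst"])
    return rec


def port_ranges(ports):
    """Collapse a set of ports into the '21,23,25,79-80,8080' form."""
    out, ports, i = [], sorted(set(ports)), 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(out)


def summarise(lines):
    """Return the report sentences for an iterable of log lines."""
    first_seen = {}                          # src_ip -> timestamp of its first packet
    scan_ports = defaultdict(set)            # src_ip -> destination ports it touched
    smurf = defaultdict(lambda: [0, None])   # broadcast dst -> [packet count, return addr]
    seen_sessions, reports = set(), []
    for rec in filter(None, map(parse_line, lines)):
        src, dst = rec["src_ip"], rec["dst_ip"]
        first_seen.setdefault(src, rec["ts"])
        if rec["proto"].startswith("ICMP:8.") and dst.endswith(".255"):
            smurf[dst][0] += 1
            smurf[dst][1] = src
        elif rec["dst_port"] is not None:
            scan_ports[src].add(rec["dst_port"])
            key = (src, rec["dst_port"])
            if key in seen_sessions:         # one report per source/service, not per packet
                continue
            seen_sessions.add(key)
            net = src.rsplit(".", 1)[0]      # the C class (/24) part of the source address
            if rec["dst_port"] == 143 and net not in KNOWN_NETS:
                reports.append(f"At {rec['ts']}, someone connected to the IMAP port from {src}, "
                               "which is not in a C class network your users normally connect from.")
            elif rec["dst_port"] == 21 and net in KNOWN_NETS:
                reports.append(f"Starting at {rec['ts']} there was an FTP session from {src}. "
                               "This address is in a C class network from which your users regularly connect.")
    for src, ports in scan_ports.items():
        if len(ports) >= SCAN_PORTS:
            reports.append(f"Starting at {first_seen[src]}, there was a probable port scan from "
                           f"{src} on ports {port_ranges(ports)}.")
    for dst, (count, ret) in smurf.items():
        if count >= SMURF_PACKETS:
            reports.append(f"Starting at {first_seen[ret]} a smurf attack appears to have been launched "
                           f"using your network.  {count} packets were received at {dst}, "
                           f"and the return address was {ret}.")
    return reports


# Constructed sample log: a six-port scan, ten echo requests to a broadcast
# address, one IMAP connection from an unknown net, one FTP session from a known net.
SAMPLE_LOG = [
    f"Aug 17 12:34:0{i} gw ipfw: 300 Deny TCP 123.4.56.7:{2041 + i} 10.1.1.2:{p} in via ed0"
    for i, p in enumerate((21, 23, 25, 79, 80, 8080))
] + [
    f"Aug 17 13:45:{i:02d} gw ipfw: 400 Deny ICMP:8.0 66.1.66.1 1.2.3.255 in via ed0"
    for i in range(10)
] + [
    "Aug 17 14:50:00 gw ipfw: 500 Accept TCP 12.34.56.78:3301 10.1.1.5:143 in via ed0",
    "Aug 17 14:20:00 gw ipfw: 500 Accept TCP 12.12.12.6:1027 10.1.1.5:21 in via ed0",
    "Aug 17 14:20:01 gw ipfw: 500 Accept TCP 12.12.12.6:1027 10.1.1.5:21 in via ed0",
]

if __name__ == "__main__":
    for report in summarise(SAMPLE_LOG):
        print(report)
```

Feeding it a real file is `summarise(open("/var/log/security"))`; the scan and
smurf reports are emitted once per batch after all lines are read, so run it
over a bounded window (a log rotation, or the last N minutes) rather than a
growing file.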
