Date: Mon, 17 Aug 1998 19:10:20 +1000 (EST)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: andrew@squiz.co.nz
Cc: avalon@coombs.anu.edu.au, j@lumiere.net, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw log limits by connection vs. rule
Message-ID: <199808170911.CAA10619@hub.freebsd.org>
In-Reply-To: <Pine.BSF.3.96.980817201412.344A-100000@aniwa.sky> from "Andrew McNaughton" at Aug 17, 98 09:02:23 pm
In some mail from Andrew McNaughton, sie said:
>
> On Mon, 17 Aug 1998, Darren Reed wrote:
>
> > In some mail from Andrew McNaughton, sie said:
> > [...]
> > > I've had this in mind for a while, but not yet had the time to write it.
> > > Has anyone got a script set up to summarise this stuff as it comes in?
> >
> > The most recent versions of IP Filter `compress' log entries for "similar"
> > packets.  That is, if someone sent a flood of 50 ICMP packets (all the
> > same) at you, with no other packets in between, it may become 1 log entry.
>
> It's a good feature.  I had thought that this feature was provided by
> syslogd rather than ipfw?

What I described is in IP Filter, not ipfw nor syslogd (which has its own).

> Etc etc.  Doing it properly would take a bit of work in recognising the
> signatures of various kinds of attacks, and deciding what details need to
> be reported, but it need not all be done at once to be valuable.

IDS type work.

Darren
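The following is an added example, not code from IP Filter, ipfw or this thread. It shows the log "compression" Darren describes, collapsing a run of identical consecutive entries into one entry with a count, so that a flood of identical ICMP packets with nothing in between becomes a single line, while an unrelated packet in the middle of the flood breaks the run into two. It also produces the order-independent per-entry totals that Andrew's summarising script would need. The log lines are constructed for illustration in the spirit of a syslog-prefixed ipfw entry; the prefix regex and the field layout are assumptions, not a specification of either tool's real format.

```python
"""Collapse runs of identical firewall log entries and summarise totals.

Added example; not IP Filter, ipfw or syslogd code.  Sample lines are
constructed and only loosely modelled on a syslog-prefixed ipfw entry.
"""
import re
from collections import Counter

# Constructed sample: syslog timestamp, host, program, then the firewall text.
SAMPLE_LOG = """\
Aug 17 19:05:01 gw /kernel: ipfw: 300 Deny ICMP:8.0 10.1.2.3 192.168.0.10 in via ed0
Aug 17 19:05:01 gw /kernel: ipfw: 300 Deny ICMP:8.0 10.1.2.3 192.168.0.10 in via ed0
Aug 17 19:05:02 gw /kernel: ipfw: 300 Deny ICMP:8.0 10.1.2.3 192.168.0.10 in via ed0
Aug 17 19:05:02 gw /kernel: ipfw: 400 Deny TCP 10.9.9.9:40101 192.168.0.10:23 in via ed0
Aug 17 19:05:03 gw /kernel: ipfw: 300 Deny ICMP:8.0 10.1.2.3 192.168.0.10 in via ed0
Aug 17 19:05:03 gw /kernel: ipfw: 300 Deny ICMP:8.0 10.1.2.3 192.168.0.10 in via ed0
"""

# Assumed prefix layout: "<Mon DD HH:MM:SS> <host> <program>: <body>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+:\s+(?P<body>.*)$"
)


def parse(line):
    """Split one log line into (timestamp, firewall body); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("body")


def compress(lines):
    """Return a list of (body, count, first_ts, last_ts), one per run of
    consecutive identical bodies.  A different entry in between ends the run,
    which is exactly the "no other packets in between" condition."""
    runs = []
    current = None  # [body, count, first_ts, last_ts]
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, body = parsed
        if current is not None and current[0] == body:
            current[1] += 1
            current[3] = ts
        else:
            if current is not None:
                runs.append(tuple(current))
            current = [body, 1, ts, ts]
    if current is not None:
        runs.append(tuple(current))
    return runs


def format_runs(runs):
    """Render runs the way a compressed log would show them."""
    out = []
    for body, count, first, last in runs:
        if count == 1:
            out.append(f"{first} {body}")
        else:
            out.append(f"{first}..{last} {body} (x{count})")
    return out


def totals(lines):
    """Order-independent count per distinct firewall entry, for a periodic summary."""
    counts = Counter()
    for line in lines:
        parsed = parse(line)
        if parsed is not None:
            counts[parsed[1]] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rendered in format_runs(compress(lines)):
        print(rendered)
    print("--- totals ---")
    for body, n in totals(lines).most_common():
        print(f"{n:5d}  {body}")
```

Run it as a script to see the six sample lines reduced to three (a run of three, the single TCP entry, then a run of two), followed by the totals. Because `compress` keys only on the firewall text, two floods that differ only in the syslog timestamp still merge; anything that should break a run (a different rule number, source or port) must appear in the body.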