From owner-freebsd-security Fri May 28 2:32:22 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (Postfix) with ESMTP id 5ED8D15094 for ; Fri, 28 May 1999 02:32:20 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com)
Received: (from jkb@localhost) by shell6.ba.best.com (8.9.3/8.9.2/best.sh) id CAA16448; Fri, 28 May 1999 02:31:39 -0700 (PDT)
Message-ID: <19990528023139.A15594@best.com>
Date: Fri, 28 May 1999 02:31:39 -0700
From: "Jan B. Koum "
To: Martin Kammerhofer , security@FreeBSD.ORG
Subject: Re: TCP connect data logger
References: <19990525012032.A25197@fw.garman.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Martin Kammerhofer on Wed, May 26, 1999 at 02:05:14PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, May 26, 1999 at 02:05:14PM +0200, Martin Kammerhofer wrote:
> On Tue, 25 May 1999, Jason Garman wrote:
>
> > Last time I used this option (2.2.8-RELEASE), it only logged the packet
> > headers to syslog. Something like this:
> >
> > Connection attempt to UDP x.x.x.x:port from y.y.y.y:port
> >
> > There's also a tunable net.inet.tcp.log_in_vain which does the same thing
> > for TCP packets.
>
> Both udp.log_in_vain and tcp.log_in_vain have *no* rate limiting.
> Enabling them can generate huge amounts of LOG_INFO messages during
> port scans.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

You should also note that net.inet.tcp.log_in_vain will ONLY log packets
which have the SYN bit set. That sucks if you get port scanned by something
like nmap which can use FIN scan for example. (Or some other stealth
scanning technique).

-- Yan
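An added example, not part of the thread: a small parser for the log_in_vain syslog format quoted above that does the aggregation the kernel does not, grouping attempts per source and flagging hosts that probe several distinct ports within a short window. The syslog prefix, host names and addresses are constructed; only SYN (or UDP) probes ever appear in this log, so FIN and other non-SYN scans are invisible to it, as Yan points out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the log_in_vain format shown in the thread
# (hypothetical gateway "gw" and RFC 5737 documentation addresses).
SAMPLE_LOG = """\
May 28 02:30:01 gw /kernel: Connection attempt to TCP 192.0.2.10:22 from 198.51.100.7:40001
May 28 02:30:01 gw /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40002
May 28 02:30:02 gw /kernel: Connection attempt to TCP 192.0.2.10:25 from 198.51.100.7:40003
May 28 02:30:02 gw /kernel: Connection attempt to TCP 192.0.2.10:80 from 198.51.100.7:40004
May 28 02:30:03 gw /kernel: Connection attempt to UDP 192.0.2.10:161 from 198.51.100.7:40005
May 28 02:31:40 gw /kernel: Connection attempt to TCP 192.0.2.10:8080 from 203.0.113.5:51000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ "
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)$"
)

def parse(text, year=1999):
    """Yield (timestamp, proto, src, dst, dport) for each log_in_vain line.
    Syslog omits the year, so it is supplied as an assumed parameter."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["proto"], m["src"], m["dst"], int(m["dport"])

def find_scanners(text, window_s=60, min_ports=4):
    """Return {src: distinct_targets} for sources that hit at least min_ports
    distinct (proto, dst, dport) targets within window_s seconds."""
    events = defaultdict(list)
    for ts, proto, src, dst, dport in parse(text):
        events[src].append((ts, (proto, dst, dport)))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i in range(len(evs)):
            seen = {evs[j][1] for j in range(i, len(evs))
                    if (evs[j][0] - evs[i][0]).total_seconds() <= window_s}
            if len(seen) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(seen))
    return hits

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))  # {'198.51.100.7': 5}
```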