From owner-freebsd-security@FreeBSD.ORG Wed Mar 3 07:21:07 2004
Date: Wed, 3 Mar 2004 18:23:01 +0300
From: Andrew Riabtsev
To: FreeBSD Security List
Subject: Re: How to monitoring activity on a card?
Message-ID: <17922425976.20040303182301@b-o.ru>
In-Reply-To: <20040303094647.J93367@zoraida.natserv.net>
References: <20040303094647.J93367@zoraida.natserv.net>
X-Mailer: The Bat! (v1.62i) Business

Hi Francisco,

Wednesday, March 3, 2004, 12:51:15 PM, you wrote:

FR> My setup is 4.9-STABLE with IPFW. The machine acts as a gateway for two machines.
FR> What are my options for monitoring activity on my external card?
FR> This morning I noticed my DSL modem activity light is blinking non-stop.
FR> Looking at /var/log/ I don't see anything suspicious.
FR> I feel tempted to add "log" to all my ipfw pass rules, but wonder if there
FR> isn't a better way.
FR> I am mostly concerned that there is either some kind of attack going on or
FR> somehow the machine was hacked and it's running something it's not
FR> supposed to.

You may also try sniffit; it shows the current TCP/UDP streams in curses windows.
It makes it easy to understand where to start searching.

--
Best regards,
Andrew                            mailto:resident@b-o.ru
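One way to answer the question in this thread (which traffic is keeping the link busy, without adding "log" to every ipfw pass rule) is to compare two snapshots of ipfw's per-rule packet and byte counters. The script below is an added example and is not code from either poster; it assumes the `ipfw -a list` output format (rule number, packet count, byte count, then the rule text), that the external interface is tun0, and uses constructed snapshots in place of two real captures taken a few seconds apart.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# ipfw keeps a packet and byte counter per rule; `ipfw -a list` prints
# them as: <rule> <packets> <bytes> <rule text>.  Diffing two snapshots
# taken a few seconds apart shows which pass rule is carrying the traffic
# without turning on "log" for every rule.  Real use would be:
#   ipfw -a list > /tmp/snap1; sleep 10; ipfw -a list > /tmp/snap2
#   counter_delta /tmp/snap1 /tmp/snap2
# Assumptions: external interface tun0; the rule set below is illustrative.

# Constructed snapshots standing in for two real `ipfw -a list` captures.
SNAP_BEFORE='00100     12     1234 allow ip from any to any via lo0
00200      0        0 deny ip from any to 127.0.0.0/8
00300 483211 612337890 allow tcp from any to any out via tun0
00400  94122  9011234 allow udp from any to any via tun0
65535    718    45000 deny ip from any to any'

SNAP_AFTER='00100     12     1234 allow ip from any to any via lo0
00200      0        0 deny ip from any to 127.0.0.0/8
00300 520000 662337890 allow tcp from any to any out via tun0
00400  94200  9021234 allow udp from any to any via tun0
65535    730    46000 deny ip from any to any'

# counter_delta BEFORE_FILE AFTER_FILE
# Prints "<rule> <bytes since BEFORE> <rule text>" for every rule whose byte
# counter grew, busiest rule first.  A rule missing from the first snapshot
# (added in between) is reported with its full count.
counter_delta() {
    awk '
        NR == FNR { before[$1] = $3; next }      # first file: remember bytes
        {
            d = $3 - before[$1]                  # missing entry counts as 0
            if (d > 0) {
                text = ""
                for (i = 4; i <= NF; i++) text = text " " $i
                printf "%s %d%s\n", $1, d, text
            }
        }' "$1" "$2" | sort -k2 -rn
}

# busiest_rule BEFORE_FILE AFTER_FILE -> number of the rule with the largest byte delta
busiest_rule() {
    counter_delta "$1" "$2" | head -n 1 | awk '{ print $1 }'
}

# Demo on the constructed snapshots: writes them to temp files and diffs them.
demo() {
    t1=$(mktemp) ; t2=$(mktemp)
    printf '%s\n' "$SNAP_BEFORE" > "$t1"
    printf '%s\n' "$SNAP_AFTER"  > "$t2"
    counter_delta "$t1" "$t2"
    rm -f "$t1" "$t2"
}
demo
```

On the constructed data the busiest rule is 00300 (the TCP pass rule out via tun0, about 50 MB in the interval), which is the one rule worth adding "log" to, or narrowing with tcpdump on tun0, rather than logging every pass rule. Counters can also be reset between runs with `ipfw zero` instead of diffing.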