Date: Fri, 28 May 1999 02:31:39 -0700
From: "Jan B. Koum" <jkb@best.com>
To: Martin Kammerhofer <dada@sbox.tu-graz.ac.at>, security@FreeBSD.ORG
Subject: Re: TCP connect data logger
Message-ID: <19990528023139.A15594@best.com>
In-Reply-To: <Pine.BSF.3.96.990526135851.8495D-100000@localhost.kfunigraz.ac.at>; from Martin Kammerhofer on Wed, May 26, 1999 at 02:05:14PM +0200
References: <19990525012032.A25197@fw.garman.net> <Pine.BSF.3.96.990526135851.8495D-100000@localhost.kfunigraz.ac.at>

On Wed, May 26, 1999 at 02:05:14PM +0200, Martin Kammerhofer <dada@balu.kfunigraz.ac.at> wrote:
> On Tue, 25 May 1999, Jason Garman wrote:
>
> > Last time I used this option (2.2.8-RELEASE), it only logged the packet
> > headers to syslog. Something like this:
> >
> > Connection attempt to UDP x.x.x.x:port from y.y.y.y:port
> >
> > There's also a tunable net.inet.tcp.log_in_vain which does the same thing
> > for TCP packets.
> >
>
> Both udp.log_in_vain and tcp.log_in_vain have *no* rate limiting.
> Enabling them can generate huge amounts of LOG_INFO messages during
> port scans.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

You should also note that net.inet.tcp.log_in_vain will ONLY log
packets which have SYN bit set. That sucks if you get port scanned
by something like nmap which can use FIN scan for example. (Or some
other stealth scanning technique).

-- Yan
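
An added example, not part of the original message or thread: a small Python summarizer for log_in_vain syslog output that counts lines and distinct closed ports per source, so both the unrate-limited log volume and a SYN port scan stand out. The sample log lines, addresses, syslog prefix and the `min_ports` threshold are constructed assumptions; only the "Connection attempt to ... from ..." format comes from the thread, and TCP lines are assumed to mirror the quoted UDP form.

```python
import re
from collections import defaultdict

# Message format as quoted in the thread:
#   Connection attempt to UDP x.x.x.x:port from y.y.y.y:port
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

# Constructed sample syslog lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
May 28 02:30:01 host /kernel: Connection attempt to TCP 192.0.2.10:21 from 198.51.100.7:40001
May 28 02:30:01 host /kernel: Connection attempt to TCP 192.0.2.10:22 from 198.51.100.7:40002
May 28 02:30:01 host /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40003
May 28 02:30:02 host /kernel: Connection attempt to TCP 192.0.2.10:25 from 198.51.100.7:40004
May 28 02:30:02 host /kernel: Connection attempt to TCP 192.0.2.10:80 from 198.51.100.7:40005
May 28 02:31:10 host /kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.5:137
May 28 02:31:40 host /kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.5:137
May 28 02:32:10 host /kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.5:137
May 28 02:33:00 host su: constructed unrelated line that must be ignored
"""


def summarize(lines):
    """Return {src: {"lines": n, "ports": {(proto, dport), ...}}}."""
    stats = defaultdict(lambda: {"lines": 0, "ports": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a log_in_vain message
        entry = stats[m["src"]]
        entry["lines"] += 1  # raw volume: the kernel does no rate limiting
        entry["ports"].add((m["proto"], int(m["dport"])))
    return dict(stats)


def likely_scanners(lines, min_ports=4):
    """Sources that hit at least min_ports distinct closed ports.

    Caveat from the thread: tcp.log_in_vain only logs segments with SYN
    set, so a FIN scan leaves no lines here. An empty result does not
    mean the host was not scanned.
    """
    stats = summarize(lines)
    return sorted(s for s, e in stats.items() if len(e["ports"]) >= min_ports)


if __name__ == "__main__":
    for src, e in summarize(SAMPLE_LOG.splitlines()).items():
        print(src, e["lines"], "lines,", len(e["ports"]), "distinct ports")
    print("likely scanners:", likely_scanners(SAMPLE_LOG.splitlines()))
```
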