Date: Fri, 28 May 1999 14:03:38 +0400
From: ark@eltex.ru
To: jkb@best.com
Cc: ark@eltex.ru, dada@sbox.tu-graz.ac.at, security@FreeBSD.ORG
Subject: Re: TCP connect data logger
Message-ID: <199905281003.OAA13633@paranoid.eltex.spb.ru>
In-Reply-To: <19990528025007.C15594@best.com> from "Jan B. Koum" <jkb@best.com>
nuqneH,

Yep, something like this one. It does not handle heavy load, though, nor does the original log_in_vain. Actually syslogd does not. So I don't see any good workarounds; maybe some rate analysers could help..

"Jan B. Koum" <jkb@best.com> said:

> On Fri, May 28, 1999 at 01:42:56PM +0400, ark@eltex.ru wrote:
> >
> > nuqneH,
> >
> > I remember a patch was posted here to log all TCP packets that are not part
> > of some known sequence. Really simple thing.
>
> Are you talking about http://www.best.com/~jkb/tcp_input.diff.txt
> one? I need to make it better .. I don't think it handles fast scan rate on
> 100base network well.
>
> -- Yan
>
> > > You should also note that net.inet.tcp.log_in_vain will ONLY log
> > > packets which have SYN bit set. That sucks if you get port scanned by
> > > something like nmap which can use FIN scan for example. (Or some other
> > > stealth scanning technique).

CU in Hell
/Arkan#iD
Do I believe in the Bible? Hell, man, I've seen one!
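As an added illustration, not code from this thread or from the tcp_input.diff patch: a small Python model of the two gaps the thread names. It labels probes by their TCP flag combination (so FIN, NULL, Xmas and ACK probes get named instead of being ignored the way a SYN-only logger ignores them) and passes the resulting log lines through a per-source token bucket so a fast sweep yields a bounded number of lines plus a suppressed count rather than a flooded syslogd. The packet sample, the probe labels and the bucket parameters are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of TCP segments that arrived at ports with no listener:
# (timestamp_s, src_ip, src_port, dst_port, flags). Flag letters: S=SYN,
# A=ACK, F=FIN, P=PSH, U=URG; an empty string means no flags set at all.
SAMPLE = [
    (0.00, "192.0.2.10", 40001, 22, "S"),    # the only one a SYN-only logger sees
    (0.01, "192.0.2.10", 40002, 23, "F"),    # FIN-only probe
    (0.02, "192.0.2.10", 40003, 25, ""),     # NULL probe
    (0.03, "192.0.2.10", 40004, 80, "FPU"),  # Xmas probe
    (0.04, "192.0.2.10", 40005, 110, "A"),   # ACK-only probe
] + [  # a fast FIN sweep of 200 ports, 100 microseconds apart
    (0.05 + i * 0.0001, "192.0.2.10", 41000 + i, 1000 + i, "F") for i in range(200)
]

# Hypothetical labels for the flag combinations discussed in the thread.
PROBE_KINDS = {frozenset("S"): "syn", frozenset("F"): "fin", frozenset(): "null",
               frozenset("FPU"): "xmas", frozenset("A"): "ack"}

def classify(flags):
    """Name the probe by its exact flag set; anything unlisted is 'other'."""
    return PROBE_KINDS.get(frozenset(flags), "other")

class RateLimitedLogger:
    """Per-source token bucket: at most `burst` lines at once, refilled at
    `rate` lines/s. Probes beyond that are counted, not written, so the
    volume of log output no longer scales with the scan rate."""
    def __init__(self, rate=5.0, burst=10):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}                    # last timestamp seen per source
        self.suppressed = defaultdict(int)
        self.lines = []

    def log(self, ts, src, sport, dport, flags):
        elapsed = ts - self.last.get(src, ts)
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        self.last[src] = ts
        if self.tokens[src] < 1:
            self.suppressed[src] += 1
            return
        self.tokens[src] -= 1
        self.lines.append(f"{classify(flags)} probe to TCP port {dport} "
                          f"from {src}:{sport} flags=[{flags or '-'}]")

def run(events, **kw):
    """Feed every event through one logger and return it for inspection."""
    lg = RateLimitedLogger(**kw)
    for ev in events:
        lg.log(*ev)
    return lg
```

With the defaults, the 205-packet sample produces 10 log lines and a suppressed count of 195 for the source, and only one of the 205 probes would have been visible to a SYN-only logger.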