From owner-freebsd-hackers Sat Mar 16 6:57:58 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 1648737B404; Sat, 16 Mar 2002 06:57:49 -0800 (PST)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.6/8.11.6) with SMTP id g2GEvlF29690; Sat, 16 Mar 2002 09:57:47 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Sat, 16 Mar 2002 09:57:46 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Poul-Henning Kamp
Cc: hackers@freebsd.org, security@freebsd.org
Subject: Re: Userland Hacker Task: divert socket listener...
In-Reply-To: <35126.1015973393@critter.freebsd.dk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Heh. I had something a little like that at one point -- it just acted as a
pass-through, but also logged in the pcap format. I thought someone had done
modifications to tcpdump to allow it to speak to divert sockets, don't know
that it was ever actually committed. Might be in the PRs still. Was great
for testing and understanding firewall rules.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Tue, 12 Mar 2002, Poul-Henning Kamp wrote:

> Here is something I miss a lot:
>
> I would like a small program which can listen to a specified divert(4)
> socket and act on the incoming packets.
>
> Specifically I want to direct all unwanted traffic from my ipfw rules
> into the divert socket and have the program examine these packets
> and when configured thresholds were exceeded take actions like:
>
> Add a blackhole route for a period of time to the source
> IP to prevent any packets getting back to the attacker.
>
> Add a blocking ipfw rule for incoming traffic from the
> attacker's IP# for some period of time.
>
> Add a divert ipfw rule for incoming traffic from the
> attacker's IP# to capture all the tricks he is trying to do.
>
> Log the received packets in detail in pcap format files.
>
> Report the packets to Dshield.org
>
> etc.
>
> Any takers?
>
> --
> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG | TCP/IP since RFC 956
> FreeBSD committer | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
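The listener Poul-Henning asks for, combined with the pcap-logging pass-through Robert describes, as an added C example that is not code from either of them or from the FreeBSD project. It assumes divert port 8668 and a threshold of 100 packets per 60-second window, writes every diverted packet to a pcap file with the raw-IP link type, re-injects each packet unchanged so ipfw processing continues after the divert rule, and only reports a source that crosses the threshold instead of installing a route or ipfw rule itself. The socket is opened in the classic socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT) form of divert(4) from that era; the fallback definition of IPPROTO_DIVERT exists only so the file compiles on systems without divert sockets.

```c
/* Added example, not from the thread: a divert(4) listener that logs each
 * diverted packet in pcap format, counts packets per source, reports a source
 * once a configured threshold is exceeded, and re-injects the packet unchanged. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258   /* FreeBSD's value; fallback so this compiles elsewhere */
#endif
#define DIVERT_PORT 8668     /* assumed: must match the ipfw "divert 8668" rule */
#define PCAP_DLT_RAW 12      /* divert hands over raw IP packets, no link-layer header */
#define MAX_SOURCES 1024

struct pcap_file_hdr {       /* 24-byte pcap global header, host byte order */
    uint32_t magic; uint16_t version_major, version_minor; int32_t thiszone;
    uint32_t sigfigs, snaplen, linktype;
};
struct pcap_pkt_hdr { uint32_t ts_sec, ts_usec, incl_len, orig_len; }; /* 16 bytes */

/* Write the pcap global header; returns bytes written (24 on success). */
size_t pcap_write_header(FILE *fp, uint32_t snaplen)
{
    struct pcap_file_hdr h = { 0xa1b2c3d4u, 2, 4, 0, 0, snaplen, PCAP_DLT_RAW };
    return fwrite(&h, 1, sizeof h, fp);
}

/* Write one packet record; returns bytes written (16 + len on success). */
size_t pcap_write_packet(FILE *fp, const struct timeval *tv,
                         const unsigned char *pkt, size_t len)
{
    struct pcap_pkt_hdr h = { (uint32_t)tv->tv_sec, (uint32_t)tv->tv_usec,
                              (uint32_t)len, (uint32_t)len };
    size_t n = fwrite(&h, 1, sizeof h, fp);   /* header first, then payload */
    return n + fwrite(pkt, 1, len, fp);
}

/* IPv4 source address (network byte order) of a raw IP packet, or -1 if the
 * buffer is too short or not IPv4. */
int ipv4_src(const unsigned char *pkt, size_t len, uint32_t *src)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    memcpy(src, pkt + 12, 4);
    return 0;
}

struct src_entry { uint32_t addr; time_t window_start; unsigned count; };
struct tracker { struct src_entry e[MAX_SOURCES]; size_t n; unsigned threshold, window_secs; };

/* Count one packet from src; returns 1 once the count inside the current fixed
 * window exceeds the threshold. A full table leaves new sources uncounted
 * (fail open) rather than flagging or dropping anything. */
int tracker_note(struct tracker *t, uint32_t src, time_t now)
{
    struct src_entry *e = NULL;
    for (size_t i = 0; i < t->n; i++)
        if (t->e[i].addr == src) { e = &t->e[i]; break; }
    if (e == NULL) {
        if (t->n == MAX_SOURCES) return 0;
        e = &t->e[t->n++];
        e->addr = src; e->window_start = now; e->count = 0;
    }
    if (now - e->window_start >= (time_t)t->window_secs) {  /* window expired */
        e->window_start = now; e->count = 0;
    }
    e->count++;
    return e->count > t->threshold;
}

int main(void)
{
    static struct tracker t = { .threshold = 100, .window_secs = 60 };  /* assumed */
    static unsigned char buf[65535];
    struct sockaddr_in me = { .sin_family = AF_INET, .sin_port = htons(DIVERT_PORT) };
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);   /* classic divert(4) form */
    FILE *fp = fopen("divert.pcap", "wb");
    if (fd < 0 || fp == NULL || bind(fd, (struct sockaddr *)&me, sizeof me) < 0) {
        perror("setup"); return 1;
    }
    pcap_write_header(fp, sizeof buf);
    for (;;) {
        struct sockaddr_in from; socklen_t fl = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) { perror("recvfrom"); break; }
        struct timeval tv; gettimeofday(&tv, NULL);
        pcap_write_packet(fp, &tv, buf, (size_t)n);
        fflush(fp);
        uint32_t src; char s[INET_ADDRSTRLEN];
        if (ipv4_src(buf, (size_t)n, &src) == 0 && tracker_note(&t, src, tv.tv_sec))
            fprintf(stderr, "%s over threshold; an ipfw deny rule would go here\n",
                    inet_ntop(AF_INET, &src, s, sizeof s));
        /* sendto() with the sockaddr from recvfrom() re-injects the packet so
         * ipfw resumes at the rule after the divert: a pure pass-through. */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fl) < 0)
            perror("sendto");
    }
    fclose(fp); close(fd); return 0;
}
```

Run it as root next to a rule such as ipfw add 1000 divert 8668 ip from any to any placed where the unwanted traffic is classified; the resulting divert.pcap can be read back with tcpdump -r. The action is deliberately left as a log line: a tool that installs blocks from packet counts alone will block whatever source address the packets claim, so the decision to act on a report belongs to the operator or to a policy that checks more than the count.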