Date:      Sat, 16 Mar 2002 09:57:46 -0500 (EST)
From:      Robert Watson <rwatson@freebsd.org>
To:        Poul-Henning Kamp <phk@freebsd.org>
Cc:        hackers@freebsd.org, security@freebsd.org
Subject:   Re: Userland Hacker Task: divert socket listener...
Message-ID:  <Pine.NEB.3.96L.1020316095654.13304S-100000@fledge.watson.org>
In-Reply-To: <35126.1015973393@critter.freebsd.dk>

Heh. I had something a little like that at one point -- it just acted as a
pass-through, but also logged in the pcap format.  I thought someone had
done modifications to tcpdump to allow it to speak to divert sockets,
don't know that it was ever actually committed.  Might be in the PRs
still.  Was great for testing and understanding firewall rules.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

On Tue, 12 Mar 2002, Poul-Henning Kamp wrote:

> 
> Here is something I miss a lot:
> 
> I would like a small program which can listen to a specified divert(4)
> socket and act on the incoming packets.
> 
> Specifically I want to direct all unwanted traffic from my ipfw rules
> into the divert socket and have the program examine these packets
> and when configured thresholds were exceeded take actions like:
> 
> 	Add a blackhole route for a period of time to the source
> 	IP to prevent any packets getting back to the attacker.
> 
> 	Add a blocking ipfw rule for incoming traffic from the
> 	attacker's IP# for some period of time.
> 
> 	Add a divert ipfw rule for incoming traffic from the
> 	attacker's IP# to capture all the tricks he is trying to
> 	do.
> 
> 	Log the received packets in detail in pcap format files.
> 
> 	Report the packets to Dshield.org
> 
> etc.
> 
> Any takers ?
> 
> -- 
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
> 
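An added sketch of the listener phk describes and the pass-through logger Robert mentions, written for this page and not code from the thread or from FreeBSD. It reads packets from a divert(4) socket (an ipfw rule such as "ipfw add 100 divert 8668 ip from any to any" feeds it), logs each packet in pcap format, counts packets per source address, and on crossing a threshold builds the ipfw deny rule and blackhole route from phk's list. The port, rule number, threshold, window, file name and function names are all made-up defaults; the pcap and counting helpers are plain C so they can be checked on any system, while the socket loop only compiles where IPPROTO_DIVERT exists.

```c
/* divertwatch.c (hypothetical): divert(4) listener with pcap logging and
 * per-source thresholds. Defaults below are invented for the example. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <time.h>

#define MAX_SRC    1024    /* sources tracked at once */
#define THRESHOLD  20      /* packets from one source within WINDOW seconds */
#define WINDOW     60
#define BLOCK_RULE 1000    /* ipfw rule number used for the dynamic deny */

struct src_state { uint32_t addr; time_t first; unsigned count; };

/* pcap 2.4 file header, magic 0xa1b2c3d4 in host order. Link type is
 * DLT_RAW (12): a divert socket hands over raw IP with no link-layer header. */
size_t pcap_file_header(uint8_t *out)
{
    struct { uint32_t magic; uint16_t major, minor; int32_t tz;
             uint32_t sigfigs, snaplen, dlt; } h = { 0xa1b2c3d4, 2, 4, 0, 0, 65535, 12 };
    memcpy(out, &h, sizeof h);
    return sizeof h;                              /* 24 bytes */
}

/* One pcap record: 16-byte record header followed by the packet bytes. */
size_t pcap_record(uint8_t *out, const uint8_t *pkt, size_t len, uint32_t sec, uint32_t usec)
{
    uint32_t rh[4] = { sec, usec, (uint32_t)len, (uint32_t)len };
    memcpy(out, rh, sizeof rh);
    memcpy(out + sizeof rh, pkt, len);
    return sizeof rh + len;
}

/* Source address (network byte order) of an IPv4 packet; 0 if not IPv4/too short. */
uint32_t src_of(const uint8_t *pkt, size_t len)
{
    uint32_t s;
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    memcpy(&s, pkt + 12, 4);
    return s;
}

/* Count one packet from src. Returns 1 exactly when the count reaches THRESHOLD
 * inside the current WINDOW, so the caller acts once per source per window.
 * Free or expired slots are reused; a full table means "log only". */
int note_packet(struct src_state *tbl, size_t n, uint32_t src, time_t now)
{
    struct src_state *e = NULL, *spare = NULL;
    if (src == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].addr == src) { e = &tbl[i]; break; }
        if (!spare && (tbl[i].addr == 0 || now - tbl[i].first > WINDOW)) spare = &tbl[i];
    }
    if (!e) {
        if (!spare) return 0;
        e = spare; e->addr = src; e->first = now; e->count = 0;
    }
    if (now - e->first > WINDOW) { e->first = now; e->count = 0; }
    return ++e->count == THRESHOLD;
}

/* Shell commands for two of the actions in the thread; run as root on the
 * firewall. "ipfw delete 1000" and "route delete -host ..." undo them later. */
int format_block_rule(char *buf, size_t n, uint32_t src)
{
    const uint8_t *b = (const uint8_t *)&src;
    return snprintf(buf, n, "ipfw add %d deny ip from %u.%u.%u.%u to any in",
                    BLOCK_RULE, b[0], b[1], b[2], b[3]);
}
int format_blackhole_route(char *buf, size_t n, uint32_t src)
{
    const uint8_t *b = (const uint8_t *)&src;
    return snprintf(buf, n, "route add -host %u.%u.%u.%u 127.0.0.1 -blackhole",
                    b[0], b[1], b[2], b[3]);
}

#ifdef IPPROTO_DIVERT   /* FreeBSD: the actual divert(4) loop */
int main(int argc, char **argv)
{
    int port = argc > 1 ? atoi(argv[1]) : 8668;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_len = sizeof sin, .sin_family = AF_INET, .sin_port = htons(port) };
    static struct src_state tbl[MAX_SRC];
    static uint8_t pkt[65535], rec[16 + 65535];
    char cmd[128];
    FILE *log = fopen("divert.pcap", "wb");

    if (fd < 0 || !log || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("setup"); return 1; }
    fwrite(rec, 1, pcap_file_header(rec), log);
    for (;;) {
        struct sockaddr_in from; socklen_t flen = sizeof from; struct timeval tv;
        ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&from, &flen);
        if (n < 0) { perror("recvfrom"); return 1; }
        gettimeofday(&tv, NULL);
        fwrite(rec, 1, pcap_record(rec, pkt, (size_t)n, (uint32_t)tv.tv_sec, (uint32_t)tv.tv_usec), log);
        fflush(log);
        if (note_packet(tbl, MAX_SRC, src_of(pkt, (size_t)n), tv.tv_sec)) {
            format_block_rule(cmd, sizeof cmd, src_of(pkt, (size_t)n));      system(cmd);
            format_blackhole_route(cmd, sizeof cmd, src_of(pkt, (size_t)n)); system(cmd);
        }
        /* Packet is consumed (dropped) here. sendto(fd, pkt, n, 0, &from, flen)
         * would re-inject it and turn this into a pass-through logger. */
    }
}
#else
int main(void) { fputs("divert(4) is a FreeBSD facility; nothing to do here\n", stderr); return 1; }
#endif
```

Two things to watch if you build on this: the deny rule and blackhole route are added with system() and never removed, so a real tool needs a timer that issues the matching delete commands, and because the diverted traffic is by definition unwanted the loop drops it rather than re-injecting it; logging first and then deciding per packet keeps the full pcap record phk asked for either way.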

