Hi,

The other day I managed to p*ss off some Romanian dudes on IRC (it's
easy -- just kick them out of the channel for not behaving) and got
attacked over the 'net.  The Packet logger I was running --
{tcp,udp,icmp}logd -- wasn't able to keep up with the traffic
generating so many DNS lookups and sort of collapsed.  I had to
iptable out the packet sources and kill the loggers manually before
the system became usable again.

That started me off on a search for a decent logger which would
automatically detect floods and not use up all available bandwidth in
trying to reverse resolve hosts in that situation.  After much
searching I came across a program called iplog and tried it out.

After using it for some 3-4 days I feel that iplog is a godsend for
anyone who's interested in knowing what's happening on her system
connected to the 'net.  Features (from the README) include:

<quote>
iplog is a TCP/IP traffic logger.  Currently, it is capable of logging
TCP, UDP and ICMP traffic.  Adding support for other protocols should
be relatively easy.

iplog's capabilities include the ability to detect TCP port scans, TCP
null scans, FIN scans, UDP and ICMP "smurf" attacks, bogus TCP flags
(used by scanners to detect the operating system in use), TCP SYN
scans, TCP "Xmas" scans, ICMP ping floods, UDP scans, and IP fragment
attacks.

iplog is able to run in promiscuous mode and monitor traffic to all
hosts on a network.

iplog uses libpcap to read data from the network and can be ported to
any system that supports pthreads and on which libpcap will function.

</quote>

In addition to the all-important scan and flood detection, Iplog has
the facility of ignoring traffic of specific types and to/from
specific ports (e.g. don't log DNS lookups and results).  Iplog will
also stop reverse resolving when a flood is detected, so your
bandwidth remains uncluttered (at least by the DNS traffic).
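To make the behaviour described above concrete, here is a small added example (not iplog's code and not part of the original post) of a logger that mirrors two of the features just mentioned: it skips traffic on ignored ports, and once a source exceeds a per-window packet threshold it marks that source as flooding and stops doing reverse DNS for it, so the logger itself never becomes the bandwidth hog.  The flag-based scan names follow the README's list; the thresholds, names and the injectable resolver are assumptions for the demo.

```python
import socket
from collections import deque

# Demo constants (assumed, not iplog's defaults).
FLOOD_THRESHOLD = 5   # packets from one source within WINDOW seconds
WINDOW = 1.0
IGNORE_PORTS = {53}   # like an iplog "ignore" rule: don't log DNS itself

TCP_FIN, TCP_SYN, TCP_PSH, TCP_URG = 0x01, 0x02, 0x08, 0x20

def classify_tcp(flags):
    """Name the probe type from the TCP flag byte (bogus-flag scans)."""
    if flags == 0:
        return "null scan"
    if flags == TCP_FIN:
        return "FIN scan"
    if flags == TCP_FIN | TCP_PSH | TCP_URG:
        return "Xmas scan"
    if flags == TCP_SYN:
        return "SYN"
    return "tcp"

class FloodAwareLogger:
    def __init__(self, resolver=socket.gethostbyaddr):
        self.resolver = resolver   # injectable so a test can stay offline
        self.recent = {}           # src -> timestamps seen inside WINDOW
        self.flooding = set()      # sources currently treated as flooding
        self.lookups = 0           # how many reverse lookups we issued

    def _hostname(self, src):
        if src in self.flooding:   # flood: log the bare address, no DNS
            return src
        self.lookups += 1
        try:
            return self.resolver(src)[0]
        except OSError:
            return src

    def log(self, ts, proto, src, dport, flags=0):
        """Return a log line for one packet, or None if it is ignored."""
        if dport in IGNORE_PORTS:
            return None
        q = self.recent.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop timestamps outside window
            q.popleft()
        if len(q) > FLOOD_THRESHOLD:
            self.flooding.add(src)
        kind = classify_tcp(flags) if proto == "tcp" else proto
        if src in self.flooding:
            kind += " (flood)"
        return f"{ts:.1f} {kind} from {self._hostname(src)} to port {dport}"
```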

I've got a working iplog.conf file, and would be willing to put up RH
6.2 RPMs with that file if enough people are interested.  If you like
I can put up the source RPM too so you can compile it for other
RPM-based machines, as well as the source.tar.gz for other
architectures.

Regards,

-- Raju
-- 
Raju Mathur          [EMAIL PROTECTED]           http://kandalaya.org/
                     It is the mind that moves

          ================================================
To subscribe, send email to [EMAIL PROTECTED] with subscribe in subject header
To unsubscribe, send email to [EMAIL PROTECTED] with unsubscribe in subject header
Archives are available at http://www.mail-archive.com/ilugd%40wpaa.org
          =================================================
