Re: Userland Hacker Task: divert socket listener...

2002-03-16 Thread Robert Watson

Heh. I had something a little like that at one point -- it just acted as a
pass-through, but also logged in the pcap format.  I thought someone had
done modifications to tcpdump to allow it to speak to divert sockets,
don't know that it was ever actually committed.  Might be in the PR's
still.  Was great for testing and understanding firewall rules.

Robert N M Watson FreeBSD Core Team, TrustedBSD Project
[EMAIL PROTECTED]  NAI Labs, Safeport Network Services

On Tue, 12 Mar 2002, Poul-Henning Kamp wrote:

 
 Here is something I miss a lot:
 
 I would like a small program which can listen to a specified divert(4)
 socket and act on the incoming packets.
 
 Specifically I want to direct all unwanted traffic from my ipfw rules
 into the divert socket and have the program examine these packets
 and when configured thresholds were exceeded take actions like:
 
   Add a blackhole route for a period of time to the source
   IP to prevent any packets getting back to the attacker.
 
   Add a blocking ipfw rule for incoming traffic from the
   attacker's IP# for some period of time.
 
   Add a divert ipfw rule for incoming traffic from the
   attacker's IP# to capture all the tricks he is trying to
   do.
 
   Log the received packets in detail in pcap format files.
 
   Report the packets to Dshield.org
 
 etc.
 
 Any takers?
 
 -- 
 Poul-Henning Kamp   | UNIX since Zilog Zeus 3.20
 [EMAIL PROTECTED] | TCP/IP since RFC 956
 FreeBSD committer   | BSD since 4.3-tahoe
 Never attribute to malice what can adequately be explained by incompetence.
 
 To Unsubscribe: send mail to [EMAIL PROTECTED]
 with unsubscribe freebsd-hackers in the body of the message
 


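The listener Poul-Henning asks for above, as an added illustration (this is not code from the thread, from tcpdump, or from the dpcd tarball posted later in it): it binds a divert(4) socket, writes every diverted packet to a pcap(3) file, counts packets per source address and, once a threshold is crossed, builds the ipfw rule that would block that source. The threshold (5), rule number (100), divert port (8668), output file name and the fixed-size hit table are all assumptions; only the socket loop in main() is FreeBSD-specific, the helpers are portable and can be exercised with constructed packets. Because the program never re-injects what it reads, the diverted packets are dropped, which is the "stop packets dead in their tracks" behaviour Alex mentions later in the thread.

```c
/* divert_watch.c: added example, not code from this thread or from dpcd. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258 /* FreeBSD's value; lets the helpers build elsewhere */
#endif
#define THRESHOLD  5       /* assumed: packets from one source before acting */
#define BLOCK_RULE 100     /* assumed: ipfw rule number used for the block */
#define MAX_SRC    1024    /* assumed: size of the per-source hit table */

/* IPv4 source address (host byte order) of a diverted packet; 0 if the
 * buffer is too short or does not start with an IPv4 header. */
int parse_ipv4_src(const unsigned char *pkt, size_t len, uint32_t *src)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return 0;
    uint32_t a;
    memcpy(&a, pkt + 12, sizeof a);
    *src = ntohl(a);
    return 1;
}

/* Per-source counter; returns 1 exactly once per source, on the packet
 * that makes its count reach THRESHOLD. */
static struct { uint32_t addr; unsigned hits; } table[MAX_SRC];
static size_t ntable;

int record_hit(uint32_t src)
{
    for (size_t i = 0; i < ntable; i++)
        if (table[i].addr == src) return ++table[i].hits == THRESHOLD;
    if (ntable < MAX_SRC) { table[ntable].addr = src; table[ntable].hits = 1; ntable++; }
    return THRESHOLD == 1;
}
void reset_hits(void) { ntable = 0; }

/* The ipfw command that would block the source. Hand it to system() or a
 * privileged helper once you trust the rule, and remember to expire it. */
int build_block_cmd(uint32_t src, char *out, size_t outlen)
{
    struct in_addr a = { .s_addr = htonl(src) };
    return snprintf(out, outlen, "ipfw add %d deny ip from %s to any",
                    BLOCK_RULE, inet_ntoa(a));
}

/* Minimal pcap(3) writer: 24-byte global header (link type 12 = raw IP, since
 * divert hands us packets without a link layer), then per packet a 16-byte
 * record header (sec, usec, captured length, original length) and the bytes.
 * Both return the number of bytes written, 0 on failure. */
size_t write_pcap_header(FILE *f)
{
    struct { uint32_t magic; uint16_t major, minor; int32_t thiszone;
             uint32_t sigfigs, snaplen, linktype; } h = { 0xa1b2c3d4, 2, 4, 0, 0, 65535, 12 };
    return fwrite(&h, 1, sizeof h, f);
}

size_t write_pcap_record(FILE *f, const unsigned char *pkt, size_t len,
                         uint32_t sec, uint32_t usec)
{
    uint32_t rec[4] = { sec, usec, (uint32_t)len, (uint32_t)len };
    if (fwrite(rec, 1, sizeof rec, f) != sizeof rec) return 0;
    return sizeof rec + fwrite(pkt, 1, len, f);
}

/* FreeBSD only. Pair with a rule such as "ipfw add 1000 divert 8668 ip from
 * any to any" on the traffic you consider unwanted, then: ./divert_watch 8668 */
int main(int argc, char **argv)
{
    int port = argc > 1 ? atoi(argv[1]) : 8668; /* assumed divert port */
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket"); return 1; }
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("bind"); return 1; }
    FILE *pcap = fopen("unwanted.pcap", "wb"); /* assumed output file */
    if (!pcap || !write_pcap_header(pcap)) { perror("pcap"); return 1; }

    unsigned char buf[65535];
    for (;;) {
        struct sockaddr_in from; socklen_t flen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
        if (n < 0) { perror("recvfrom"); break; }
        struct timeval tv; gettimeofday(&tv, NULL);
        write_pcap_record(pcap, buf, (size_t)n, (uint32_t)tv.tv_sec, (uint32_t)tv.tv_usec);
        uint32_t src; char cmd[128];
        if (parse_ipv4_src(buf, (size_t)n, &src) && record_hit(src)) {
            build_block_cmd(src, cmd, sizeof cmd);
            fprintf(stderr, "threshold reached, would run: %s\n", cmd);
        }
        /* No sendto() back to `from`: whatever is not re-injected is dropped.
         * For a pass-through logger, sendto(fd, buf, n, 0, &from, flen) here. */
    }
    fclose(pcap); close(fd);
    return 0;
}
```

The `from` address that recvfrom() fills in is what makes pass-through possible: writing the packet back to that same address re-injects it at the rule it was diverted from, so the only difference between a logger and a dropper is that one sendto() call.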



Re: Userland Hacker Task: divert socket listener...

2002-03-16 Thread Josef Karthauser

On Sat, Mar 16, 2002 at 09:57:46AM -0500, Robert Watson wrote:
 Heh. I had something a little like that at one point -- it just acted as a
 pass-through, but also logged in the pcap format.  I thought someone had
 done modifications to tcpdump to allow it to speak to divert sockets,
 don't know that it was ever actually committed.  Might be in the PR's
 still.  Was great for testing and understanding firewall rules.

... and essential for debugging ipsec and tunnelled connections properly ;).

Joe





Re: Userland Hacker Task: divert socket listener...

2002-03-16 Thread Dug Song

On Sat, Mar 16, 2002 at 09:57:46AM -0500, Robert Watson wrote:

 Heh. I had something a little like that at one point -- it just
 acted as a pass-through, but also logged in the pcap format.  I
 thought someone had done modifications to tcpdump to allow it to
 speak to divert sockets, don't know that it was ever actually
 committed.  Might be in the PR's still.  Was great for testing and
 understanding firewall rules.

in OpenBSD pf, packets matching a 'log' rule are dup'd to the pflog
dummy device, annotated with an additional header (interface, rule
number, reason, etc.).

you can then use pflogd, tcpdump (either in OpenBSD or from
tcpdump.org), or snort listening on pflog0 to save the packets in pcap
format, print them out, or analyze them for attacks, etc.

-d.

---
http://www.monkey.org/~dugsong/




Re: Userland Hacker Task: divert socket listener...

2002-03-12 Thread dirkx


On Tue, 12 Mar 2002, Poul-Henning Kamp wrote:

 Here is something I miss a lot:

 I would like a small program which can listen to a specified divert(4)
 socket and act on the incoming packets.

 Specifically I want to direct all unwanted traffic from my ipfw rules
 into the divert socket and have the program examine these packets
 and when configured thresholds were exceeded take actions like:

   Add a blackhole route for a period of time to the source
   IP to prevent any packets getting back to the attacker.

   Add a blocking ipfw rule for incoming traffic from the
   attacker's IP# for some period of time.

   Add a divert ipfw rule for incoming traffic from the
   attacker's IP# to capture all the tricks he is trying to
   do.

   Log the received packets in detail in pcap format files.

   Report the packets to Dshield.org

Reroute/rewrite all my outgoing port 25 mail to some
magic smart host over a userland ssh connection.

Dw





Re: Userland Hacker Task: divert socket listener...

2002-03-12 Thread Julian Elischer

nice idea.. procmail for packets.


On Tue, 12 Mar 2002, Poul-Henning Kamp wrote:

 
 Here is something I miss a lot:
 
 I would like a small program which can listen to a specified divert(4)
 socket and act on the incoming packets.





Re: Userland Hacker Task: divert socket listener...

2002-03-12 Thread Alex C. Jokela


what about a program - like snort - but instead of listening on an
interface, it would listen on your divert(4) socket.  a setup like this
could actually help snort (or another program) be more responsive.

i know that i have run into troubles with snort's flex-resp mechanism not
stopping packets.  with the divert(4) socket, i think you would be able
to stop packets dead in their tracks.

  -aj-


  http://www.camulus.org/

On Tue, 12 Mar 2002, Julian Elischer wrote:

 nice idea.. procmail for packets.


 On Tue, 12 Mar 2002, Poul-Henning Kamp wrote:

 
  Here is something I miss a lot:
 
  I would like a small program which can listen to a specified divert(4)
  socket and act on the incoming packets.





Re: Userland Hacker Task: divert socket listener...

2002-03-12 Thread Kris Kennaway

On Tue, Mar 12, 2002 at 11:49:53PM +0100, Poul-Henning Kamp wrote:
 
 Here is something I miss a lot:
 
 I would like a small program which can listen to a specified divert(4)
 socket and act on the incoming packets.

There are a number of ports which may do something similar to what you
require.  I've never used them, though.  One of them is portsentry,
but I think there are others already in the collection.

Kris





Re: Userland Hacker Task: divert socket listener...

2002-03-12 Thread Crist J. Clark

On Tue, Mar 12, 2002 at 11:49:53PM +0100, Poul-Henning Kamp wrote:
 
 Here is something I miss a lot:
 
 I would like a small program which can listen to a specified divert(4)
 socket and act on the incoming packets.
 
 Specifically I want to direct all unwanted traffic from my ipfw rules
 into the divert socket and have the program examine these packets
 and when configured thresholds were exceeded take actions like:
 
   Add a blackhole route for a period of time to the source
   IP to prevent any packets getting back to the attacker.
 
   Add a blocking ipfw rule for incoming traffic from the
   attacker's IP# for some period of time.
 
   Add a divert ipfw rule for incoming traffic from the
   attacker's IP# to capture all the tricks he is trying to
   do.
 
   Log the received packets in detail in pcap format files.
 
   Report the packets to Dshield.org
 
 etc.
 
 Any takers?

I wrote a framework for something like that a few months ago during a
fit of boredom. Meet dpcd, the Divert Packet Capture Daemon. I don't
even remember if I left the code in a working state. I'm sure I had
writing pcap(3) files working at one point.

Tarball of what I got attached.
-- 
Crist J. Clark | [EMAIL PROTECTED]
   | [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/| [EMAIL PROTECTED]



dpcd.tgz
Description: application/tar-gz