File: README (from Debian package iplogger 1.1-7, suite potato)
IpLogger Package
Mike Edulla
medulla@infosoc.com
============================

These two programs let you log tcp and icmp connections in syslog, along
with the hostname. They are just something I whipped up quickly, and could
be improved a lot - especially the icmp logging program.


tcplog
   This program logs all tcp connections to your host. It also makes an
attempt at detecting the ftpbounce attack described by hobbit at avian.org
(read ftpbounce.txt included in this archive for a description of the
attack). The way we detect it is: if a connect from source port 20 arrives
on a privileged (0-1023) port, we log it as an ftp bounce attack. Connections
from source port 20 to non-privileged ports are not logged at all - we assume
those are ftp transfers, and ignore them. I would like to do the same with DCC
connections, if anyone knows how - email me.

icmplog
   This program logs most icmp packets, or at least the interesting ones (we
don't, for instance, log echo_replies). The ICMP logging could provide a lot
more information than it does, and I might add more information in the
future, but for now, it serves well enough.
   Use the -d option to keep icmplog from logging ICMP_DEST_UNREACH.  It uses
up too much space in the logs. (added as a special request for someone on the
debian team from openprojects.net, I forget who... but oh well) -- Shawn
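The two logging rules described above (tcplog's ftp-bounce check and icmplog's echo-reply / -d filtering), written out as an added example that is not iplogger's own C source. The function and type names (classify_tcp, icmp_should_log, tcp_verdict) and the sample port pairs are assumptions of this example; the ICMP type numbers are the standard RFC 792 values, not something the README defines.

```c
/* Added illustrative code, not part of the iplogger package: applies the
 * tcplog and icmplog rules from the README to a few constructed samples.
 * Names below (tcp_verdict, classify_tcp, icmp_should_log) are assumptions. */
#include <stdio.h>

/* Standard ICMP type numbers from RFC 792. */
#define ICMP_TYPE_ECHO_REPLY   0
#define ICMP_TYPE_DEST_UNREACH 3

#define FTP_DATA_PORT        20    /* source port used by ftp data transfers */
#define MAX_PRIVILEGED_PORT  1023  /* ports 0-1023 are privileged */

enum tcp_verdict {
    TCP_LOG,         /* ordinary connection: log it */
    TCP_LOG_BOUNCE,  /* source port 20 -> privileged port: log as ftp bounce */
    TCP_IGNORE       /* source port 20 -> unprivileged port: assumed ftp transfer */
};

/* tcplog's rule as the README states it: a connect from source port 20 to a
 * privileged (0-1023) port is logged as an ftp bounce attack; a connect from
 * source port 20 to any other port is assumed to be a normal ftp transfer and
 * is not logged; every other connection is logged normally. */
enum tcp_verdict classify_tcp(unsigned src_port, unsigned dst_port)
{
    if (src_port != FTP_DATA_PORT)
        return TCP_LOG;
    if (dst_port <= MAX_PRIVILEGED_PORT)
        return TCP_LOG_BOUNCE;
    return TCP_IGNORE;
}

/* icmplog's rule: echo replies are never logged; destination unreachable is
 * logged unless the -d option (suppress_unreach != 0) is in effect; all other
 * types are logged. Returns 1 to log, 0 to drop. */
int icmp_should_log(int icmp_type, int suppress_unreach)
{
    if (icmp_type == ICMP_TYPE_ECHO_REPLY)
        return 0;
    if (icmp_type == ICMP_TYPE_DEST_UNREACH && suppress_unreach)
        return 0;
    return 1;
}

static const char *verdict_name(enum tcp_verdict v)
{
    switch (v) {
    case TCP_LOG:        return "log";
    case TCP_LOG_BOUNCE: return "LOG AS FTP BOUNCE";
    default:             return "ignore (assumed ftp transfer)";
    }
}

int main(void)
{
    /* Constructed sample connections: {source port, destination port}. */
    struct { unsigned src, dst; } samples[] = {
        { 40000, 22 },  /* ordinary connect to ssh: logged */
        { 20, 25 },     /* source port 20 to a privileged port: bounce */
        { 20, 1023 },   /* highest privileged port: still bounce */
        { 20, 1024 },   /* first unprivileged port: assumed transfer, not logged */
        { 20, 33000 },  /* typical ftp data transfer: not logged */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("tcp %5u -> %5u : %s\n", samples[i].src, samples[i].dst,
               verdict_name(classify_tcp(samples[i].src, samples[i].dst)));

    printf("icmp echo reply logged?            %d\n",
           icmp_should_log(ICMP_TYPE_ECHO_REPLY, 0));
    printf("icmp dest unreach logged (no -d)?  %d\n",
           icmp_should_log(ICMP_TYPE_DEST_UNREACH, 0));
    printf("icmp dest unreach logged (with -d)? %d\n",
           icmp_should_log(ICMP_TYPE_DEST_UNREACH, 1));
    return 0;
}
```

The boundary case worth noticing is port 1023 versus 1024: the README's rule is inclusive of 1023, so a port-20 connect to 1023 is logged as a bounce while one to 1024 is silently dropped as a presumed transfer, which is exactly the blind spot the "could be improved" remark hints at.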