ippl Debian package
-------------------
=====================================
= Upstream inactive, package buggy
=====================================
Please note that the ippl package has been unmaintained upstream since
2001, and that there are some rather nasty bugs.
The bugs come from fundamental errors in the design and implementation
of ippl.
An incomplete list of the bugs includes:
- random packets don't get logged sometimes
- stops logging at all after some weeks
- ipv6 never got implemented
- documentation is out of sync
- doesn't handle multiple SIGHUPs in quick succession well,
stops logging
Trying to fix these bugs is not easy. Please do not expect the Debian
maintainer to do this, but patches are appreciated.
Please consider using a fully-grown intrusion detection system (like
snort) instead of ippl.
A possible idea would be re-writing ippl to use iptables' ULOG target
to get hold of the packets, while keeping the log format and the
configuration file format. Example code about how to interface with
the ULOG target is contained in the ulog-acctd package. However,
converting to ULOG means writing a Linux-only program.
-- Gergely Risko, Marc Haber
=====================================
= Upstream Mailing Lists
=====================================
Thanks to VIA - Centrale Réseaux, there are two mailing lists for ippl:
- ippl-announce: News about ippl is posted here.
Archive: http://www.via.ecp.fr/via/ml/ippl-announce/index.html
- ippl: this is the discussion list for development topics. This is the
one you should use to contact upstream.
Archive: http://www.via.ecp.fr/via/ml/ippl/index.html
If you want to subscribe to one of these mailing lists, send an email
to ecartis@via.ecp.fr containing "subscribe list" in the body, where
list is the name of the list you wish to subscribe to.
Upstream's web site points to listar@via.ecp.fr. This is
obsolete information.
=====================================
= Note about the log files:
=====================================
The log files which will be rotated weekly are the log files declared
in /etc/logrotate.d/ippl.
When the package is purged, the directory /var/log/ippl will be
removed. If you have used log files in other directories, they will not
be deleted. This is why I strongly recommend that you put all the log
files in /var/log/ippl.
-- Gergely Risko
=====================================
= Note about the configuration file:
=====================================
The syntax of the rules has changed between version 1.2 and version
1.4. You may have to rewrite some of your rules.
1.4.14-3's new feature: /etc/ippl.conf.d.
(idea from: Marc Haber <mh+debian-bugs@zugschlus.de>)
If your package puts something in the /etc/ippl.conf.d directory, it
will automatically be cat'd to ippl.conf when ippl starts.
If you think that ippl doesn't work the way you configured it in
/etc/ippl.conf, please look at the /etc/ippl.conf.d directory. If it
is not empty, that can be the reason; rm it. :)
If you don't want the crude shell script that does the cat, etc., you
can rm -rf /etc/ippl.conf.d.
* I've also implemented the user-requested
(Matus "fantomas" Uhlar <uhlar@fantomas.sk>)
noportresolve/portresolve feature. It works EXACTLY like noresolve;
passing icmp to it is legal, but not useful.
-- Gergely Risko