On Thu 22/04/2004 at 15:27, unor wrote:
> Will something like:
> $IPTABLES -A INPUT -p tcp --tcp-flags RST -m state
> --state NEW -j LOG
> Log "RST injection" packets potentially exploiting
> that mentioned in US-CERT TA04-111A? If not, any
> ideas?

Nope. First, the rule should be:

$IPTABLES -A INPUT -p tcp --tcp-flags RST RST \
    -m state --state NEW -j LOG

So you won't get this error:

iptables v1.2.9-20040302: --tcp-flags requires two args.
Try `iptables -h' or 'iptables --help' for more information.

;@

To get serious... This rule will show you RSTs that don't have the correct tuple (src IP, src port, dst IP, dst port) for the targeted connection. If the RST has the correct tuple, I don't know how it will get handled by conntrack, since it does not track the TCP window on a stock kernel. Maybe someone could answer here. Will the RST get caught and the conntrack entry dropped? I'm too lazy to check the code ;)

If you patch your kernel with TCP window tracking, out-of-window RSTs should get the INVALID state (I may be wrong), so you can match them and LOG.

BTW, you won't be able to spot successful ones...

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
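The three situations the post above distinguishes (RST with a wrong tuple, RST with the right tuple on a kernel without window tracking, RST with the right tuple on a kernel with window tracking) are easy to get confused about, so here is an added worked model of them. It is example code written for this page, not the list post's and not netfilter's code: the conntrack table keyed on the 4-tuple, the modular in-window test, the decision to treat a tuple-matching RST as ESTABLISHED when window tracking is off, and the addresses, ports and sequence numbers are all assumptions of the model. It reports, for each constructed packet, the state `-m state` would see and whether a `--state NEW` LOG rule or a `--state INVALID` LOG rule would fire.

```python
# Added example (not from the list thread or from netfilter): a simplified
# model of how a connection-tracking firewall classifies an inbound TCP RST
# and which of two iptables LOG rules would match it. Tuple-only matching
# without window tracking and the in-window test are modelling assumptions.
from dataclasses import dataclass, field

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Tuple4:
    """The 4-tuple a conntrack entry is keyed on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Conn:
    """What a window-tracking conntrack remembers for the packet's direction:
    the next sequence number the receiver expects and its advertised window."""
    rcv_nxt: int
    rcv_wnd: int


@dataclass
class TcpPacket:
    tup: Tuple4
    seq: int
    flags: frozenset = field(default_factory=frozenset)


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32."""
    return ((seq - rcv_nxt) % SEQ_MOD) < rcv_wnd


def ct_state(pkt: TcpPacket, table: dict, window_tracking: bool) -> str:
    """Classify a packet the way `-m state` would see it (simplified model).

    NEW         no conntrack entry for the 4-tuple (what the corrected
                `--tcp-flags RST RST -m state --state NEW` rule matches)
    INVALID     entry exists, window tracking is on, seq is out of window
    ESTABLISHED entry exists and the tracker has no reason to reject it
    """
    conn = table.get(pkt.tup)
    if conn is None:
        return "NEW"
    if window_tracking and not seq_in_window(pkt.seq, conn.rcv_nxt, conn.rcv_wnd):
        return "INVALID"
    return "ESTABLISHED"


def log_rule_matches(pkt: TcpPacket, state: str, wanted_states: set) -> bool:
    """Model of `-p tcp --tcp-flags RST RST -m state --state <wanted> -j LOG`:
    the RST bit must be set and the state must be one the rule asks for."""
    return "RST" in pkt.flags and state in wanted_states


def classify_scenarios(window_tracking: bool) -> dict:
    """Run four constructed packets against a one-entry conntrack table and
    return {name: (state, logged by NEW rule, logged by INVALID rule)}."""
    # Constructed long-lived session (documentation addresses, BGP port).
    tracked = Tuple4("198.51.100.7", 179, "203.0.113.9", 40000)
    table = {tracked: Conn(rcv_nxt=1_000_000, rcv_wnd=16_384)}
    rst = frozenset({"RST"})
    scenarios = {
        # wrong tuple (port off by one): no entry, so conntrack says NEW
        "rst_unknown_tuple": TcpPacket(
            Tuple4("198.51.100.7", 179, "203.0.113.9", 40001), 5, rst),
        # right tuple, sequence number far outside the receiver's window
        "rst_out_of_window": TcpPacket(tracked, 3_000_000_000, rst),
        # right tuple, in-window sequence: the receiver would accept it
        "rst_in_window": TcpPacket(tracked, 1_000_100, rst),
        # ordinary data segment without RST: neither LOG rule applies
        "ack_in_window": TcpPacket(tracked, 1_000_100, frozenset({"ACK"})),
    }
    out = {}
    for name, pkt in scenarios.items():
        state = ct_state(pkt, table, window_tracking)
        out[name] = (state,
                     log_rule_matches(pkt, state, {"NEW"}),
                     log_rule_matches(pkt, state, {"INVALID"}))
    return out


if __name__ == "__main__":
    for wt in (False, True):
        print("window tracking", "on:" if wt else "off:")
        for name, (state, new_hit, inv_hit) in classify_scenarios(wt).items():
            print(f"  {name:18s} state={state:12s} "
                  f"NEW-rule={new_hit!s:5s} INVALID-rule={inv_hit}")
```

Reading the output side by side shows the post's three points: the wrong-tuple RST is NEW and gets logged by the corrected rule on either kernel; the out-of-window RST with the right tuple only becomes INVALID (and thus loggable) once the tracker knows the window; and an in-window RST with the right tuple is ESTABLISHED in both cases, which is the "you won't be able to spot successful ones" caveat.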