2010/5/30 Tomáš Vlček <tomasvlcek@xxxxxxxxx>:
> Maybe psad (Port Scan Attack Detector) is that what are you looking
> for. Check http://cipherdyne.org/psad/index.html.

I went through the link. It seems to be heavy for my embedded application. My embedded box is a router with two interfaces, wan0 and lan0. I should get information regarding various attacks tried on lan clients. I have some implementation in mind (see below).

1. Is there any tool that fits my requirement, or any tool I could use with a little modification in the code?
2. Is my idea feasible to implement? Is it worth implementing, because it runs as part of the softirq_rx kernel thread? Will it dampen performance?
3. Could I do this as part of the connection tracking module? If so, could you guide a little?

************************************************************************

"Install two hook functions on the NF_IP_FORWARD hook with NF_IP_PRI_FIRST (first_hook_func) and NF_IP_PRI_LAST (last_hook_func) priority. iptables drops all DoS attack / flood packets in the FORWARD chain with NF_IP_PRI_FILTER priority.

A tuple (destip, srcip, protocol, timestamp, in_count, out_count) will be created for each NEW packet in first_hook_func for all packets from wan to lan. There should be a different linked list of tuples for different types of packets (syn attack, icmp flood etc.), and in_count is incremented.

In last_hook_func, I do hashing to find the correct tuple; if found, out_count is incremented. In last_hook_func itself, deletion of old entries (if timestamp < jiffies - delta) needs to be done. And in last_hook_func, the proc entry is updated if in_count - out_count is greater than some particular threshold. That means a lot of packets of the same kind visited first_hook_func but were dropped in the filter table."
************************************************************************

> There is also a great book about this program (and 3 additional
> programs as well) written by the author of these programs. This book
> covers psad (analyser of iptables logs), fwsnort (translator of Snort
> rules into iptables rules), fwknop (single packet authorization) and
> ways to visualize iptables logs. Details can be found at
> http://www.nostarch.com/firewalls_mr.htm.
>
> I hope this helps...
>
> Tomáš Vlček
>
> On Sun, May 30, 2010 at 4:28 PM, ratheesh k <ratheesh.ksz@xxxxxxxxx> wrote:
>>
>> Hi,
>>
>> I have implemented a firewall in my linux machine using
>> iptables. It is able to prevent attacks and LOG just before dropping
>> packets. Since I know a little about iptables, I could go through
>> /var/log/messages and find out information about attacks. Is there
>> any application which will analyze logs and give brief information
>> to the user about the attacks?
>>
>> For example, suppose there was a syn flood attack; the application
>> should analyse /var/log/messages or by some means should know
>> about the attack and let the user know about that. If there is no
>> application, could you give some hints on how to develop an
>> application? Any comment is appreciated.
>>
>> Thanks,
>> Ratheesh
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx
>> More majordomo info at http://vger.kernel.org/majordomo-info.html