Bugtraq mailing list archives
Packet filter logging: MAC & TCP flags
From: hektor () RZ RWTH-AACHEN DE (Jens Hektor)
Date: Tue, 15 Feb 2000 10:03:48 +0100
Hi, as a response to Dragos Ruiu's posting the following might be of interest to some of you. In the need for more detailed information recorded by the linux kernel v2.2 packet filtering facility I developed a patch that shows MAC adress and TCP flags for every packet that is marked for logging in the chain-rules. Maybe this is a more convenient solution for those who use linux boxes as packet filters. This patch is essentially a backport from the linux kernel v2.3 ipfilter package. It has been sent to R.Russel for approval and maybe it finds the way into stock 2.2. Bye, Jens Hektor -------------- cut here ----------------- *** linux-2.2.14/net/ipv4/ip_fw.c.orig Wed Feb 2 08:05:48 2000 --- linux-2.2.14/net/ipv4/ip_fw.c Wed Feb 2 08:29:09 2000 *************** *** 411,417 **** __u16 src_port, __u16 dst_port, unsigned int count, ! int syn) { __u32 *opt = (__u32 *) (ip + 1); int opti; --- 411,418 ---- __u16 src_port, __u16 dst_port, unsigned int count, ! int syn, ! unsigned char *machdr) { __u32 *opt = (__u32 *) (ip + 1); int opti; *************** *** 443,449 **** for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4); opti++) printk(" O=0x%8.8X", *opt++); ! printk(" %s(#%d)\n", syn ? "SYN " : /* "PENANCE" */ "", count); } /* function for checking chain labels for user space. */ --- 444,476 ---- for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4); opti++) printk(" O=0x%8.8X", *opt++); ! printk(" %s(#%d)", syn ? "SYN " : /* "PENANCE" */ "", count); ! ! /* This code added to get a more detailed information about ! * portscanners */ ! if (ip->protocol == IPPROTO_TCP ! && !(ip->frag_off & __constant_htons(IP_OFFSET))) { ! struct tcphdr *tcp = (struct tcphdr *)((__u32 *)ip + ip->ihl); ! printk(" FLAGS:%c%c%c%c%c%c", ! tcp->urg ? 'U' : '-', ! tcp->ack ? 'A' : '-', ! tcp->psh ? 'P' : '-', ! tcp->rst ? 'R' : '-', ! tcp->syn ? 'S' : '-', ! tcp->fin ? 'F' : '-'); ! } ! ! if (machdr) { ! /* We don't need to be efficient. */ ! struct device *dev = dev_get(ifname); ! ! if (dev) { ! unsigned int i; ! for (i = 0; i < dev->hard_header_len; i++) ! printk("%c%02x", i ? ':' : ' ', machdr[i]); ! } ! } ! printk("\n"); } /* function for checking chain labels for user space. */ *************** *** 541,552 **** unsigned int slot, __u16 src_port, __u16 dst_port, unsigned int count, ! int tcpsyn) { f->counters[slot].bcnt+=ntohs(ip->tot_len); f->counters[slot].pcnt++; if (f->ipfw.fw_flg & IP_FW_F_PRN) { ! dump_packet(ip,rif,f,label,src_port,dst_port,count,tcpsyn); } ip->tos = (ip->tos & f->ipfw.fw_tosand) ^ f->ipfw.fw_tosxor; --- 568,581 ---- unsigned int slot, __u16 src_port, __u16 dst_port, unsigned int count, ! int tcpsyn, ! int validmac) { f->counters[slot].bcnt+=ntohs(ip->tot_len); f->counters[slot].pcnt++; if (f->ipfw.fw_flg & IP_FW_F_PRN) { ! dump_packet(ip,rif,f,label,src_port,dst_port,count,tcpsyn, ! validmac ? skb->mac.raw : NULL); } ip->tos = (ip->tos & f->ipfw.fw_tosand) ^ f->ipfw.fw_tosxor; *************** *** 599,605 **** struct ip_chain *chain, struct sk_buff *skb, unsigned int slot, ! int testing) { struct tcphdr *tcp=(struct tcphdr *)((__u32 *)ip+ip->ihl); struct udphdr *udp=(struct udphdr *)((__u32 *)ip+ip->ihl); --- 628,635 ---- struct ip_chain *chain, struct sk_buff *skb, unsigned int slot, ! int testing, ! int validmac) { struct tcphdr *tcp=(struct tcphdr *)((__u32 *)ip+ip->ihl); struct udphdr *udp=(struct udphdr *)((__u32 *)ip+ip->ihl); *************** *** 632,638 **** if (offset == 1 && ip->protocol == IPPROTO_TCP) { if (!testing && net_ratelimit()) { printk("Suspect TCP fragment.\n"); ! dump_packet(ip,rif,NULL,NULL,0,0,0,0); } return FW_BLOCK; } --- 662,669 ---- if (offset == 1 && ip->protocol == IPPROTO_TCP) { if (!testing && net_ratelimit()) { printk("Suspect TCP fragment.\n"); ! dump_packet(ip,rif,NULL,NULL,0,0,0,0, ! validmac ? skb->mac.raw : NULL); } return FW_BLOCK; } *************** *** 667,673 **** if (offset && (ntohs(ip->frag_off) & IP_MF)) { if (!testing && net_ratelimit()) { printk("Suspect short first fragment.\n"); ! dump_packet(ip,rif,NULL,NULL,0,0,0,0); } return FW_BLOCK; } --- 698,705 ---- if (offset && (ntohs(ip->frag_off) & IP_MF)) { if (!testing && net_ratelimit()) { printk("Suspect short first fragment.\n"); ! dump_packet(ip,rif,NULL,NULL,0,0,0,0, ! validmac ? skb->mac.raw : NULL); } return FW_BLOCK; } *************** *** 745,751 **** && !ip_fw_domatch(f, ip, rif, chain->label, skb, slot, src_port, dst_port, ! count, tcpsyn)) { ret = FW_BLOCK; goto out; } --- 777,784 ---- && !ip_fw_domatch(f, ip, rif, chain->label, skb, slot, src_port, dst_port, ! count, tcpsyn, ! validmac)) { ret = FW_BLOCK; goto out; } *************** *** 1357,1363 **** else { ret = ip_fw_check(ip, new->fwt_packet.fwp_vianame, NULL, chain, ! NULL, SLOT_NUMBER(), 1); switch (ret) { case FW_ACCEPT: ret = 0; break; --- 1390,1396 ---- else { ret = ip_fw_check(ip, new->fwt_packet.fwp_vianame, NULL, chain, ! NULL, SLOT_NUMBER(), 1, 0); switch (ret) { case FW_ACCEPT: ret = 0; break; *************** *** 1698,1704 **** void *phdr, void *arg, struct sk_buff **pskb) { return ip_fw_check(phdr, dev->name, ! arg, IP_FW_INPUT_CHAIN, *pskb, SLOT_NUMBER(), 0); } int ipfw_output_check(struct firewall_ops *this, int pf, struct device *dev, --- 1731,1738 ---- void *phdr, void *arg, struct sk_buff **pskb) { return ip_fw_check(phdr, dev->name, ! arg, IP_FW_INPUT_CHAIN, *pskb, SLOT_NUMBER(), 0, ! 1); } int ipfw_output_check(struct firewall_ops *this, int pf, struct device *dev, *************** *** 1709,1722 **** || (*pskb)->len < sizeof(struct iphdr)) return FW_ACCEPT; return ip_fw_check(phdr, dev->name, ! arg, IP_FW_OUTPUT_CHAIN, *pskb, SLOT_NUMBER(), 0); } int ipfw_forward_check(struct firewall_ops *this, int pf, struct device *dev, void *phdr, void *arg, struct sk_buff **pskb) { return ip_fw_check(phdr, dev->name, ! arg, IP_FW_FORWARD_CHAIN, *pskb, SLOT_NUMBER(), 0); } struct firewall_ops ipfw_ops= --- 1743,1758 ---- || (*pskb)->len < sizeof(struct iphdr)) return FW_ACCEPT; return ip_fw_check(phdr, dev->name, ! arg, IP_FW_OUTPUT_CHAIN, *pskb, SLOT_NUMBER(), 0, ! 0); } int ipfw_forward_check(struct firewall_ops *this, int pf, struct device *dev, void *phdr, void *arg, struct sk_buff **pskb) { return ip_fw_check(phdr, dev->name, ! arg, IP_FW_FORWARD_CHAIN, *pskb, SLOT_NUMBER(), 0, ! 0); } struct firewall_ops ipfw_ops= -------------- cut here ----------------- -- Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen Computing Center Technical University Aachen, firewalls/network security mailto:hektor () RZ RWTH-Aachen DE, Tel.: nur TH 31376, Raum: 2.35 Private: Rochusstr. 26, D52062 Aachen, Fon: +49 241 29888, Fax: % 29889
Current thread:
- Re: perl-cgi hole in UltimateBB by Infopop Corp., (continued)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Bennett Todd (Feb 18)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Dennis Taylor (Feb 18)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Kevin Hillabolt (Feb 14)
- AIX SNMP Defaults harikiri (Feb 15)
- Re: AIX SNMP Defaults Michal Zalewski (Feb 17)
- Re: AIX SNMP Defaults Troy Bollinger (Feb 21)
- riched32.dll buffer overflow Pauli Ojanpera (Feb 21)
- Re: AIX SNMP Defaults Troy Bollinger (Feb 17)
- Security Bulletins Digest Aleph One (Feb 17)
- AIX SNMP Defaults harikiri (Feb 15)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Jordan Ritter (Feb 15)
- Packet filter logging: MAC & TCP flags Jens Hektor (Feb 15)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Irwin Lazar (Feb 17)
- Re: perl-cgi hole in UltimateBB by Infopop Corp. Randal L. Schwartz (Feb 17)