 TCPWrappers is a fine, fine program, and is suited for many purposes.
However, a problem with it is that it only gets what inetd chooses to pass its
way. This can be a problem in some cases, as you want to know if you are
being poked.

 TAMU produced some time ago a package of network loggers. The problem is
they only work on Sun workstations, using the NIT or DLPI interfaces (SunOS
and Solaris2 respectively), which limits their use. I decided to write a
program that performs a similar task, but using the excellent libpcap packet
capture library that TCPDUMP uses.

 You have in your possession the result. I made the output format both easy
to read and easy to process, so it can be used very easily by scripts. There
are 5 fields, each of which is separated by the '|' character.

 The first field is the date the connection arrived. The second field is
either the source ip address or the hostname that originated the connection
(depending on whether you used the -r argument or not). The third field is the
source port. The fourth field is either the destination ip address or the
destination hostname (again, depending on whether you used -r or not). The final
field is the destination port number.

 You can easily specify alternate filters, so this program could be easily
used to detect any sort of connection from 'unusual' hostnames. The
filtering syntax is exactly the same as that in the tcpdump package - if you
know how to do filters with tcpdump, you know how to do filters with clog!

 Another possible use is detecting the so-called "stealth scanners". A
stealth scanner works by sending a SYN packet (which is what clog logs); if
something is listening on that port, the server sends a SYN/ACK packet.
If nothing is listening on the port, the server sends a RST/ACK packet.
In the normal course of connection opening, after you get the SYN/ACK
packet, you would return an ACK packet, thus completing the 3 way handshake;
stealth scanners don't do this, they only do 2/3 steps. Once they get a
SYN/ACK or a RST/ACK, they know if something is listening on the port or
not.

 Finally, there is the 'FTP Bounce' attack described by hobbit@avian.org
in his whitepaper on the subject. I have included his whitepaper as
ftp-bounce.txt in this distribution. I suggest you read it - it is most
interesting, and raised some interesting points.

 Installing clog on most platforms is pretty simple, assuming you have the
libpcap library previously installed. The simple makefile should handle most
cases effortlessly. If you are installing on a Solaris box, use make
solaris. If you are installing on a Linux system, use make linux. Anywhere
else, make by itself should work (using the generic rule). No matter what
platform you use, you *NEED* an ANSI compiler; this will not compile under
K&R style compilers. I suggest the GNU CC compiler, since it is readily
available, and really works nicely (well, I use linux - not like I have much
of a choice in the matter :-) ).

 If you do not have libpcap yet, get it. The general release can be found
at ftp://ee.lbl.gov/libpcap.tar.Z. If you have Linux, however, the general
release will not compile. For Linux, there are patched libpcaps in some of
the TCPDUMP source distributions (tcpdump 3.0 and above); just retrieve one
of these. I have not found a 1.3.* patched version of libpcap though; 1.3.x
seems to break the patched libpcap I do have, so if you run a development
kernel, you are out of luck for the time being.

Brian Mitchell <brian@saturn.net>
http://www.saturn.net/~brian
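 As an added example (not part of clog or this distribution), the script below processes the five-field '|'-separated output described above the way a monitoring script would: it parses each record and flags any source that sent SYNs to many distinct destination ports in a short window, which is the trace a half-open scan leaves in clog's log. The sample records and the timestamp layout are constructed assumptions; the README does not fix the date format, and the source/destination fields may equally be hostnames when -r is not used.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of clog output (date|src|sport|dst|dport). The date
# layout is an assumption; the README does not specify clog's timestamp format.
SAMPLE_LOG = """\
1997-03-01 02:14:05|10.0.0.7|1025|192.168.1.2|21
1997-03-01 02:14:05|10.0.0.7|1026|192.168.1.2|23
1997-03-01 02:14:06|10.0.0.7|1027|192.168.1.2|25
1997-03-01 02:14:06|10.0.0.7|1028|192.168.1.2|79
1997-03-01 02:14:07|10.0.0.7|1029|192.168.1.2|80
1997-03-01 02:14:07|10.0.0.7|1030|192.168.1.2|110
1997-03-01 02:30:11|10.0.0.9|2049|192.168.1.2|25
1997-03-01 02:31:40|10.0.0.9|2050|192.168.1.2|25
"""

def parse_clog_line(line):
    """Split one clog record into its five '|'-separated fields."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 5:
        raise ValueError("expected 5 fields, got %d: %r" % (len(fields), line))
    date, src, sport, dst, dport = fields
    return {"time": datetime.strptime(date, "%Y-%m-%d %H:%M:%S"),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def find_scanners(text, min_ports=5, window_seconds=60):
    """Return {src: sorted dports} for every source that sent SYNs to at least
    min_ports distinct destination ports within window_seconds. A half-open
    scan never finishes the handshake, but its opening SYN is what clog logs."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_clog_line(line)
            by_src[rec["src"]].append(rec)
    hits = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["time"])
        for i, first in enumerate(recs):          # slide a window from each SYN
            ports = {r["dport"] for r in recs[i:]
                     if (r["time"] - first["time"]).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print("possible port scan from %s: ports %s" % (src, ports))
```

 Repeated connections from one source to a single port (the 10.0.0.9 records) are not flagged, since the check counts distinct destination ports rather than raw connection volume.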