Date:	Thu, 31 Oct 2013 09:36:34 +0000
From:	Fiedler Roman <Roman.Fiedler@....ac.at>
To:	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Extended martian logging with data dump: patch not working, why?
 RFC on idea

Hello List,

I have tried to extend the martian logging functionality in the kernel, but the patch does not work.

Rationale (SKIP IF NOT INTERESTED): martian packets do not enter the iptables stack, hence cannot be full-packet-capture logged via e.g. ulog. The capture would be interesting to distinguish these 3 cases: a) normal noise, e.g. VM-hosts with virtual local networks that occasionally leak packets without natting those, b) unskilled attacker using forbidden source IP by chance/accident with not so problematic payloads, c) skilled attacker, who is sending crafted payloads and knows which source-IP/dest/service/vuln he targets. Since source policy check also has security advantages, complete disabling is out of the question. Otherwise moving source route checks would require re-implementing those rules in iptables to get the same effect, a duplication I do want to make.

CONTINUE HERE FOR PROGRAMMING PROBLEM: I added log_martian type 2, where packet dump should also be produced. Why does setting echo 2 > log_martians not activate my new code? Does

./include/linux/inetdevice.h:#define IN_DEV_LOG_MARTIANS(in_dev)        IN_DEV_ORCONF((in_dev), LOG_MARTIANS)

only return 0 or 1? 

Any help appreciated, I hope Outlook does not mix up the plaintext too much,

Roman


Download attachment "martian.patch" of type "application/octet-stream" (3732 bytes)
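
An added example, not part of the original message or of the attached patch: a user-space model of the question about `IN_DEV_ORCONF`. It assumes the OR-style macro combines the "all" and per-interface settings with a logical `||`; the struct, macro and function names below are hypothetical stand-ins, not kernel identifiers.

```c
#include <stdio.h>

/* Simplified model (assumption, not kernel code): "all" stands for
 * conf/all/log_martians, "dev" for conf/<iface>/log_martians. */
struct devconf_model {
    int all;
    int dev;
};

/* OR-style combination: logical ||, so any non-zero setting becomes 1. */
#define MODEL_ORCONF(c)  ((c)->all || (c)->dev)

/* MAX-style combination: keeps the larger numeric setting. */
#define MODEL_MAXCONF(c) ((c)->all > (c)->dev ? (c)->all : (c)->dev)

/* Hypothetical level check: 1 = log header only, 2 = header plus dump. */
static int dump_enabled_or(const struct devconf_model *c)
{
    return MODEL_ORCONF(c) == 2;   /* never true: the value is 0 or 1 */
}

static int dump_enabled_max(const struct devconf_model *c)
{
    return MODEL_MAXCONF(c) == 2;  /* true when either setting is 2 */
}

int main(void)
{
    /* Constructed sample: the state after "echo 2 > log_martians". */
    struct devconf_model c = { .all = 0, .dev = 2 };

    printf("OR-combined value:  %d, dump enabled: %d\n",
           MODEL_ORCONF(&c), dump_enabled_or(&c));
    printf("MAX-combined value: %d, dump enabled: %d\n",
           MODEL_MAXCONF(&c), dump_enabled_max(&c));
    return 0;
}
```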
