Message-ID: <2ECE9D9EEF1F524185270138AE2326593BF8BB7D@S0MSMAIL112.arc.local>
Date: Thu, 31 Oct 2013 09:36:34 +0000
From: Fiedler Roman <Roman.Fiedler@....ac.at>
To: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Extended martian logging with data dump: patch not working, why?
RFC on idea
Hello List,
I have tried to extend the martian logging functionality in the kernel, but the patch does not work.
Rationale (SKIP IF NOT INTERESTED): martian packets do not enter the iptables stack, hence they cannot be full-packet-capture logged via e.g. ulog. The capture would be interesting to distinguish these 3 cases:
a) normal noise, e.g. VM hosts with virtual local networks that occasionally leak packets without NATing them,
b) an unskilled attacker using a forbidden source IP by chance/accident with not so problematic payloads,
c) a skilled attacker, who is sending crafted payloads and knows which source IP/dest/service/vuln he targets.
Since the source policy check also has security advantages, completely disabling it is out of the question. Otherwise, moving the source route checks would require re-implementing those rules in iptables to get the same effect, a duplication I do want to make.
CONTINUE HERE FOR PROGRAMMING PROBLEM: I added log_martian type 2, where a packet dump should also be produced. Why does setting echo 2 > log_martians not activate my new code? Does
./include/linux/inetdevice.h:#define IN_DEV_LOG_MARTIANS(in_dev) IN_DEV_ORCONF((in_dev), LOG_MARTIANS)
only return 0 or 1?
Any help appreciated, I hope Outlook does not mix up the plaintext too much,
Roman
Attachment: "martian.patch" (application/octet-stream, 3732 bytes)
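The following is an added example, not Roman's patch and not kernel code. It models in user space why a sysctl value of 2 never reaches code that tests for it: in the kernel of this era IN_DEV_ORCONF combines the per-device value with the net.ipv4.conf.all value using logical OR (`||`), so IN_DEV_LOG_MARTIANS evaluates to 0 or 1 regardless of what was written. The block contrasts that with a hypothetical max-of-both variant (IN_DEV_MAXCONF, IN_DEV_LOG_MARTIANS_LEVEL, both assumed names) that preserves the level, and drives a two-level logger with a constructed 20-byte IPv4 header. The struct, the conf_all global and the logger are all assumptions of this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed user-space model (not kernel code) of the two sysctl scopes
 * that IN_DEV_ORCONF consults: net.ipv4.conf.<dev>.log_martians and
 * net.ipv4.conf.all.log_martians. */
struct devconf {
    int log_martians;
};

static struct devconf conf_all;   /* stands in for net.ipv4.conf.all */

/* Same shape as the kernel macro: the per-device value is combined with
 * the "all" value by logical OR, so the expression is always 0 or 1. */
#define IN_DEV_ORCONF(dev, attr)  ((dev)->attr || conf_all.attr)
#define IN_DEV_LOG_MARTIANS(dev)  IN_DEV_ORCONF((dev), log_martians)

/* Hypothetical alternative (assumed name) that keeps the larger of the two
 * values, so a level of 2 survives and can select a richer log format. */
static int conf_max(int a, int b) { return a > b ? a : b; }
#define IN_DEV_MAXCONF(dev, attr)       conf_max((dev)->attr, conf_all.attr)
#define IN_DEV_LOG_MARTIANS_LEVEL(dev)  IN_DEV_MAXCONF((dev), log_martians)

/* Evaluate the OR-style macro for a given pair of sysctl values. */
int level_via_orconf(int dev_val, int all_val)
{
    struct devconf dev = { dev_val };
    conf_all.log_martians = all_val;
    return IN_DEV_LOG_MARTIANS(&dev);
}

/* Evaluate the max-style macro for the same pair of values. */
int level_via_maxconf(int dev_val, int all_val)
{
    struct devconf dev = { dev_val };
    conf_all.log_martians = all_val;
    return IN_DEV_LOG_MARTIANS_LEVEL(&dev);
}

/* Two-level logger: level 1 prints the one-line summary, level 2 also
 * hex-dumps the packet. Returns the number of packet bytes dumped so the
 * caller can tell which branch ran. */
size_t log_martian(int level, const char *ifname,
                   const unsigned char *pkt, size_t len)
{
    if (level <= 0)
        return 0;
    printf("martian source on %s, %zu bytes\n", ifname, len);
    if (level < 2)
        return 0;
    for (size_t i = 0; i < len; i++)
        printf("%02x%c", pkt[i], (i % 16 == 15 || i + 1 == len) ? '\n' : ' ');
    return len;
}

int main(void)
{
    /* Constructed 20-byte IPv4 header with a 10.0.0.1 source; not captured. */
    const unsigned char hdr[20] = {
        0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00,
        0x40, 0x06, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x01,
        0xc0, 0xa8, 0x01, 0x01 };

    /* Equivalent of: echo 2 > /proc/sys/net/ipv4/conf/eth0/log_martians
     * with net.ipv4.conf.all.log_martians left at 0. */
    printf("orconf  -> %d\n", level_via_orconf(2, 0));   /* 1: the 2 is lost */
    printf("maxconf -> %d\n", level_via_maxconf(2, 0));  /* 2 */

    log_martian(level_via_orconf(2, 0), "eth0", hdr, sizeof hdr);   /* summary only */
    log_martian(level_via_maxconf(2, 0), "eth0", hdr, sizeof hdr);  /* summary + dump */
    return 0;
}
```

Any code that checks `IN_DEV_LOG_MARTIANS(in_dev) == 2` behind the OR-style macro is dead; a level-aware check has to read the raw per-device and "all" values (or use a max-style combiner) before choosing the log format.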