On Tue, Oct 13, 1998 at 08:44:31PM +1000, Robert Elz wrote:
> 
> On the subject, I'm not sure that ascii conversion of tcpdump output is
> worth the code it would consume.

  I disagree!  In a university environment, one's machines are
unfortunately not always the only ones on the subnet (we
control around 12 machines out of 200 on the subnet).  Thus,
any malevolent behavior on the subnet can cause problems, and
tcpdump (with ascii output) can be an invaluable tool for
debugging the break-in.

  For example, recently our subnet was flooded by someone who broke
into another group's machine, set up a bogus telnetd (and then
logged in via that), and was running smurf.  With tcpdump and a
custom hex2ascii filter I frantically wrote, I was able to
capture and read the cracker's telnet session, which allowed me
to identify the hole and monitor his actions (including all his
typos!) while I waited for someone with root access on that
machine to answer my E-mails.

  When I detect a crack-in-progress, I'd much rather spend time
working on identifying and closing the hole, and not coding up a
filter program I'll need to write in order to figure out how he
was getting in and what commands he's using.

  FYI, the machine in question was running ssh, and had
telnet/rsh/rlogin/rexec disabled.  The cracker got in by
trojan'ing the ssh executable on _another_ machine (one of the
university-wide servers, which allows telnet), and logging
user/password/machine tuples of every use of ssh from that
machine.  A legitimate user ssh'd from that server to the
machine on our subnet, and the cracker then used the
ssh-sniffed info to wreak his havoc.  So once again, even with
ssh, your machine is only as secure as the least-secure machine
that it allows connections from.  :(  Which is every machine on
the Internet, in most university environments.  :( :(

  Brian
-- 
"In the dark, the one-eyed man is blind."