Subject: Re: net.inet.tcp.log_refused??
To: Wolfgang Rupprecht <wolfgang@wsrcc.com>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-net
Date: 05/27/1999 10:47:45

On Wed, May 26, 1999 at 06:44:22PM -0700, Wolfgang Rupprecht wrote:
> While the source address/port can't be trusted, the destination
> port/address can be.  That does show interesting patterns.  I use IP
> filter to log all refused connections.  Running an interpreted filter
> just to get a log of outgoing reject packets is kind of a big hammer
> for what should be a simple task.
> 
> Until you start logging outgoing rejects you don't know what you are
> missing. ;-) There are lots of turkeys out there trying regular
> probes of all sorts of off-the-wall ports.  If I had a penny for each
> scan on tcp port 123435, I'd have quite a pile of pennies.

Really? I thought ports were 16 bits :)

Really, I can see some use for this: automatic blacklist, with an
IP filter automatically updated from a log analyzer ... Well, the same could
probably be done with some IPF log rules.

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--