List: ipfilter
Subject: Re: bpf, ipfilter, t/tcp, and hell.
From: Darren Reed <darrenr () reed ! wattle ! id ! au>
Date: 2000-08-26 14:56:53
In some email I received from Erik Fichtner, sie wrote:
> Uhm. Hopefully, someone on here is a bpf rule writing wizard. I'm not
> entirely sure that what I want to do can actually be done, but, since
> ipfilter is soon to support bpf rules as filters, I want to be able to
> distinguish a t/tcp connection attempt from a syn-fin scan attempt.
>
> This is proving maddening.. tcp[13]=3 gives us the presence of the syn
> and fin bits. tcp[12]>20 gives us a hint that we have options tacked on,
> but I don't see any good way to actually find the cc and ccnew options
> which don't appear to have to be in any specific location.
>
> any ideas?
Hmm. Seems like I really should add something to allow filtering on
TCP options then. You're lost with BPF, unfortunately.
Darren
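
An added example, not part of either message and not ipfilter or BPF code: the option walk the question calls for, written as plain C over a captured TCP header. It assumes the RFC 1644 option kinds 11 (CC) and 12 (CC.NEW), each of length 6; the function name, verdict names and sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define TH_FIN       0x01
#define TH_SYN       0x02
#define TCPOPT_CC    11   /* RFC 1644 CC (assumed kind value) */
#define TCPOPT_CCNEW 12   /* RFC 1644 CC.NEW (assumed kind value) */

enum verdict { NOT_SYNFIN, SYNFIN_TTCP, SYNFIN_NO_CC, MALFORMED };

/* Constructed sample headers; ports, sequence numbers and CC value are arbitrary. */
static const uint8_t sample_ttcp[28] = {
    0x04,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x70, 0x03, 0x20,0x00, 0,0, 0,0,
    1, 1, 11, 6, 0,0,0,42 };             /* NOP NOP CC(len 6) */
static const uint8_t sample_scan[20] = {
    0x04,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50, 0x03, 0x20,0x00, 0,0, 0,0 };

/* Classify a TCP header: tcp points at its first byte, len bytes were captured. */
enum verdict classify_synfin(const uint8_t *tcp, size_t len)
{
    if (len < 20)
        return MALFORMED;
    size_t hlen = (size_t)(tcp[12] >> 4) * 4;   /* data offset, in 32-bit words */
    if (hlen < 20 || hlen > len)
        return MALFORMED;
    if ((tcp[13] & (TH_SYN | TH_FIN)) != (TH_SYN | TH_FIN))
        return NOT_SYNFIN;
    /* Options have no fixed position, so walk the kind/length list. */
    for (size_t i = 20; i < hlen; ) {
        uint8_t kind = tcp[i];
        if (kind == 0)                          /* end of option list */
            break;
        if (kind == 1) { i++; continue; }       /* NOP is a single byte */
        if (i + 1 >= hlen)
            return MALFORMED;                   /* no room for a length byte */
        uint8_t olen = tcp[i + 1];
        if (olen < 2 || i + olen > hlen)
            return MALFORMED;                   /* zero-progress or overrun */
        if ((kind == TCPOPT_CC || kind == TCPOPT_CCNEW) && olen == 6)
            return SYNFIN_TTCP;
        i += olen;
    }
    return SYNFIN_NO_CC;
}

int main(void)
{
    return !(classify_synfin(sample_ttcp, sizeof sample_ttcp) == SYNFIN_TTCP &&
             classify_synfin(sample_scan, sizeof sample_scan) == SYNFIN_NO_CC);
}
```

A SYNFIN_TTCP verdict only says the segment is shaped like a T/TCP open; a sender can attach a CC option to any SYN+FIN, so treat it as a classification hint rather than proof of a legitimate connection.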