From: Chris Brenton <cbrenton@chrisbrenton.org>
To: Tom Marshall <tommy@home.tig-grr.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Dropping SYN with FIN flag set
Date: 21 Oct 2003 15:47:24 -0400
Message-ID: <1066765643.1557.79.camel@valhalla>
In-Reply-To: <20031021192921.GA12606@home.tig-grr.com>

On Tue, 2003-10-21 at 15:29, Tom Marshall wrote:
>
> Don't know if you care or not, but you could do this much more efficiently
> with perl.
I *totally* agree. I teach the SANS perimeter track (T2) and teach this
method of log review. While I can teach people how to use grep in about
10 minutes, perl takes a wee bit longer. Using the same method I teach
in class gives me a better chance to debug/improve/etc.
> If you don't want to do that, you can at least avoid the
> tempfiles by using the surrounding spaces in your patterns, eg.
>
> grep " FINSCAN " logfile > finscan.txt
I like using temp files as it aids in debugging. Also, I kind of have to
use the temp files as I '-v' out everything I have a pattern for and
want to be able to see whatever is left (i.e. all the traffic I don't
create a match pattern for).
Thanks!
C
Thread overview:
2003-10-21 15:47 Dropping SYN with FIN flag set James Miller
2003-10-21 16:39 ` Chris Brenton
2003-10-21 17:51 ` Jeffrey Laramie
2003-10-21 18:56 ` Chris Brenton
2003-10-21 19:29 ` Tom Marshall
2003-10-21 19:47 ` Chris Brenton [this message]
2003-10-21 20:35 ` Jeffrey Laramie
2003-10-21 21:35 ` Chris Brenton