   TCPWrappers is a fine, fine program, and is suited for many purposes.
However, it only sees what inetd chooses to pass its way, which can be a
problem in some cases, as you want to know if you are being poked.

   TAMU produced some time ago a package of network loggers. The problem is
they only work on Sun workstations, using the NIT or DLPI interfaces (SunOS
and Solaris2 respectively), which limits their use. I decided to write a
program that performs a similar task, but using the excellent libpcap packet
capture library that TCPDUMP uses.

   You have in your possession the result. I made the output format both easy
to read and easy to process, so it can be used very easily by scripts. There
are 5 fields, each of which is separated by the '|' character.

   The first field is the date the connection arrived. The second field is
either the source ip address or the hostname that originated the connection
(depending on whether you used the -r argument). The third field is the
source port. The fourth field is either the destination ip address or the
destination hostname (again, depending on whether you used -r). The final
field is the destination port number.

   You can easily specify alternate filters, so this program could be easily
used to detect any sort of connection from 'unusual' hostnames. The
filtering syntax is exactly the same as that in the tcpdump package - if you
know how to do filters with tcpdump, you know how to do filters with clog!

   Another possible use is detecting the so-called "stealth scanners". A
stealth scanner works by sending a SYN packet (which is what clog logs); if
something is listening on that port, the server sends a SYN/ACK packet, and
if nothing is listening on the port, the server sends a RST/ACK packet.
In the normal course of connection opening, after you get the SYN/ACK
packet, you would return an ACK packet, thus completing the 3 way handshake.
Stealth scanners don't do this; they only do 2 of the 3 steps, because once
they get a SYN/ACK or a RST/ACK, they already know whether something is
listening on the port or not.
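   As an added example (mine, not part of the clog distribution), here is a
small script that parses the five-field format described above and uses the
SYN-per-port fan-out to flag a half-open scan in a clog log; the date format
and the log lines it contains are constructed sample data.

```python
# Added example (not part of clog): parse clog's '|'-separated records
# and flag sources that fan SYNs across many ports on one host, the
# pattern a half-open "stealth" scan leaves since clog logs every SYN.
# Assumes the README's field order: date|src|sport|dst|dport. The date
# format and the log lines below are constructed sample data.
from collections import defaultdict

SAMPLE_LOG = """\
Mon Mar  3 10:01:02 1997|10.0.0.5|1234|192.0.2.10|25
Mon Mar  3 10:01:03 1997|10.0.0.5|1235|192.0.2.10|80
Mon Mar  3 10:01:03 1997|10.0.0.5|1236|192.0.2.10|21
Mon Mar  3 10:01:04 1997|10.0.0.5|1237|192.0.2.10|23
Mon Mar  3 10:01:04 1997|10.0.0.5|1238|192.0.2.10|110
Mon Mar  3 10:02:00 1997|192.0.2.77|40001|192.0.2.10|22
Mon Mar  3 10:02:30 1997|192.0.2.77|40002|192.0.2.10|22
not a clog record
"""


def parse_clog_line(line):
    """Split one clog record into its five fields; None if malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5:
        return None
    date, src, sport, dst, dport = parts
    try:
        return {"date": date, "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport)}
    except ValueError:
        return None


def find_port_scanners(log_text, min_ports=5):
    """Map (src, dst) -> sorted distinct dports for pairs where one source
    sent SYNs to at least min_ports different ports on one destination."""
    ports_seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_clog_line(line)
        if rec is None:
            continue  # skip lines that are not clog records
        ports_seen[(rec["src"], rec["dst"])].add(rec["dport"])
    return {pair: sorted(ports) for pair, ports in ports_seen.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for (src, dst), ports in find_port_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {dst} on ports {ports}")
```

Repeated SYNs to the same port (a legitimate client retrying) do not raise
the distinct-port count, so only the true fan-out is reported.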

   Finally, there is the 'FTP Bounce' attack described by hobbit@avian.org
in his whitepaper on the subject. I have included his whitepaper as
ftp-bounce.txt in this distribution, I suggest you read it - it is most
interesting, and raised some interesting points.

   Installing clog on most platforms is pretty simple, assuming you have the
libpcap library previously installed. The simple makefile should handle most
cases effortlessly. If you are installing on a Solaris box, use 'make
solaris'. If you are installing on a Linux system, use 'make linux'. Anywhere
else, 'make' by itself should work (using the generic rule). No matter what
platform you use, you *NEED* an ANSI compiler; this will not compile under
K&R style compilers. I suggest the GNU CC compiler, since it is readily
available, and really works nicely (well, I use linux - not like I have much
of a choice in the matter :-) ).

   If you do not have libpcap yet, get it. The general release can be found
at ftp://ee.lbl.gov/libpcap.tar.Z. If you have Linux, however, the general
release will not compile. For Linux, there are patched versions of libpcap in
some of the TCPDUMP source distributions (tcpdump 3.0 and above); just
retrieve one of these. I have not found a 1.3.* patched version of libpcap
though; 1.3.x seems to break the patched libpcap I do have, so if you run a
development kernel, you are out of luck for the time being.

Brian Mitchell	<brian@saturn.net>
http://www.saturn.net/~brian


