ippl-1.4.14/BUGS
----------------

IP Protocols Logger

Known bugs:

The logclosing option should log connections terminated by the remote end. Unfortunately, it does not seem possible to detect that by only looking at TCP packets. The program must be aware of the state on the connection. Either ippl should record this information, or it should query the kernel about it. For right now, it does not do either of those two things, which means that connections closed by your local host are sometimes logged.

-- Hugo & Etienne 05/09/99

ippl-1.4.14/CREDITS
-------------------

I would like to thank the following people for their help:

Per/dw for his last message patch.
Frank Pavageau for his help with signal handlers.
Charles R. Anderson for his patch to filter on source port.
Gaël Roualland for his patch for ident.c and date format bug (Debian bug #35365).
Daniel Adolfsson and Sandu Mihai for their help in the libc5 porting.
Curtis Ireland for the RPM packages he builds and puts on his FTP site.
Robert Cheramy for his patches, comments and intensive testing.
Steffen Ullrich for his patch to stop name resolving and to add a switch to have a long format for logging source and destination IP addresses and ports.
Michel Kaempf tests with courage all the released versions.
Jean-Philippe Grimaldi for having read all the code and having sent us comments (and a small patch).
Etienne Bernard for his help. He is now helping me to develop IPpl. Thanks to him, IPpl has a nice configuration parser.
Arkadiusz Miśkiewicz for his comments and the patches that he sent to me.
Topi Miettinen for his change GID patch.
Charles C. Fu for his x.x.x.x/n parsing patch.
Matt Zimmerman for a tiny typo fix (fixes Debian bug #72323).

-- Hugo & Etienne 28-Oct-2000

ippl-1.4.14/HISTORY
-------------------

version 1.4.14 - 29-Sep-2001 - Etienne Bernard
----------------------------------------------
"ignore all" and "log all" options are now available.
Simplified the memory handling at certain places so that the memory leak detection should be simplified, but did not manage to find the memory leak described in Debian bug report #111190. Anyway, I found a minor memory leak in the filter reloading (this should only occur if you specify a rule with a TO | without a FROM | rule).

version 1.4.13 - 14-Apr-2001 - Etienne Bernard
----------------------------------------------
Fixed the parsing of hostnames containing a "-".

version 1.4.12 - 05-Nov-2000 - Etienne Bernard
----------------------------------------------
Forgot to bump up version number.
Changed the manual page to tell that the default behaviour is changed to not resolve.

version 1.4.11 - 28-Oct-2000 - Etienne Bernard
----------------------------------------------
Parsing of port ranges (port--port) was broken (see Debian bug #69160).
Applied patch from Matt Zimmerman (see Debian bug #72323).
Tell the resolver to use UDP instead of TCP. Should fix Debian bug #75305.
Set default to *NO RESOLVE* (as suggested in Debian bug #50359).
Some exit conditions (in icmp.c, tcp.c and udp.c) now log a message before stopping ippl. Should ease bug detection.

version 1.4.10 - 21-Apr-2000 - Hugo Haas
----------------------------------------
Parsing of x.x.x.x/n was broken. Applied patch by Charles C. Fu.

version 1.4.9 - 11-Feb-2000 - Hugo Haas
---------------------------------------
ippl would change UID, but not GID. See Debian bug #55864. Patch by Topi Miettinen.

version 1.4.8 - 11/10/99 - Hugo Haas
------------------------------------
go_background() now uses daemon(). Cleaned up code.
Stopped complaining about packets with options in the IP header. Those options are legitimate (source routing). I had kept that from iplogger's behavior.
Fixed a typo in ippl.conf man page.

version 1.4.7 - 5/9/99 - Hugo Haas
----------------------------------
Updated documentation.

version 1.4.pre7 - 29/8/99 - Hugo Haas
--------------------------------------
Updated ippl.conf.man to specify a new format for the netmasks.
Now supports syslogd-like 'last message repeated x time(s)' thanks to Per/dw.

version 1.4.6 - 16/6/99 - Hugo Haas
-----------------------------------
Fixes a parsing problem for "port pop-3" (patch by Etienne).
Fixes a couple of problems in the Makefile system. More fixes to come.

version 1.4.5 - 16/4/99 - Etienne Bernard
-----------------------------------------
Fixes another problem with ident resolution.

version 1.4.4 - 12/4/99 - Hugo Haas
-----------------------------------
Applied patch from Etienne solving a problem related to the parsing of port ranges.

version 1.4.3 - 09/04/99 - Etienne Bernard
------------------------------------------
Implemented a better solution for the problem described below, thanks to Frank Pavageau. Maybe I should buy "Advanced Programming in the Unix Environment" by Richard R. Stevens :-) (donations are also accepted, of course :-)

version 1.4.2 - 07/04/99 - Etienne Bernard
------------------------------------------
Fixed a bug related to the ident function. I am not satisfied by the solution that I used, and I will change it as soon as I get rid of a problem related to signals and multithreading.

version 1.4.1 - 05/04/99 - Etienne Bernard
------------------------------------------
Integrated patch for filtering on source port from Charles R. Anderson.
Corrected Debian bug #35365 (see http://www.debian.org/Bugs/db/35/35365.html), thanks to Gaël Roualland.
Fixed a bug which caused ippl to take 100 % CPU on ident requests sometimes.

version 1.4.0 - 26/3/99 - Hugo Haas
-----------------------------------
ippl.y: now run works fine if it is called more than once.
udp.c: changed the message displayed to "port x UDP datagram from x"; fixes the problem "UDP datagram port port x" since service_lookup() returns "port x" if x is an unknown port.
ident.c: closed the socket after lookup.

version 1.3.9 - 17/3/99 - Hugo Haas
-----------------------------------
Changed ippl.y: now handles errors in the Line section, not in the Rule one.
Added code to debug the parsing mechanism (--enable-parsing-debug).
Removed test against ALL_PROTO in do_log() since it is not supported anymore.

version 1.3.8 - 16/3/99 - Hugo Haas
-----------------------------------
Corrected a typo in configuration.c.
Removed reference to the all keyword for a rule in the man page.
Added filter debugging code.

version 1.3.7 - 15/3/99 - Hugo Haas
-----------------------------------
Added the possibility to change the user running the logging threads. The default user can be modified using the --with-user=USER option of configure. At run time, it is specified with the "runas" keyword.
configuration.c: reset all the variables to their default values when reading configuration. Defined set_default_values().
main.c: do not stop anymore when the account used is not found or when there is nothing to log. Instead, display a warning and do nothing.

version 1.3.6 - 14/3/99 - Hugo Haas
-----------------------------------
Modified configure.in.
Modified INSTALL.

version 1.3.5 - 13/3/99 - Hugo Haas & Etienne Bernard
-----------------------------------------------------
ippl.l, ippl.y, filter.h & tcp.c: added logclosing/nologclosing rule in order to log TCP connection closings.
Added configuration capabilities.

version 1.3.4 - 12/3/99 - Hugo Haas & Etienne Bernard
-----------------------------------------------------
netutils.c: changed get_details() so that it does not display the port numbers only if source and destination ports are equal to 0.
configuration.c: reset the line count before parsing the configuration file.
ippl.l & ippl.y: fixed a stupid error that caused ident mechanism activation when an invalid rule was entered. The error is now properly reported.
main.c: cosmetic changes.

version 1.3.3 - 9/3/99 - Hugo Haas
----------------------------------
main.c, filter.c, filter.h: added a destroy_filter() function which purges the existing filter. It now does it correctly (bugs = bugs - 1).
ippl.y: enabled DNS resolution by default.
Modified information files.

version 1.3.2 - 07/3/99 - Etienne Bernard
-----------------------------------------
Cleaned up the code a bit.
Merged libc5 patch from Hugo.

version 1.3.1 - 07/3/99 - Etienne Bernard
-----------------------------------------
Modified lots of things:
- name resolution can be done protocol by protocol and rule by rule
- added "short" logging format
- the logging format can be configured protocol by protocol and rule by rule
- the ident resolution can be configured rule by rule
PLEASE NOTE THAT THE FORMAT OF THE CONFIGURATION FILE HAS CHANGED, AND THAT YOU WILL PROBABLY HAVE TO REWRITE AND/OR UPDATE YOURS.

version 1.3 - 06/3/99 - Etienne Bernard
---------------------------------------
Added ident mechanism to log remote username.
Added interface for passing information from the filter structure to the logging function.

version 1.2.4 - 6/3/99 - Hugo Haas
----------------------------------
Modified filter.c, netutils.c: a rule containing a wildcard will no longer make ippl crash if the noresolve option is used.
Man page updated.

version 1.2.3 - 6/3/99 - Hugo Haas
----------------------------------
Included a patch from Etienne fixing some problems in the configuration parsing.

version 1.2.2 - 4/3/99 - Hugo Haas
----------------------------------
Removed a stupid line in main.c displaying "test" in the logs...

version 1.2.1 - 3/3/99 - Hugo Haas
----------------------------------
Corrected a bug in main.c: all the file descriptors were closed in go_background(), including those for the log files.
Moreover, the connection to syslog was not opened systematically.

version 1.2 - 27/2/99 - Hugo Haas
---------------------------------
Corrected a bug in the configuration parsing: "run all" was not logging anything.
The --no-resolve and --long options do not exist anymore. They have been replaced by new rules in the configuration file. Now, the detailed output can be set on a per-protocol basis.
Modified the README file, the CREDITS file and the man pages.
Removed potential problems ((v)sprintf -> (v)snprintf).
Code clean-up.
Added generic interface for logging. Now it is possible to log in a file (on a per-protocol basis). Use the SIGHUP signal to reopen the log files.

version 1.1 - 20/2/99 - Etienne Bernard
---------------------------------------
Corrected a bug which caused compilation to stop with egcc.
Changed lots of code in order to enable the reloading of the configuration when the ippl process gets a SIGHUP. Warning, this code is experimental, and I'm not sure of the order I have to take the mutexes. But it works all right for me. Perhaps we should stress test this one.
I added support for multiple interfaces. The magic keyword is "TO". See the man page for ippl.conf(5) for further details. Since I do have only one ethernet card, I only tested this new code with IP Aliasing and the loopback interface.
I included the patch from Steffen Ullrich which added a switch to disable name resolving and another one to activate detailed logging of source and destination IP addresses and ports.
Hugo (21/2/99): Modified reload_configuration() so that it now acquires the mutexes in a correct order. I changed ICMP_PROTO, TCP_PROTO and UDP_PROTO to IPPROTO_ICMP, IPPROTO_TCP and IPPROTO_UDP as suggested by Robert Cheramy. I also included a patch from him logging when ippl starts and stops.

version 1.0 - 14/2/99 - Hugo Haas
---------------------------------
As it seems that no bug has been found in version 0.13, I cleaned up the code a little bit and I am going to release version 1.0, a.k.a. a stable version. I did not clean up the ident and log-in-file parts because I am planning to rewrite them, so that may be useful later.

version 0.13 - 8/2/99 - Hugo Haas
---------------------------------
Corrected the PID file mechanism (actually, it was working, but badly). I used Martin Schulze's pidfile routines used in sysklogd: they are very clean so I did not see any good reason to rewrite them!
Second try: Changed main.c so that when a thread is run, all the signals are ignored, i.e. the main thread will handle all the signals. Now ippl does not segfault on exit anymore. :-)

version 0.12 - 7/2/99 - Hugo Haas
---------------------------------
There was still a bug in the configuration parsing: when a name resolution could not be performed, an incomplete filter entry was used, and it was screwing up everything. This has been fixed by adding a hostname field holding the hostname. Why? Well, until now, DNS results never expired, and this was annoying. Now, the cache is periodically emptied (see expire option in the config) and the configuration is reprocessed (which means that DNS queries are done) at the same time.
Well, I also added a PID file which fixes the problem of the start-stop-daemon script on Debian systems.
This is a big patch, I hope everything's fine (especially the part where I had to remember from the single writer - multiple reader scheme).
I would tend to say that version 0.12 is a pre1.0 version. We will fix bugs, and add no more features. Configuration will be re-read in version 1.0+ (perhaps 1.1, or 2.0, depending on what we need to add).
And now... beta-testing time! (as soon as Etienne has reread my code)

version 0.11 - 5/2/99 - Hugo Haas
---------------------------------
Etienne changed the parsing mechanism so that... it now works. :-)
Now, hostnames are resolved when the configuration is read. It speeds up the filtering.

version 0.10 - 3/2/99 - Hugo Haas
---------------------------------
. Corrected a bug in the filtering system.
. Removed code used to log in a file (#if 0 / #endif).
. Wrote a man page for ippl.conf.
. Corrected a bug in the parsing mechanism. Changed the syntax for ranges.
Well, it makes a lot of things for tonight!

version 0.9 - 2/2/99 - Hugo Haas
--------------------------------
Version 0.8 had a problem: when UDP is logged, a lot of DNS queries are done. This was an issue because it could be a DoS of the DNS server. Etienne had an excellent idea: cache the DNS queries. I took my Advanced Algorithms book and coded my first hashtable. :-) Well, I hope I did it the right way, but the results are impressive: 9 requests out of 10 seem to be in the cache (unless I screwed up with my code gathering statistics). So it is a huge improvement.
Etienne has improved the configuration parsing: ports can now be specified by their names, and error messages are more explicit. If you would like them to be more explicit, send us the URL of a good documentation about bison.
Well, time to build the package.

version 0.8 - 30/1/99 - Hugo Haas
---------------------------------
I did not officially release version 0.7 because we wanted it to be tested. It seems that it works fine, so this time I think we will release this version.
New in this version:
. The arguments are parsed with getopt. Etienne changed that. I must confess that I did not know this command.
. I wrote a module logging UDP packets. It was actually quite quick to do that. ippl is modular and it makes enhancements easy to implement.
. Ok, I did not know that fnmatch had a case-insensitiveness option either. :-)
The code has not been cleaned up yet, and the code about logging into a file is still there (and unused)...

version 0.7 - 24/1/99 - Hugo Haas
---------------------------------
Well, I guess that I am going to do my first public release.
New in this version:
. A new thread is not run to log each incoming packet. Why? If a lot of packets are received by a host and if the name resolution cannot be done quickly enough, ippl rapidly takes all the resources of the host. Annoying... Well, until I find a solution, there will be one thread for each protocol logged and that's it! It means that under heavy network load, some packets may not be logged. I do not think this is a major problem.
. A man page has been written.
. I have removed all the RCS garbage in the code.
. There is now a package for Debian.
. Currently, users cannot log into a file. The code is here but no option enables to use it. Why (again)? I am not happy with the way it is done. Moreover, I believe that it would be better to log everything via the syslog. I guess that in the next version, I will remove this part of the code and give rules to add in the syslog.conf file if people want to use a special file.

version 0.6 - 13/12/98 - Hugo Haas
----------------------------------
All the changes were made by Etienne Bernard.
The parser now uses Lex/Yacc.
IPpl now runs as 'nobody'. This breaks the logging mechanism into a file. I will implement a fix soon.
Added a BUGS file.

version 0.5 - 1/12/98 - Hugo Haas
---------------------------------
Now supports ICMP type/code (thanks to Arkadiusz Miśkiewicz).
Added a few commands for the preprocessor.
Added a CREDITS file.

version 0.4 - 29/11/98 - Hugo Haas
----------------------------------
Removed ident mechanism (I do not think it works... I will change that later).
New configuration: hopefully, it won't change. Seems to work!
Added a TODO file.

version 0.3 - 27/10/98 - Hugo Haas
----------------------------------
Added ident queries.
IPpl has now all the features that iplogger 1.1 has.

version 0.2 - 25/10/98 - Hugo Haas
----------------------------------
Configurable specifying host addresses.

version 0.1 - 25/10/98 - Hugo Haas
----------------------------------
IPpl offers more or less the same features as iplogger 1.1, except that it does not support the ident lookup.

ippl-1.4.14/INSTALL
-------------------

This software has been designed to work on Debian GNU/Linux systems. It should hopefully work with every Linux system. It is planned (see the TODO file) to make it work for other Unix systems. If you want to adapt it for another operating system, please tell us (ippl@via.ecp.fr).

Requirements
------------
* libc version 5 or later
* pthread library version 0.7 or later
* yacc or equivalent (bison is used for development)
* lex or equivalent (lex is used for development)

Installation
------------
Installing the program is done with a standard:

    ./configure (see ./configure --help for options)
    make
    make install

Here are the options used to build the Debian package for example:

    ./configure --prefix=/usr --sysconfdir=/etc

-- Hugo 13/3/99

ippl-1.4.14/LICENSE
-------------------

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it.
(Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

    Copyright (C) 19yy

    This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

    You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

    Gnomovision version 69, Copyright (C) 19yy name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

    Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker.

    , 1 April 1989
    Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.
ippl-1.4.14/Makefile.common.in

#
# Common definitions for all the Makefile's
#

# Version
VERSION=@VERSION@

# Directories
srcdir=@srcdir@
prefix=@prefix@
exec_prefix=@exec_prefix@
SBINDIR=$(ROOT)@sbindir@
MANDIR=$(ROOT)@mandir@
ETCDIR=$(ROOT)@sysconfdir@
VARRUN=$(ROOT)/var/run

# Default user running logging threads
DEFAULT_USER=@DEFAULT_USER@

# Configuration file
CONFIGURATION_FILE=$(ETCDIR)/ippl.conf

# PID file
PID_FILE=$(VARRUN)/ippl.pid

ippl-1.4.14/Makefile.in

#
# Makefile for IP protocol logger
#

include ./Makefile.common

# Commands
INSTALL=@INSTALL@
RM=rm -f

all: binary docs

binary: Makefile Source/Makefile
	@cd Source && make && cd ..

docs:
	@cd Docs && make && cd ..

install: all
	$(INSTALL) -d -m 755 $(SBINDIR)
	$(INSTALL) -s -m 755 Source/ippl $(SBINDIR)/ippl
	$(INSTALL) -d -m 755 $(ETCDIR)
	[ -f $(CONFIGURATION_FILE) ] || \
	  $(INSTALL) -m 644 ippl.conf $(CONFIGURATION_FILE)
	$(INSTALL) -d -m 755 $(MANDIR)
	$(INSTALL) -d -m 755 $(MANDIR)/man5
	$(INSTALL) -d -m 755 $(MANDIR)/man8
	$(INSTALL) -m 644 Docs/ippl.8 $(MANDIR)/man8/ippl.8
	$(INSTALL) -m 644 Docs/ippl.conf.5 $(MANDIR)/man5/ippl.conf.5

clean:
	@cd Source && make clean && cd .. && cd Docs && make clean && cd ..

distclean: clean
	$(RM) *~ Makefile.common Makefile Source/Makefile Docs/Makefile build-stamp install-stamp

mrproper: distclean
	$(RM) config.log config.cache config.status && autoconf

configdump:
	@echo "Configuration:" && \
	echo "  ippl in ${SBINDIR}" && \
	echo "  man pages in ${MANDIR}" && \
	echo "  configuration file in ${ETCDIR}" && \
	echo "  pid file in ${VARRUN}" && \
	echo "  using ${DEFAULT_USER} account to run threads"

ippl-1.4.14/README

IP Protocols Logger | by Hugo Haas & Etienne Bernard |
--------------------------------

This program logs IP packets sent to a system.

Please read the INSTALL file.

See http://pltplp.net/ippl/ for details.

Debian packages can be found on my web site:
  http://pltplp.net/ippl/archives/debs/
or on ftp.debian.org:
  ftp://ftp.debian.org/pub/debian/dists/unstable/binary-(something)/net

RedHat packages can be found on:
  ftp://ftp.vsynth.carleton.ca/pub/ippl/
Note that I do not build the RPM packages. Please write to Curtis Ireland
if you have any questions about them.

If you find a bug, please report it to ippl@via.ecp.fr.

You can join the ippl development list by sending a mail to listar@via.ecp.fr
with "subscribe ippl" in the body.

A mailing list called ippl-announce has also been set up. We will post there
important news about the project. To subscribe, send a mail to
listar@via.ecp.fr with "subscribe ippl-announce" in the body.

Enjoy,

Hugo

ippl-1.4.14/TODO

* Fix the logclosing bug.
* Fix the resolve bug (Debian bug #50359) due to resolver delay. Basically,
  log the time we received the packet, and not the time we wrote the line
  into the log file / syslog.
* Make ICMP logging more verbose.
* Allow the use of different syslog levels.
* Detect attacks.
* Detect traceroute queries.
* Detect nmap null scans.
* Log outgoing packets.
* Write support for ICMPv6.
* Rewrite the program using libpcap. This has been started (see version 1.99.x).

ippl-1.4.14/VERSION

1.4.14

ippl-1.4.14/configure.in

dnl autoconf for ippl. Copyright (C) 1999 Hugo Haas

dnl Initialisation
AC_INIT(Makefile.in)

dnl Version
VERSION=`cat $srcdir/VERSION`
AC_SUBST(VERSION)

echo "Configuring ippl $VERSION..."
echo

dnl Check compilers
AC_PROG_CC
AC_PROG_LEX
AC_PROG_YACC
AC_PROG_INSTALL

dnl Specifying the user used to run threads
DEFAULT_USER="nobody"
AC_ARG_WITH(user,
[  --with-user=USER        Specify which user will run the threads by default (default: nobody)],
[ if test $withval != "yes" -a $withval != "no"; then
    DEFAULT_USER=$withval
  fi ])

dnl Options
AC_ARG_ENABLE(multithread,
[  --enable-multithread    Run a thread for each new packet logged],
[ if test $enableval = "yes"; then
    MULTITHREAD=" -D_MULTITHREAD_"
  fi
  AC_SUBST(MULTITHREAD) ])

AC_ARG_ENABLE(cache-debug,
[  --enable-cache-debug    Display DNS cache statistics],
[ if test $enableval = "yes"; then
    CACHE_DEBUG=" -DCACHE_DEBUG"
  fi
  AC_SUBST(CACHE_DEBUG) ])

AC_ARG_ENABLE(filter-debug,
[  --enable-filter-debug   Display filtering process],
[ if test $enableval = "yes"; then
    FILTER_DEBUG=" -DFILTER_DEBUG"
  fi
  AC_SUBST(FILTER_DEBUG) ])

AC_ARG_ENABLE(parsing-debug,
[  --enable-parsing-debug  Show the configuration parsing process],
[ if test $enableval = "yes"; then
    PARSING_DEBUG=" -DPARSING_DEBUG"
    YACC_DEBUG_OPTIONS=" -dtv"
  fi
  AC_SUBST(PARSING_DEBUG)
  AC_SUBST(YACC_DEBUG_OPTIONS) ])

AC_ARG_ENABLE(all-warnings,
[  --enable-all-warnings   Run the compiler in pedantic mode],
[ if test $enableval = "yes"; then
    PEDANTIC=" -pedantic"
  fi
  AC_SUBST(PEDANTIC) ])

AC_ARG_WITH(dmalloc,
[  --with-dmalloc          Link the program with the dmalloc library],
[ if test $withval = "yes"; then
    AC_CHECK_LIB(dmalloc, main, DMALLOC=" -ldmalloc")
  fi
  AC_SUBST(DMALLOC) ])

dnl A missing pthread symbol must make configure fail, not exit with status 0
fail_pthread() {
  echo "Please update your pthread library:"
  echo "  http://pauillac.inria.fr/~xleroy/linuxthreads/"
  exit 1
}

dnl Check for functions
AC_CHECK_LIB(pthread, pthread_attr_init,, fail_pthread)
AC_CHECK_LIB(pthread, pthread_attr_setdetachstate,, fail_pthread)
AC_CHECK_LIB(pthread, pthread_attr_destroy,, fail_pthread)
AC_CHECK_LIB(pthread, pthread_create,, fail_pthread)
AC_CHECK_LIB(pthread, pthread_setcancelstate,, fail_pthread)
AC_CHECK_LIB(pthread, pthread_cancel,, fail_pthread)
AC_CHECK_LIB(pthread, pthread_mutex_lock,, fail_pthread)
AC_CHECK_LIB(pthread, pthread_mutex_unlock,, fail_pthread)

# If $sysconfdir == /usr/etc, change it to /etc
if [[ $prefix = '/usr' -a $sysconfdir = '${prefix}/etc' ]]; then
  echo sysconfdir is set to /usr/etc. Changing it to /etc.
  sysconfdir='/etc'
fi

dnl Default user
AC_SUBST(DEFAULT_USER)
echo "Using $DEFAULT_USER as the default user to run threads."

AC_OUTPUT(Makefile Makefile.common Source/Makefile Docs/Makefile)

echo
make configdump
echo
echo Now you can type \`\` make \'\'. Good luck!

ippl-1.4.14/install-sh

#! /bin/sh
#
# install - install a program, script, or datafile
# This comes from X11R5.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# `make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch.
#
# Note: I have copied this file from the Mutt tar ball. The copyright notice
# is not very clear but I haven't changed it at all.
# Contact Hugo Haas if there are any problems.
# -- Hugo Sep 5, 1999
#

# set DOITPROG to echo to test this script

# Don't use :- since 4.3BSD and earlier shells don't like it.
doit="${DOITPROG-}"

# put in absolute paths if you don't have them in your path; or use env. vars.
mvprog="${MVPROG-mv}"
cpprog="${CPPROG-cp}"
chmodprog="${CHMODPROG-chmod}"
chownprog="${CHOWNPROG-chown}"
chgrpprog="${CHGRPPROG-chgrp}"
stripprog="${STRIPPROG-strip}"
rmprog="${RMPROG-rm}"
mkdirprog="${MKDIRPROG-mkdir}"

transformbasename=""
transformarg=""
instcmd="$mvprog"
chmodcmd="$chmodprog 0755"
chowncmd=""
chgrpcmd=""
stripcmd=""
rmcmd="$rmprog -f"
mvcmd="$mvprog"
src=""
dst=""
dir_arg=""

while [ x"$1" != x ]; do
    case $1 in
	-c) instcmd="$cpprog"
	    shift
	    continue;;

	-d) dir_arg=true
	    shift
	    continue;;

	-m) chmodcmd="$chmodprog $2"
	    shift
	    shift
	    continue;;

	-o) chowncmd="$chownprog $2"
	    shift
	    shift
	    continue;;

	-g) chgrpcmd="$chgrpprog $2"
	    shift
	    shift
	    continue;;

	-s) stripcmd="$stripprog"
	    shift
	    continue;;

	-t=*) transformarg=`echo $1 | sed 's/-t=//'`
	    shift
	    continue;;

	-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
	    shift
	    continue;;

	*)  if [ x"$src" = x ]
	    then
		src=$1
	    else
		# this colon is to work around a 386BSD /bin/sh bug
		:
		dst=$1
	    fi
	    shift
	    continue;;
    esac
done

if [ x"$src" = x ]
then
	echo "install: no input file specified"
	exit 1
else
	true
fi

if [ x"$dir_arg" != x ]; then
	dst=$src
	src=""

	if [ -d $dst ]; then
		instcmd=:
	else
		instcmd=mkdir
	fi
else

# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
# might cause directories to be created, which would be especially bad
# if $src (and thus $dsttmp) contains '*'.

	if [ -f $src -o -d $src ]
	then
		true
	else
		echo "install: $src does not exist"
		exit 1
	fi

	if [ x"$dst" = x ]
	then
		echo "install: no destination specified"
		exit 1
	else
		true
	fi

# If destination is a directory, append the input filename; if your system
# does not like double slashes in filenames, you may need to add some logic

	if [ -d $dst ]
	then
		dst="$dst"/`basename $src`
	else
		true
	fi
fi

## this sed command emulates the dirname command
dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`

# Make sure that the destination directory exists.
#  this part is taken from Noah Friedman's mkinstalldirs script

# Skip lots of stat calls in the usual case.
if [ ! -d "$dstdir" ]; then
defaultIFS='	
'
IFS="${IFS-${defaultIFS}}"

oIFS="${IFS}"
# Some sh's can't handle IFS=/ for some reason.
IFS='%'
set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
IFS="${oIFS}"

pathcomp=''

while [ $# -ne 0 ] ; do
	pathcomp="${pathcomp}${1}"
	shift

	if [ ! -d "${pathcomp}" ] ;
	then
		$mkdirprog "${pathcomp}"
	else
		true
	fi

	pathcomp="${pathcomp}/"
done
fi

if [ x"$dir_arg" != x ]
then
	$doit $instcmd $dst &&

	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
else

# If we're going to rename the final executable, determine the name now.

	if [ x"$transformarg" = x ]
	then
		dstfile=`basename $dst`
	else
		dstfile=`basename $dst $transformbasename |
			sed $transformarg`$transformbasename
	fi

# don't allow the sed command to completely eliminate the filename

	if [ x"$dstfile" = x ]
	then
		dstfile=`basename $dst`
	else
		true
	fi

# Make a temp file name in the proper directory.

	dsttmp=$dstdir/#inst.$$#

# Move or copy the file name to the temp name

	$doit $instcmd $src $dsttmp &&

	trap "rm -f ${dsttmp}" 0 &&

# and set any options; do chmod last to preserve setuid bits

# If any of these fail, we abort the whole thing.  If we want to
# ignore errors from any of these, just make sure not to ignore
# errors from the above "$doit $instcmd $src $dsttmp" command.

	if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
	if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
	if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
	if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&

# Now rename the file to the real destination.

	$doit $rmcmd -f $dstdir/$dstfile &&
	$doit $mvcmd $dsttmp $dstdir/$dstfile

fi &&

exit 0

ippl-1.4.14/ippl.conf

# IP protocols logger - Configuration file
# See ippl.conf(5)

# User used
# ---------
# Specify the user (declared in /etc/passwd) used to run the
# logging threads.
#runas nobody

# Resolve hostnames?
# ------------------
# DNS lookups are disabled by default (see ippl.conf(5)); the line below
# states that default explicitly. Use "resolve" to turn lookups on.
#noresolve all

# Use ident?
# ----------
# Uncomment the line below to enable IDENT lookups
#ident

# Log end of TCP connections ?
# ----------------------------
# Uncomment the line below to enable logging of closing TCP connections
# See the BUGS file.
#logclosing

# Expiration of DNS data
# ----------------------
#expire 3600

# Log in a file
# -------------
# Uncomment these lines if you want to log messages into files under
# /var/log/ippl/ instead of syslog.
# See ippl.conf(5) for the syntax.
#log-in all /var/log/ippl/all.log
#log-in udp /var/log/ippl/udp.log

# Protocols logged
# ----------------
run icmp tcp
# Uncomment the line below to log UDP traffic.
# See ippl.conf(5) for recommendations.
#run udp

# Logging format
# --------------
# If you want to see the destination address, the ports, etc.,
# or if you want to log the minimal information.
# See ippl.conf(5) for details.
#logformat detailed all

# Filtering of packets logged
# ---------------------------
# Do not log answers to echo requests
ignore icmp type echo_reply
# Log telnet connections using ident and name resolution
log options ident,resolve tcp port telnet
# Do not log UDP from localhost
#ignore udp from localhost
# Do not log DNS queries
#ignore udp port domain
#ignore udp srcport domain

# End of configuration
# Copyright (C) 1998-1999 Hugo Haas - Etienne Bernard

ippl-1.4.14/Docs/Makefile.in

# Makefile for ippl documentation
#
# Copyright (C) 1999 Hugo Haas

RM=rm -f

include ../Makefile.common

SED=sed
SED_SCRIPT=-e "s%__CONFIGURATION_FILE%$(CONFIGURATION_FILE)%g" \
	-e "s%__PID_FILE%$(PID_FILE)%g" \
	-e "s%__DEFAULT_USER%$(DEFAULT_USER)%g"

all: man

man: ippl.8 ippl.conf.5

ippl.8: ippl.man Makefile ../Makefile.common
	@echo "Generating ippl.8" && $(SED) $(SED_SCRIPT) ippl.man > ippl.8

ippl.conf.5: ippl.conf.man Makefile ../Makefile.common
	@echo "Generating ippl.conf.5" && $(SED) $(SED_SCRIPT) ippl.conf.man > ippl.conf.5

clean:
	${RM} ippl.8 ippl.conf.5

ippl-1.4.14/Docs/ippl.conf.man

.\" -*-nroff-*-
.\"
.\" Copyright (C) 1998-2000 Hugo Haas
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\" GNU General Public License for more details.
.\" .\" You should have received a copy of the GNU General Public License .\" along with this program; if not, write to the Free Software .\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. .\" .TH IPPL.CONF 5 "Last change: 11 February 2000" .SH NAME ippl.conf \- IP Protocols Logger configuration file .SH DESCRIPTION The .I ippl.conf file is the only configuration file for the .BR ippl logger. It defines what protocols to log, and the kind of packets to log. A hash mark (``#'') indicates that the end of the line is a comment and it will therefore not be read. .SH USER RUNNING THREADS .BR ippl does not run (unless specified) the protocol logging threads as root for security reasons. You can specify which user should be use with the .I runas keyword. .B Syntax: runas [user] .PP .I user is a user defined in /etc/passwd. By default, the __DEFAULT_USER user is used. .SH PROTOCOLS Each protocol is run by an different thread. To run a thread, use the: .B Syntax: run [protocol] [protocol] ... .PP .I protocol can be: .I icmp to specify that the thread logging ICMP messages should be run. .PP .I tcp to specify that the thread logging TCP connections should be run. .PP .I udp to specify that the thread logging UDP datagrams should be run. .PP .I all to log all the protocols. .SH ADDRESS RESOLUTION You can enable or disable IP address resolution on a protocol basis. To enable address resolution, use: .B Syntax: resolve [protocol] [protocol] ... .PP .I protocol is the same as in the protocols section. To disable address resolution, use: .B Syntax: noresolve [protocol] [protocol] ... .PP .I protocol is the same as before. .PP By default, IP address resolution is disabled for all the protocols. .SH LOGGING FORMAT .BR ippl can log IP protocols in a more or less detailed format. By default, it only shows the source address and the type or the destination port. A more detailed version can be used. There is also a shortest version. 
.B Syntax: logformat [format] [protocol] [protocol] ... .PP .I format can be: .I short to use a short format for logging. .PP .I normal to use the normal format. This is the default. .PP .I detailed to log more information. This option displays the source and destination ports and addresses. .PP .I protocol is the same as in the protocols section. .SH IDENT MECHANISM To enable the IDENT remote username resolution, use the .I ident keyword. To disable it, use the .I noident keyword. Note that the information returned is *NOT* reliable in general since it is returned by the remote host. By default, the ident resolution is off. .SH TCP CONNECTION TERMINATION .BR ippl can detect when a TCP connection is closed. To enable this feature, use the .I logclosing keyword. To disable it, use the .I nologclosing keyword. By default, TCP connection terminations are ignored. .SH LOGGING MECHANISM .BR ippl can log messages using syslog (using the LOG_DAEMON facility) or it can write directly into a file. This is specified using .I log\-in keyword. .B Syntax: log-in [protocol] [filename] .PP .I protocol is the same as in the protocols section. .I filename is an absolute path to a file. Note that the file cannot be in the root directory; it has to be in a directory. NOTE: when the logs are rotated, .BR ippl opens new files when it is sent the SIGHUP signal. .SH RULES When a thread is run, it will catch all the packets using the protocol logged. The user may want to ignore certain packets. This is done with Apache-like rules. .PP There are two different types of rules. The first one describes what packets to log, and the second one describes the packets that should be ignored. The syntax of a rule is as follows: .B Syntax: [log|ignore] {option [option],[option],...} [protocol] [description] .I log means that the packets described should be logged and .I ignore is used if the user does not want to log a certain type of packets. 
.SS Option
.PP
The
.I option
keyword overrides the default values for this rule only.
.I options
is also recognized.
.PP
Valid options are:
.PP
.I resolve
enable IP address resolution.
.PP
.I noresolve
disable IP address resolution.
.PP
.I ident
use ident logging (only for TCP).
.PP
.I noident
disable ident logging (only for TCP).
.PP
.I logclosing
log connection termination (only for TCP).
.PP
.I nologclosing
do not log connection termination (only for TCP).
.PP
.I short
use the short logging format.
.PP
.I normal
use the normal logging format.
.PP
.I detailed
use the detailed logging format.
.SS Protocol
.PP
.I protocol
is one of the supported protocols (see the protocols section), except the
.I all
keyword, which is not supported in rules.
.SS Description
.PP
.I description
holds the type of packet and the hosts to which the rule applies.
.PP
.I Type of packet:
.PP
.nf
type [number]       Specify an ICMP message type.
port [number]       Specify a destination TCP or UDP port number.
port [name]         Specify a destination TCP or UDP port name.
srcport [number]    Specify a source TCP or UDP port number.
srcport [name]      Specify a source TCP or UDP port name.
.fi
.PP
.I number
is specified like this:
.nf
n       Number n.
n--     Every number m >= n.
--n     Every number m <= n.
l--k    Every number m, with l <= m <= k.
.fi
.PP
.I name
is a string given instead of a number. It is either the name of a service
(see /etc/services) or one of the ICMP message keywords below.
Keywords for ICMP messages are:
.nf
echo_reply        0
dest_unreach      3
src_quench        4
redirect          5
echo_req          8
router_advert     9
router_solicit   10
time_exceeded    11
param_problem    12
ts_req           13
ts_reply         14
info_req         15
info_reply       16
addr_mask_req    17
addr_mask_reply  18
.fi
.PP
.I Source of the packets:
.PP
from [host]
.PP
where host is specified as follows:
.nf
x.x.x.x            IP address of a host
x.x.x.x/x.x.x.x    IP address, followed by a network mask, to specify a subnet
x.x.x.x/n          IP address, followed by the prefix length (the number of
                   leading 1 bits in the network mask)
host.net.domain    host name (wildcards accepted)
.fi
.PP
.I Destination of the packets:
.PP
to [host]
.PP
where host is specified as follows:
.nf
x.x.x.x            IP address of the local interface
host.net.domain    host name of the local interface (*no* wildcards accepted)
.fi
.PP
This rule is useful only if you have multiple interfaces connected to your
box, or if you use IP aliasing. It can also be used to log or ignore
broadcasts: use your broadcast address as the destination IP address.
.PP
Please note that rules using IP addresses are faster to check than rules
using host names. A host name rule also depends on the reverse DNS answer
for the source address, which is controlled by whoever runs that address's
reverse zone, so prefer addresses in ignore rules.
.PP
If you log UDP, it is *strongly* recommended to ignore the broadcasts!
(until we implement an option for that).
.SH EXPIRATION OF DNS CACHE
The time for which
.BR ippl
holds cached DNS data without performing any queries can be changed.
.B Syntax:
expire
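To make the rule grammar of the RULES section concrete, and to show what the rules shipped in ippl.conf above actually match, here is an added example. It is not ippl's own code (ippl's configuration parser is written in C with lex and yacc); it is a small Python model of the description syntax documented above, evaluated against constructed packets. Three things are assumptions, because the man page does not state them: rules are tried in file order and the first match decides; a packet that matches no rule is logged; host-name wildcards are shell-style globs. The SERVICES and NAMES tables are constructed stand-ins for /etc/services and the resolver, and SAMPLE_CONF is the shipped rule set uncommented, plus the broadcast rule the UDP note recommends and one range rule with a wildcard source.

```python
# Model of the ippl.conf(5) rule grammar. Added example, not ippl's own code.
# Assumptions not stated on the page: first matching rule wins, unmatched
# packets are logged, host-name wildcards are shell globs.
import fnmatch
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

ICMP_TYPES = {"echo_reply": 0, "dest_unreach": 3, "src_quench": 4, "redirect": 5,
              "echo_req": 8, "router_advert": 9, "router_solicit": 10,
              "time_exceeded": 11, "param_problem": 12, "ts_req": 13,
              "ts_reply": 14, "info_req": 15, "info_reply": 16,
              "addr_mask_req": 17, "addr_mask_reply": 18}  # as in ippl.conf(5)
SERVICES = {"telnet": 23, "domain": 53}                  # constructed /etc/services
NAMES = {"127.0.0.1": "localhost", "10.0.0.7": "probe.lab.example"}  # constructed PTRs

# dst is the local interface the packet arrived on (what a 'to' rule checks)
Packet = namedtuple("Packet", "proto src dst dport sport icmp_type",
                    defaults=(0, 0, 0))

@dataclass
class Rule:
    action: str                 # log or ignore
    proto: str                  # icmp, tcp or udp ('all' is not allowed here)
    options: list
    ranges: list = field(default_factory=list)   # (packet field, lo, hi)
    src: str = None             # from [host]
    dst: str = None             # to [host]

def parse_number(tok, proto):
    """n, n--, --n, l--k, or a service / ICMP keyword -> inclusive (lo, hi)."""
    if "--" in tok:
        lo, hi = tok.split("--", 1)
        return int(lo or 0), int(hi or 65535)
    if tok.isdigit():
        return int(tok), int(tok)
    table = ICMP_TYPES if proto == "icmp" else SERVICES
    if tok not in table:
        raise ValueError(f"unknown name {tok!r} for {proto}")
    return table[tok], table[tok]

def parse_rule(line):
    """[log|ignore] {option a,b,...} protocol description"""
    toks = line.split()
    action, options = toks.pop(0), []
    if action not in ("log", "ignore"):
        raise ValueError(f"bad action {action!r}")
    if toks and toks[0] in ("option", "options"):
        toks.pop(0)
        options = toks.pop(0).split(",")
    proto = toks.pop(0)
    if proto not in ("icmp", "tcp", "udp"):
        raise ValueError(f"bad protocol {proto!r}")
    if len(toks) % 2:
        raise ValueError("description keyword without a value")
    rule = Rule(action, proto, options)
    fields = {"type": "icmp_type", "port": "dport", "srcport": "sport"}
    for key, val in zip(toks[::2], toks[1::2]):
        if key in ("from", "to"):
            setattr(rule, "src" if key == "from" else "dst", val)
        elif key in fields and (key == "type") == (proto == "icmp"):
            rule.ranges.append((fields[key],) + parse_number(val, proto))
        else:
            raise ValueError(f"{key!r} is not valid for {proto}")
    return rule

def host_matches(spec, ip, wildcards):
    """x.x.x.x, x.x.x.x/x.x.x.x, x.x.x.x/n, or a (possibly wildcarded) name."""
    if spec[0].isdigit():
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    name = NAMES.get(ip, "")
    return fnmatch.fnmatchcase(name, spec) if wildcards else name == spec

def load_rules(conf):
    rules = []
    for raw in conf.splitlines():
        toks = raw.split("#", 1)[0].split()        # '#' starts a comment
        if toks and toks[0] in ("log", "ignore"):  # other keywords are skipped
            rules.append(parse_rule(" ".join(toks)))
    return rules

def decide(rules, pkt):
    """First matching rule wins (assumption); unmatched packets are logged."""
    for r in rules:
        if (r.proto == pkt.proto
                and all(lo <= getattr(pkt, f) <= hi for f, lo, hi in r.ranges)
                and (not r.src or host_matches(r.src, pkt.src, wildcards=True))
                and (not r.dst or host_matches(r.dst, pkt.dst, wildcards=False))):
            return r.action, r.options
    return "log", []

# Constructed: the shipped ippl.conf rules, uncommented, plus the broadcast rule
SAMPLE_CONF = """\
run icmp tcp udp
ignore icmp type echo_reply
log options ident,resolve tcp port telnet
ignore udp from localhost
ignore udp port domain
ignore udp to 192.168.1.255          # subnet broadcast of the logging host
ignore tcp port 6000--6063 from *.lab.example
"""
```

Call `decide(load_rules(SAMPLE_CONF), Packet("udp", "10.0.0.7", "192.168.1.255", dport=137))` to see the broadcast rule fire; the same NetBIOS datagram sent to 192.168.1.10 is logged, because only the `to` address differs. The wildcard rule matches only when the constructed resolver returns a name under `.lab.example`, which is the behaviour the man page's note about host-name rules warns about: the match is only as trustworthy as the PTR record behind it.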