[fw-wiz] Re: IPTables logging target: show pid/program name?
From: Chris de Vidal (chris_at_devidal.tv)
Date: 11/15/03
- Previous message: William Stearns: "Re: [fw-wiz] IPTables logging target: show pid/program name?"
- In reply to: William Stearns: "Re: [fw-wiz] IPTables logging target: show pid/program name?"
To: "William Stearns" <wstearns@pobox.com>
Date: Sat, 15 Nov 2003 15:41:03 -0500 (EST)
William Stearns said:
> The "owner" match module could be used to check what
> application/uid created the packet. This can only be used in the OUTPUT
> and POSTROUTING chains, but that's perfect for what you need.
Looks like exactly what I need.
I'm sure someone might need to see a previously-unknown application. I
block outbound as well as inbound on my servers and I would like to know
if I have a trojan... without knowing the name, the above wouldn't give me
more information, other than alerting me to be suspicious.
But that's just icing on the cake; the above rules will be very helpful.
Thank you very much!!
/dev/idal
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
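The owner match discussed in this message, combined with a catch-all log rule for senders that are not on a known list, as an added example that is not from either poster. The account names, ports, chain name and log prefix are constructed, and `--log-uid` assumes a kernel whose LOG target supports it.

```shell
#!/bin/sh
# Added example, not from the thread: prints iptables commands (dry run).
# Review the output, then pipe it to "sh" as root to apply it.
# Arguments are "account:proto:dport"; the sample accounts are constructed.

egress_owner_rules() {
    chain="EGRESS_OWNER"
    # Validate every entry first so a bad one never yields half a ruleset.
    for entry in "$@"; do
        user=${entry%%:*}; rest=${entry#*:}
        proto=${rest%%:*}; port=${rest#*:}
        case "$user" in
            ""|*[!A-Za-z0-9_-]*) echo "bad account: $entry" >&2; return 1 ;;
        esac
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol: $entry" >&2; return 1 ;;
        esac
        case "$port" in
            ""|*[!0-9]*) echo "bad port: $entry" >&2; return 1 ;;
        esac
    done

    echo "iptables -N $chain"
    # Loopback traffic and packets on already-tracked connections (such as
    # replies to inbound clients) skip the owner check.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -j $chain"

    # New outbound connections are accepted only for the expected account.
    for entry in "$@"; do
        user=${entry%%:*}; rest=${entry#*:}
        proto=${rest%%:*}; port=${rest#*:}
        echo "iptables -A $chain -p $proto --dport $port -m owner --uid-owner $user -j ACCEPT"
    done

    # Anything else is logged with the sending UID, then dropped. Packets
    # with no owning socket carry no UID and also land here.
    echo "iptables -A $chain -j LOG --log-uid --log-prefix \"EGRESS-UNKNOWN: \""
    echo "iptables -A $chain -j DROP"
}

# Constructed sample policy: a resolver account and a mail account.
egress_owner_rules named:udp:53 postfix:tcp:25
```

The logged UID identifies the account behind an unexpected outbound packet, not the program name, so it narrows the search rather than naming the binary.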