The firewall box itself is the smaller one on the left, under the USR Courier 56K V-Everything modem. It's got an Asus P/I-P55TP4N mobo with a Pentium 150 Classic, 96mb RAM, and it's running Red Hat Linux 6.2 - no X - 6 consoles with CLI only.
So now I've added a cool little tool I wrote, ACK_hole01.c (heh.. actually it is for the most part copied from W. Richard Stevens' tcpserv04.c in "UNIX Network Programming" vol.1, second edition, p.128; and from trafficrcv.c, from http://www.psc.edu/~web100/pathprobe/ ).
ACK_hole is essentially a network data sink: it sits on a specific TCP port (or several of them: I'm running it on six..) and accepts connections from foreign hosts just like it was a server of some sort.
Only trick is, it's not a server at all: it accepts any/all packets sent to whatever port it's sitting on, and drops them on the floor like they never existed.
So what's the point?
The point is that all the while ACK_hole is accepting packets and dropping them, snort 1.8.7 is merrily logging everything, because I've also opened my firewall on the specific ports ACK_hole is listening to.
So now, despite the fact I'm still secure behind my firewall generally, I can see in detail exploit attempts to specific ports that were previously repelled at the first SYN packet.
Note that this will not compile as-is: you need to download the supporting files for the
#include's and their dependancies that are a part of UNIX Network Programming's source code, from here: http://www.kohala.com/start/unpv12e/unpv12e.tar.gz )
Email me if you want more info; I also have a tarball of the source and supporting files necessary to ACK_hole, itself.mailto: firstname.lastname@example.org
The most recent logs are kinda towards the top..
An index into specific probes by proto/port/service:
Intriguing search strings from my server logs:April 2002
An index into specific probes by interesting characteristics:
Goto the computer systems of FinchHaven