Connection Logger

Brian Mitchell is the original author of this fine tool (try brian@saturn.net).

Each log line has 5 fields, separated by the '|' character.

You can easily specify alternate filters, so clog can also be used to detect any sort of connection from 'unusual' hostnames. The filter syntax is exactly the same as that of the tcpdump package - if you know how to write filters for tcpdump, you know how to write filters for clog!

Another possible use is detecting the so-called "stealth scanners". A stealth scanner sends a SYN packet (which is exactly what clog logs). If something is listening on that port, the server answers with a SYN/ACK packet; if nothing is listening, the server answers with a RST/ACK packet. In the normal course of opening a connection, the client would then return an ACK packet, completing the 3-way handshake. Stealth scanners don't do this: they perform only 2 of the 3 steps, because once they have seen a SYN/ACK or a RST/ACK they already know whether something is listening on the port. Since the handshake is never completed, the listening service never accepts a connection and writes nothing to its own logs; logging at the SYN level, as clog does, is what makes these scans visible.
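The two ideas above, SYN-only filtering and spotting a half-open scan in the resulting log, as an added example in Python. This is not code from clog or from its author: the flag test reproduces what the tcpdump filter 'tcp[13] & 0x12 == 0x02' (SYN set, ACK clear) selects, and the scan detector runs over constructed log lines. The five-field layout used here (time|src|sport|dst|dport) is an assumption made for the example; this README does not name clog's fields.

```python
"""Added example: SYN-only packet selection and half-open scan detection.

Not part of clog. The log layout below is assumed for illustration only.
"""
import struct
from collections import defaultdict

# TCP flag bits in the 13th byte of the TCP header (what tcpdump calls tcp[13]).
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(tcp_header: bytes) -> int:
    """Return the flags byte of a raw TCP header (offset 13)."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return tcp_header[13]


def is_syn_only(tcp_header: bytes) -> bool:
    """Same selection as the tcpdump filter 'tcp[13] & 0x12 == 0x02'.

    True for the first packet of a handshake (SYN set, ACK clear); False for
    the SYN/ACK or RST/ACK reply, which carry the ACK bit.
    """
    return tcp_flags(tcp_header) & (TH_SYN | TH_ACK) == TH_SYN


def build_tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Build a minimal 20-byte TCP header (constructed test data, no options)."""
    offset_flags = (5 << 12) | flags          # data offset 5 words, flags in low byte
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 65535, 0, 0)


def parse_record(line: str):
    """Parse one '|'-separated record in the ASSUMED layout time|src|sport|dst|dport."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    ts, src, sport, dst, dport = fields
    return int(ts), src, int(sport), dst, int(dport)


def find_port_scanners(lines, window: int = 60, min_ports: int = 10):
    """Flag (src, dst) pairs whose SYNs hit >= min_ports distinct ports within `window` seconds.

    A scanner that only completes 2 of the 3 handshake steps still sends one SYN
    per probed port, so the SYN log alone is enough to see the pattern.
    Returns {(src, dst): most distinct ports seen in any one window}.
    """
    events = defaultdict(list)
    for line in lines:
        ts, src, _, dst, dport = parse_record(line)
        events[(src, dst)].append((ts, dport))

    suspects = {}
    for key, ev in events.items():
        ev.sort()
        start = 0
        for end in range(len(ev)):
            while ev[end][0] - ev[start][0] > window:   # slide the window forward
                start += 1
            ports = {p for _, p in ev[start:end + 1]}
            if len(ports) >= min_ports:
                suspects[key] = max(suspects.get(key, 0), len(ports))
    return suspects


# Constructed sample: 10.0.0.9 sweeps ports 21-35 of 192.0.2.10 in 15 seconds,
# while 10.0.0.5 makes a few ordinary connections over several minutes.
SAMPLE_LOG = [f"{1000 + i}|10.0.0.9|{40000 + i}|192.0.2.10|{21 + i}" for i in range(15)] + [
    "1000|10.0.0.5|51000|192.0.2.10|22",
    "1200|10.0.0.5|51001|192.0.2.10|80",
    "1300|10.0.0.5|51002|192.0.2.10|22",
]

if __name__ == "__main__":
    print("SYN only:", is_syn_only(build_tcp_header(40000, 80, TH_SYN)))
    print("SYN/ACK:", is_syn_only(build_tcp_header(80, 40000, TH_SYN | TH_ACK)))
    for (src, dst), n in find_port_scanners(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst}, {n} distinct ports in one window")
```

The threshold and window are deliberately parameters: a busy client can legitimately open a handful of ports on one host, so tune min_ports to the environment rather than alerting on every multi-port source.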

Finally, there is the 'FTP Bounce' attack described by hobbit@avian.org in his whitepaper on the subject. I have included his whitepaper as ftp-bounce.txt in this distribution; I suggest you read it - it is most interesting and raises some interesting points.


shrdlu AT deaddrop DOT org

Last modified: Sat Oct 30 23:22:01 PDT 2004