rejetto forum
Topic: Some IP's aren't reported in the 'Addresses ever connected' list
pieropingi
« on: March 08, 2010, 06:56:31 AM »

Hi,

I noticed that some addresses in the log aren't reported in the 'Addresses ever connected' list.
Those connections are very short; they connect and disconnect in a very short time (less than 1 second).
I traced some of them: 1 from China, another from the Czech Republic, another from the Netherlands.

It seems to me that at least one of these connections was organized: the IP connected on port 47495, then tried all ports from 47652 to 47661, then closed the 47495 connection previously opened. I'm not a geek but it seems to me a scan. Why doesn't the aforementioned list report these IP numbers? Is it planned or is it a bug?

It would be interesting to record in the 'Addresses ever connected' list, for every IP number:
- the timestamp of the last connection
- the number of tried/succeeded connections
- the connection-level reached (he connected/disconnected only, or uploaded/downloaded, or ...??)
- the uploaded/downloaded data amount
- ...? (other ideas?)

That would be suitable for attack and intrusion detection purposes.
Mars
Operator
« Reply #1 on: March 08, 2010, 07:22:27 AM »

Use all the needed macros in the [request] event to perform all the operations you wish to carry out.
pieropingi
« Reply #2 on: March 08, 2010, 11:01:15 AM »

Those connections are very fast. He connects and disconnects immediately (I think for testing purposes, but I'm not an expert).
In the log I can't see a request, so I suspect he doesn't produce a [request] event but, knowing the internal coding of HFS, you can say it better than I can.

In any case, I will try it, even if I have never used the macro feature in HFS, and even if, from my point of view, every connection attempt should be recorded in an 'Addresses ever connected' list. Moreover, it would be a good feature for attack detection purposes...

Just for my ill curiosity: where can I find material about tests and weaknesses of HFS? Has someone tried something in that way?
Mars
Operator
« Reply #3 on: March 08, 2010, 12:09:35 PM »

first you can check this line inside the menu

Menu >> Virtual File System >> List protected items only for allowed users

this will hide all protected items
rejetto
Administrator
« Reply #4 on: March 09, 2010, 06:09:14 AM »

Quote
I noticed that some addresses in the log aren't reported in the 'Addresses ever connected' list.

you are right.
HFS doesn't keep track of refused connections (ban or server overload).
i understand this may not fit everyone's needs, but apparently this is the way it should be:
basic users could be misled by seeing addresses they had banned,
while power users can get the feature they want by installing a script.

Quote
It would be interesting to record in the 'Addresses ever connected' list, for every IP number:
...
That would be suitable for attack and intrusion detection purposes.

at the moment the [request] event is fired only after some requests are discarded.
i will add a [pre-filter-request] to access all of them.
anyway, all connections are already accessible via [connected], but at that stage you won't access information about the request itself.

Quote
Just for my ill curiosity: where can I find material about tests and weaknesses of HFS? Has someone tried something in that way?

some security teams (like Secunia) have investigated possible vulnerabilities, and some have been found (and quickly fixed).
try googling for: hfs server vulnerabilities
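
An added example, not part of the thread and not HFS code: a Python script that builds the per-IP record asked for in the first post (last connection time, connection and request counts, level reached, bytes) from a log, so that connections which never produce a request are still counted. The log line layout, the event names, the sample addresses and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the line layout is an assumption, not HFS's exact format.
SAMPLE_LOG = """\
2010-03-08 06:40:01.100 203.0.113.7:47495 Connected
2010-03-08 06:40:01.300 203.0.113.7:47652 Connected
2010-03-08 06:40:01.350 203.0.113.7:47652 Disconnected
2010-03-08 06:40:01.400 203.0.113.7:47653 Connected
2010-03-08 06:40:01.450 203.0.113.7:47653 Disconnected
2010-03-08 06:40:01.900 203.0.113.7:47495 Disconnected
2010-03-08 06:45:10.000 198.51.100.20:51000 Connected
2010-03-08 06:45:10.200 198.51.100.20:51000 Requested GET /file.zip
2010-03-08 06:45:14.000 198.51.100.20:51000 Sent 1048576
2010-03-08 06:45:14.100 198.51.100.20:51000 Disconnected
"""
LINE = re.compile(r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)(?: (.*))?$")

def summarize(log_text, short_secs=1.0, probe_threshold=3):
    """One record per IP, counting every connection, even those with no request."""
    stats = defaultdict(lambda: {"last_seen": None, "connections": 0, "requests": 0,
        "bytes": 0, "level": "connected", "short_no_request": 0, "scan_like": False})
    open_conns = {}  # (ip, port) -> [connect time, request seen?]
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        ip, port, event, detail = m.group(2, 3, 4, 5)
        rec = stats[ip]
        rec["last_seen"] = ts
        if event == "Connected":
            rec["connections"] += 1
            open_conns[(ip, port)] = [ts, False]
        elif event == "Requested":
            rec["requests"] += 1
            rec["level"] = "requested" if rec["level"] == "connected" else rec["level"]
            if (ip, port) in open_conns:
                open_conns[(ip, port)][1] = True
        elif event == "Sent":
            rec["bytes"] += int(detail)
            rec["level"] = "transferred"
        elif event == "Disconnected" and (ip, port) in open_conns:
            started, requested = open_conns.pop((ip, port))
            # A connection closed in under short_secs with no request is probe-like.
            if not requested and (ts - started).total_seconds() < short_secs:
                rec["short_no_request"] += 1
                rec["scan_like"] = rec["short_no_request"] >= probe_threshold
    return dict(stats)
```

Calling `summarize(SAMPLE_LOG)` returns one dictionary per address; the `scan_like` flag is set once an address accumulates `probe_threshold` sub-second connections that never sent a request.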