Scott, Rick -
Sunday, June 23, 2002 you wrote:
RSP> Although most of it is very straightforward, there are about a
RSP> dozen bytes in there that seem to never change -- but those could
RSP> easily cause a problem for a program that assumes that they
RSP> should always be the same value.
I see what you mean.
I agree that it would be imprudent to develop a program that
would be widely distributed unless the format was well
understood. It is too easy to block such large numbers of
connections to take much risk.
However, I am interested more in a web utility that I would use in
conjunction with the Log Analyzer and look for dictionary attacks
from ip addresses. So I don't think I need to totally understand
the file structure for my purposes.
I can mol list the acl file's contents now which is useful in
itself since it is hard to remember what I've entered and removed
and why. It would be nice to add a reverse lookup to this too.
RL> RSP> What I've been able to discover is that the static contents
RL> of the file, before any addition of data, seems to be consistent
RL> with the other *.acc files. The data at the end of the file I
RL> would think needs to remain constant probably as an end of file
RL> marker to the calling routine within IMail. The static data at the
RL> beginning of the file is a mystery to me.
I don't understand it either but I am glad to know about the
similarities to other .acc files. I haven't looked at those yet.
I've been able to inspect two files but haven't been able to play with
inserts and deletes yet and then compare again. My initial structure
follows:
bytes 00-0F ( 16): not understood - not enough experience yet to
know what changes and what doesn't
bytes 10-13 ( 4): I think the first byte is the total length of the
array of acl entries and masks where the ip and
mask each count. It confuses me why this would
be the case unless the mask could be handled
differently in certain cases. Or it may be
coincidental.
At byte 14 I believe an array begins:
An array element seems to be the IP address and mask represented
in 8 bytes (xx xx xx xx mm mm mm mm where xx is one of the
quartet of the ip address and mm is the mask quartets).
The first part of the list appears to be the current acl. I
think it may be sorted but haven't verified that nor do I
understand yet when the sort occurs if it does. Probably it
doesn't matter but it might. Sorting is not hard in this case
anyway.
However, there can be at least a 2nd part of the array. This 2nd
part of the array does not always appear. When it does there is
what I believe to be a separator marker in the form: "0 0 0 0 FF
FF FF FF". As nearly as I can tell there is no significance to
the marker other than as a marker. But its existence does
explain why byte 10 might be a length.
The second part of the list is formatted the same as the first.
It may be a list of deleted entries or it may be additions for
"possible hack attempt" events. I think this is possible to
determine with more time.
I suppose it is possible that there may be additional separators
and additional lists although I don't suspect a purpose for
them.
The array ends with another "0 0 0 0 FF FF FF FF" which again I
think is only a marker.
The marker elements are included in the total array length at
byte 10 if that is what it is.
Terry Fritts
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Please visit the Knowledge Base for answers to frequently asked
questions: http://www.ipswitch.com/support/IMail/
