I noticed that some addresses in the log aren't reported in the 'Addresses ever connected' list.
you are right.
HFS doesn't keep track of refused connections (ban or server overload).
i understand this may not fit everyone's needs, but apparently this is the way it should be:
basic users could be misled by seeing addresses they had banned,
while power users can get the feature they want by installing a script.
It would be interesting to record in the 'Addresses ever connected' list, for every ip number:
...
That would be suitable for attack and intrusion detection purposes.
at the moment the [request] event is fired only after some requests are discarded.
i will add a [pre-filter-request] to access all of them.
anyway, all connections are already accessible via [connected], but at that stage you won't access information about the request itself.
Just for my ill curiosity: where can I find material about tests and weaknesses of HFS? Did someone try something in that way?
some security teams (like secunia) have investigated possible vulnerabilities, and some have been found (and quickly fixed).
try googling for: hfs server vulnerabilities