Tool to analyze firewall messages
In /var/log/messages I see messages like

Oct 20 11:00:43 firewall kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=61.0.114.198 DST=62.46.154.154 LEN=78 TOS=0x00 PREC=0x00 TTL=101 ID=3969 PROTO=UDP SPT=62302 DPT=137 LEN=58

I would like to see some whois data of the source IP in clear text and the destination port in clear text too. (Of course I know that 137 is the netbios port.)

Is there an analyzing tool for these messages? Maybe like webalizer?

Where can I define the log file in FW2? I would like to have my own fw logfile to have a better overview of the other messages.

Albert
On Sun, 20 Oct 2002, Al Bogner wrote:
In /var/log/messages I see messages like
Oct 20 11:00:43 firewall kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=61.0.114.198 DST=62.46.154.154 LEN=78 TOS=0x00 PREC=0x00 TTL=101 ID=3969 PROTO=UDP SPT=62302 DPT=137 LEN=58
I would like to see some whois data of the source IP in clear text and the destination port in clear text too. (Of course I know that 137 is the netbios-port)
Are you interested in these two pieces of information only? If so, would it be sufficient to hand over a script doing just that?
Is there an analyzing tool for these messages? Maybe like webalizer?
What exactly do you mean by "analyzing": statistics? tabular format?
Where can I define the log-file in FW2? I would like to have an own fw-logfile to have a better overview of the other messages
I'm not sure how FW2 handles this, but to write to another log file than /var/log/messages, you need the ulog extension to iptables, available at http://www.iptables.org/

Achim
Achim Hoffmann wrote:
Where can I define the log-file in FW2? I would like to have an own fw-logfile to have a better overview of the other messages
I'm not shure how FW2 handles this, but to write in another log file than /var/log/messages, you need the ulog extension to iptables, available at http://www.iptables.org/
Hi Achim, hi Al,

that's not the only option. Another option is to specify some other logging target in the syslog config for kernel messages. For syslogd you need an entry similar to this in /etc/syslog.conf:

kern.info    /var/log/kern_info.log

This entry tells syslogd to log everything from facility kernel with priority info to /var/log/kern_info.log. iptables messages come from the kernel and have priority info.

Hope that helps!

Best regards,
Ralf
On Sonntag, 20. Oktober 2002 12:07 Achim Hoffmann wrote:
In /var/log/messages I see messages like
Oct 20 11:00:43 firewall kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=61.0.114.198 DST=62.46.154.154 LEN=78 TOS=0x00 PREC=0x00 TTL=101 ID=3969 PROTO=UDP SPT=62302 DPT=137 LEN=58
I would like to see some whois data of the source IP in clear text and the destination port in clear text too. (Of course I know that 137 is the netbios-port)
Are you interested in these two pieces of information only?
Not only, but I am especially interested in these two.
If so, would it be sufficient to hand over a script doing just that?
Is there an analyzing tool for these messages? Maybe like webalizer?
What exactly do you mean by "analyzing": statistics? tabular format?
I thought that there could be a script or whatever, which analyzes firewall logs from a "general" view. I found out that a lot of scans to my host come from "developing" countries, especially from South America and Asia.

Albert
Am Son, 2002-10-20 um 12.35 schrieb Al Bogner:
I thought that there could be a script or whatevver, which analyzes firewall logs from a "general" view.
You might like to take a look at an intrusion detection system like snort. http://www.snort.org/

Snort can be installed straight from the SuSE CD. New rules can be downloaded from the snort server but usually need some editing to function with the snort.conf that is shipped with SuSE. There are several tools for analysing snort logfiles to be found on the snort web server. A sample log entry looks like this:

---8<---
[**] [1:884:6] WEB-CGI formmail access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
10/19-20:17:45.581832 67.113.247.186:33326 -> xxx.xxx.xxx.xxx:80
TCP TTL:106 TOS:0x0 ID:29404 IpLen:20 DgmLen:693 DF
***AP*** Seq: 0xC6F88849  Ack: 0xEE772CE8  Win: 0xFFFF  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/1187]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0172]
[Xref => http://www.whitehats.com/info/IDS226]
---8<---

Besides that snort can write the logs to an (external) MySQL or PostgreSQL database server. The version that is shipped on the SuSE CD however lacks database support, so you need to recompile it to use that feature. When logging to a MySQL database you can integrate the MySQL/snort thing into bigbrother, a network monitoring tool. http://www.bb4.com/
I found out, that a lot of scans to my host come from "developing" countries, especially from South America and Asia.
Most of what you see in your logs is simply background noise, especially when you have a dynamically assigned IP.

Wolfgang
Around a month ago I posted a similar message to this list and got some answers:

- Achim Hoffmann sent me a Perl script for making a readable file out of /var/log/firewall. E.g. (remove the CRs):

Log entry:
Oct  9 00:18:48 minasmorgul kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=80.142.58.48 DST=217.84.7.89 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=29088 DF PROTO=TCP SPT=57456 DPT=4662 WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405840402080A0053EFB40000000001030300)

Headline plus generated text:
Time     Rule                src-IP          :port  > dst-IP          :port  proto ttl id    tos  prec len   -- payload
--------+-------------------+----------------------+----------------------+----+---+-----+----+----+-----+----------
00:18:48 DROP-DEFAULT        80.142.58.48    57456  > 217.84.7.89     4662   TCP  60  29088 0x00 0x00 60    -- WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405840402080A0053EFB4000000000

- I run "psad: The Port Scan Attack Detector" (http://www.cipherdyne.com/psad/): it does some realtime scanning of the syslog data stream (partly based on snort) through a fifo file, discovering port scans and then informing via e-mail. The e-mail includes DNS and WHOIS lookups. E.g.:

=-=-=-=-=-=-=-=-=-=-=-=-=-= Oct 20 12:42:50 =-=-=-=-=-=-=-=-=-=-=-=-=-=

psad: portscan detected against minasmorgul (xxx.xxx.xxx.xxx).

Source:                      xxx.xxx.xxx.xxx
Destination:                 xxx.xxx.xxx.xxx
Newly scanned TCP ports:     [25-8080] (since: Oct 20 12:42:49)
Newly Blocked TCP packets:   [4] (since: Oct 20 12:42:49)
TCP flags:                   [SYN: 4 packets]
Nmap:                        [-sT or -sS]
Complete TCP/UDP port range: [25-8080] (since: Oct 20 12:42:49)
Total blocked packets:       4
Start time:                  Oct 20 12:42:49
End time:                    Oct 20 12:42:49
Danger level:                1 out of 5
DNS info:                    xxx.xxx.xxx.xxx -> adsl-123.xxxxxx.xxx.xx.net

---- TCP alert signatures found since [Oct 20 12:42:49] ----
"MISC-WinGate-8080-Attempt"  dp=8080, flags=SYN.  Packets=1
"MISC-WinGate-1080-Attempt"  dp=1080, flags=SYN.  Packets=1

---- Whois Information: ----
OrgName:    Southwestern Bell Internet Services
OrgID:      SBIS

- I run logcheck.sh from Craig Rowland via cron every 15 minutes, which generates reports using something like a good- and bad-word list of unusual events/entries in logfiles.

You could also have a look at Snort, a (good!) free realtime intrusion detection tool...

On Sonntag, 20. Oktober 2002 11:45, Al Bogner wrote:
In /var/log/messages I see messages like
Oct 20 11:00:43 firewall kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=61.0.114.198 DST=62.46.154.154 LEN=78 TOS=0x00 PREC=0x00 TTL=101 ID=3969 PROTO=UDP SPT=62302 DPT=137 LEN=58
I would like to see some whois data of the source IP in clear text and the destination port in clear text too. (Of course I know that 137 is the netbios-port)
Is there an analyzing tool for these messages? Maybe like webalizer?
Where can I define the log-file in FW2? I would like to have an own fw-logfile to have a better overview of the other messages
Albert
--
Eat, sleep and go running, David Huecking.
Encrypted eMail welcome! GnuPG/PGP-Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216
David, Achim,
Around a month ago I posted a similar message to this list and got some answers:

- Achim Hoffmann sent me a Perl script for making a readable file out of /var/log/firewall. E.g. (remove the CRs):

Log entry:
Oct  9 00:18:48 minasmorgul kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=80.142.58.48 DST=217.84.7.89 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=29088 DF PROTO=TCP SPT=57456 DPT=4662 WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405840402080A0053EFB40000000001030300)

Headline plus generated text:
Time     Rule                src-IP          :port  > dst-IP          :port  proto ttl id    tos  prec len   -- payload
--------+-------------------+----------------------+----------------------+----+---+-----+----+----+-----+----------
00:18:48 DROP-DEFAULT        80.142.58.48    57456  > 217.84.7.89     4662   TCP  60  29088 0x00 0x00 60    -- WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405840402080A0053EFB4000000000
I'm interested in getting this script. Could you post it on this list or send it to me by mail?

Thanks
Franck
On Sun, 20 Oct 2002, Franck MAHE wrote:
David, Achim,
Around a month ago I posted a similar message to this list and got some answers: - Achim Hoffmann sent me a Perl script for making a readable file out of [ .. ] I'm interested in getting this script. Could you post it on this list or send it to me by mail?
ok, I'll post my basic script. Use it as is, or improve it as you like (you need to adapt some variables first). If somebody improves it in a valuable way (meaning it may be useful for others), please send me the changes.

<comment to other suggestion to this thread>
kernel.info in /etc/syslog.conf: this redirects all kernel messages of facility info to the specified file, not only those of iptables
.. snort .. does not make any sense for the questioner's purpose (filtering iptables messages)
</comment to other suggestion to this thread>
Script follows,
Achim.
-------------------------------------------
#! /usr/bin/perl
#?
#? NAME
#?      $0 - extract and format log messages of iptables
#?
#? SYNOPSIS
#?      $0
#?
#? DESCRIPTION
#?      TBD
#?
#? AUTHOR
#?      12-dec-01 ah@secure-net.de
#?
# -----------------------------------------------------------------------------

$SID = '@(#) extract_iptables_logs.pl 1.1 01/12/12 21:04:02';
$me  = $0; $me =~ s:.*[/\\]([^/\\]+):$1:;

# -h prints the #? header lines above as usage text
if ("$ARGV[0]" eq '-h') {
    open(FID, $0) || warn "$0: WARNING: cannot read myself.\n";
    while(<FID>) {
        s/\$0/$me/g;
        /^#\?(.*)$/ && print "$1\n";
    }
    close(FID);
    exit( 0 );
}

use Data::Dumper;

$file  = '/var/log/messages';   # <-- change as you need
#$file = '/var/log/yy';
$ident = 'fw-scan:';            # <-- change as you need (e.g. SuSE-FW-DROP-DEFAULT)

print "Time     src-IP          :port  > dst-IP          :port  proto ttl id    tos  prec len   -- payload\n";
print "--------+----------------------+----------------------+----+---+-----+----+----+-----+----------\n";

open( FID, "<$file" ) or die "*** $me cannot open '$file': $!";
while( <FID> ) {
    next if ! m/$ident/;
    $line = $_;
    &iphead_init();
    $s_len  = 13;                       # number of IP header fields IN= .. DPT= (13 with MAC=)
    @fields = split( /\s+/, $line );
    $mon  = shift @fields;
    $day  = shift @fields;
    $time = shift @fields;
    $host = shift @fields;
    $dumm = shift @fields;              # should be kernel:
    $dumm = shift @fields;              # should be fw-scan:
    $s_len++ if grep( /^DF$/, @fields );   # DF is a bare token without '=', see TCP example below
    @head = splice( @fields, $s_len );  # @head: everything after the IP header (payload)
    # @fields now contains only the KEY=VALUE fields of the IP header
    foreach $f (@fields) {
        ($k,$v) = split( /=/, $f );
        #dbx print "iphead{$k} = $v\n";
        $iphead{$k} = $v;
    }
    #foreach $f (keys %iphead) { printf(" %5s: %s\n", $f, $iphead{$f}); }
    &p_iphead( $time, \%iphead, @head );
    #print;
}
close FID;
exit( 0 );

format IPHEAD_TOP =
Time     src-IP          :port  > dst-IP          :port  proto ttl id    tos  prec len
-------------------------------------------------------------------------------------
.

format =
# time    src-IP           port   > dst-IP           port   proto ttl  id     tos   prec  len
@<<<<<<<< @<<<<<<<<<<<<<<< @<<<<< > @<<<<<<<<<<<<<<< @<<<<< @<<<< @<<< @<<<<< @<<<< @<<<< @<<<<<
$time, $p->{SRC}, $p->{SPT}, $p->{DST}, $p->{DPT},$p->{PROTO},$p->{TTL},$p->{ID},$p->{TOS},$p->{PREC},$p->{LEN}
.

sub p_iphead {
    my ($t, $p, @f) = @_;
    #print Dumper($p);
    if ($p->{PROTO} eq 'ICMP') {
        # ICMP has no ports: show TYPE= and CODE= instead
        printf( "%8s %15s T%-4s > %15s C%-4s %4s %3s %5s %4s %4s %5s -- %s\n",
            $t, $p->{SRC}, $p->{TYPE}, $p->{DST}, $p->{CODE},
            $p->{PROTO},$p->{TTL},$p->{ID},$p->{TOS},$p->{PREC},$p->{LEN},
            join( ' ', @f ) );
    } else {
        # TCP, UDP and anything else that carries SPT=/DPT=
        printf( "%8s %15s %-5s > %15s %-5s %4s %3s %5s %4s %4s %5s -- %s\n",
            $t, $p->{SRC}, $p->{SPT}, $p->{DST}, $p->{DPT},
            $p->{PROTO},$p->{TTL},$p->{ID},$p->{TOS},$p->{PREC},$p->{LEN},
            join( ' ', @f ) );
    }
    #select IPHEAD;
    #write;
    #foreach $k (keys %{$p}) { printf(" %5s: %s\n", $k, $p->{$k} ); }
}

sub iphead_init {
    # not really needed, but in case of ...
    @idx = ('CODE', 'DF', 'DPT', 'DST', 'ID', 'IN', 'LEN', 'MAC', 'OUT',
            'PREC', 'PROTO', 'SPT', 'SRC', 'TOS', 'TTL', 'TYPE',);
    foreach $k (@idx) { $iphead{$k} = '.'; }
}

__END__
# TCP example
Dec 12 17:38:11 dent kernel: fw-scan: IN=eth0 OUT=eth1 SRC=212.43.239.134 DST=192.168.18.149 LEN=40 TOS=0x00 PREC=0x00 TTL=120 ID=5595 PROTO=TCP SPT=22 DPT=22 WINDOW=64858 RES=0x00 SYN URGP=0
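Added example (mine, not code from this thread or from Achim's script): a Python version of the same filter that answers Albert's original question, i.e. it turns SuSE-FW kernel lines into a table, resolves the destination port to a service name, and counts drops per source and port so the "general view" he asked for falls out of the same pass. It handles the two things the Perl script has to special-case by counting fields: bare tokens such as DF and SYN, and keys that repeat within one line (LEN= for the IP header and again for UDP, ID= for IP and again for ICMP echo). The sample lines are constructed (the first two are the ones quoted in the thread); FALLBACK_SERVICES is a hypothetical stand-in for /etc/services; the whois server name is an assumption and the whois function is not called offline.

```python
"""Parse SuSE-FW (iptables LOG target) kernel messages into a readable table."""
import re
import socket
from collections import Counter

# Constructed sample input: lines 1 and 2 are the ones quoted in the thread,
# the ICMP and sshd lines are made up to exercise the edge cases.
SAMPLE_LOG = """\
Oct 20 11:00:43 firewall kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=61.0.114.198 DST=62.46.154.154 LEN=78 TOS=0x00 PREC=0x00 TTL=101 ID=3969 PROTO=UDP SPT=62302 DPT=137 LEN=58
Oct  9 00:18:48 minasmorgul kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=80.142.58.48 DST=217.84.7.89 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=29088 DF PROTO=TCP SPT=57456 DPT=4662 WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405840402080A0053EFB40000000001030300)
Oct 20 11:01:02 firewall kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=61.0.114.198 DST=62.46.154.154 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=12 PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
Oct 20 11:01:05 firewall sshd[123]: Accepted publickey for albert from 192.0.2.9 port 40022
"""

# syslog prefix "Mon  D HH:MM:SS host kernel: <rule prefix> KEY=VAL ..."
LINE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<rule>SuSE-FW-\S+) (?P<rest>.*)$")

# Hypothetical offline fallback, used only when /etc/services is unavailable.
FALLBACK_SERVICES = {(137, "udp"): "netbios-ns", (137, "tcp"): "netbios-ns",
                     (22, "tcp"): "ssh", (80, "tcp"): "http"}


def parse_line(line):
    """Return a dict of fields for one SuSE-FW line, None for any other line.

    KEY=VALUE tokens go into the dict; bare tokens (DF, SYN, OPT, ...) are
    collected under 'flags'.  A key that repeats (LEN= for the IP header and
    again for UDP, ID= for IP and again for ICMP echo) keeps its first, i.e.
    IP header, value; later copies land under KEY#2, KEY#3, ... so a naive
    dict does not silently overwrite the IP length with the UDP length.
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"time": m.group("time"), "host": m.group("host"),
           "rule": m.group("rule"), "flags": []}
    seen = Counter()
    for tok in m.group("rest").split():
        if "=" not in tok:
            rec["flags"].append(tok)
            continue
        key, _, val = tok.partition("=")
        seen[key] += 1
        rec[key if seen[key] == 1 else "%s#%d" % (key, seen[key])] = val
    return rec


def port_name(port, proto):
    """'137', 'UDP' -> 'netbios-ns'; falls back to the number when unknown."""
    try:
        num = int(port)
    except ValueError:
        return str(port)
    try:
        return socket.getservbyport(num, proto.lower())
    except (OSError, OverflowError):        # not in /etc/services, or no such file
        return FALLBACK_SERVICES.get((num, proto.lower()), str(num))


def describe(rec):
    """One row: time, rule, src:port > dst:port(name), proto, ttl, len, payload."""
    proto = rec.get("PROTO", "?")
    if proto == "ICMP":   # no ports on ICMP, show type/code instead
        sport, dport = "T" + rec.get("TYPE", "?"), "C" + rec.get("CODE", "?")
    else:
        sport = rec.get("SPT", "?")
        dport = "%s(%s)" % (rec.get("DPT", "?"), port_name(rec.get("DPT", "?"), proto))
    return "%-15s %-13s %15s:%-6s > %15s:%-18s %-4s %3s %4s %s" % (
        rec["time"], rec["rule"].replace("SuSE-FW-", ""), rec.get("SRC", "?"), sport,
        rec.get("DST", "?"), dport, proto, rec.get("TTL", "?"), rec.get("LEN", "?"),
        " ".join(rec["flags"]))


def summarize(records):
    """Dropped packets per (source IP, proto, destination port or ICMP type)."""
    return Counter((r.get("SRC"), r.get("PROTO"), r.get("DPT", r.get("TYPE")))
                   for r in records)


def whois_lookup(ip, server="whois.iana.org", timeout=10):
    """Raw RFC 3912 query over TCP/43; needs network, so the demo does not call it."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall((ip + "\r\n").encode("ascii"))
        chunks, data = [], s.recv(4096)
        while data:
            chunks.append(data)
            data = s.recv(4096)
    return b"".join(chunks).decode("utf-8", errors="replace")


def report(text):
    """Parse every SuSE-FW line in text; return (records, formatted rows)."""
    records = [r for r in (parse_line(ln) for ln in text.splitlines()) if r]
    return records, [describe(r) for r in records]


if __name__ == "__main__":
    recs, rows = report(SAMPLE_LOG)
    print("\n".join(rows))
    for (src, proto, dport), n in summarize(recs).most_common():
        print("%-15s %-4s %-6s %d" % (src, proto, dport, n))
```

Feed it the real file with report(open("/var/log/messages").read()); the rule prefix in LINE_RE is the only thing to adapt if your firewall uses a different --log-prefix. Keeping the first LEN= as the IP length matters when you later compute byte totals per source, and the per-(source, port) counter is what separates a scan from the background noise Wolfgang mentions.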
- Achim Hoffmann sent me a Perl-script for making a readable file out of /var/log/firewall. e.g.: (remove the CRs)
On that topic, I made something similar. It takes a line from the log file (ipchains or iptables) and compresses the information into 80 chars per line. I find it invaluable when testing firewall rules, esp. the iptables output is just plain illegible. Good for getting a quick overview too.

http://volker.dnsalias.net/soft/script/iplogfilter

It'll be added to the scriptutils package next time round.

Volker

--
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.orcon.net.nz/
Please do not CC list postings to me.