Re: [logs] log analysis of netfilter entries?

From: Chris Brenton (cbrentonat_private)
Date: Fri Dec 07 2001 - 18:26:40 PST


    Steve Wray wrote:
    > 
    > This sounded fantastic until I tried it.
    > You know what? It's in the man page, but when I try to use
    > it I get:
    > iptables v1.2.2: Unknown arg `--log-prefix`
    
    Are you using it with the '-j LOG' switch? Here is some of mine:
    
    iptables -A FORWARD -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix " SYNFINSCAN "
    iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j LOG --log-prefix " NULLSCAN "
    iptables -A FORWARD -p tcp --tcp-flags ALL FIN,PSH,URG -j LOG --log-prefix " NMAPXMAS "
    iptables -A FORWARD -p icmp -f -j LOG --log-prefix " ICMPFRAG "
    iptables -A FORWARD -p tcp -s 0/0 --sport 31789 -d 0/0 --dport 31789 -j LOG --log-prefix " HACKATACK "
    iptables -A FORWARD -p tcp -d 0/0 --dport 12345:12346 -j LOG --log-prefix " NETBUS "
    iptables -A FORWARD -p tcp -d 12.33.246.0/23 --dport 1080 -j LOG --log-prefix " PROXYSCAN "
    iptables -A FORWARD -p tcp -d 12.33.246.0/23 --dport 8080 -j LOG --log-prefix " PROXYSCAN "
    iptables -A FORWARD -p tcp -d 0/0 --dport 110 -j LOG --log-prefix " POP3SCAN "
    iptables -A FORWARD -p udp -s 0/0 -d 0/0 --dport 500 -j LOG --log-prefix " IPSEC "
    iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_rpc" -j LOG --log-prefix " FRONTPAGE_VTI_RPC "
    
    So the log entries come out looking something like this:
    Nov 27 01:26:57 gw2 kernel:  SYNFINSCAN IN=eth0 OUT=eth3 SRC=64.39.29.147 DST=X.X.X.2 LEN=40 TOS=0x00 PREC=0x00 TTL=27 ID=39426 PROTO=TCP SPT=111 DPT=111 WINDOW=1028 RES=0x00 SYN FIN URGP=0
    
    Then I just do a:
    grep SYNFINSCAN messages > synfinscan.txt
    grep -v SYNFINSCAN messages > messages.new
    
    I then continue as above stripping out known traffic patterns till the
    only thing left to review is new stuff.
    
    Another thing people may find interesting is Bill Stearns is working on
    integrating the p0f passive fingerprint database into Netfilter as a
    module. Once complete, Netfilter log entries will also contain a text
    string which ID's the transmitting operating system.
    
    HTH,
    Chris
    -- 
    **************************************
    cbrentonat_private
    
    $ chown -R us:us yourbase
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
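As an added example, not part of Chris's post or of the list archive: a small Python script that does the same triage as the grep / grep -v loop above, but on parsed fields rather than raw text. It splits each netfilter LOG line into the --log-prefix tag, the KEY=VALUE fields and the bare flag tokens (SYN, FIN, DF, ...), files lines with a known prefix into per-prefix buckets, and leaves everything else (including hits from a LOG rule that has no --log-prefix at all, which show up with an empty tag) in a review list. The sample log lines are constructed for this example in the format shown in the post, and the KNOWN_PREFIXES set is simply the tags from Chris's rules; neither is real traffic from the gw2 host.

```python
import re
from collections import defaultdict

# Constructed sample lines in the netfilter LOG-target format quoted above.
# The double space after "kernel:" is the leading space of the --log-prefix
# string; the 4th line is a LOG rule with no prefix, the last is not a
# netfilter line at all.
SAMPLE_LOG = """\
Nov 27 01:26:57 gw2 kernel:  SYNFINSCAN IN=eth0 OUT=eth3 SRC=64.39.29.147 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=27 ID=39426 PROTO=TCP SPT=111 DPT=111 WINDOW=1028 RES=0x00 SYN FIN URGP=0
Nov 27 01:27:03 gw2 kernel:  NETBUS IN=eth0 OUT=eth3 SRC=192.0.2.9 DST=10.0.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1027 PROTO=TCP SPT=3012 DPT=12345 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 27 01:27:10 gw2 kernel:  NULLSCAN IN=eth0 OUT=eth3 SRC=64.39.29.147 DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=27 ID=39427 PROTO=TCP SPT=111 DPT=139 WINDOW=1028 RES=0x00 URGP=0
Nov 27 01:28:41 gw2 kernel: IN=eth0 OUT=eth3 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=8181 DF PROTO=TCP SPT=40211 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 27 01:29:02 gw2 kernel:  IPSEC IN=eth0 OUT=eth3 SRC=203.0.113.4 DST=10.0.0.2 LEN=356 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=500 DPT=500 LEN=336
Nov 27 01:30:15 gw2 kernel: eth0: link up
"""

# Tags taken from the --log-prefix strings in the post.
KNOWN_PREFIXES = {"SYNFINSCAN", "NULLSCAN", "NMAPXMAS", "ICMPFRAG", "HACKATACK",
                  "NETBUS", "PROXYSCAN", "POP3SCAN", "IPSEC", "FRONTPAGE_VTI_RPC"}

# Bare tokens the LOG target emits without a "=": TCP flags plus IP DF/MF/CE.
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "MF", "CE"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")


def parse_netfilter_line(line):
    """Parse one syslog line from the netfilter LOG target.

    Returns a dict with ts/host/prefix/flags plus the upper-case KEY=VALUE
    fields, or None if the line is not a netfilter log entry.  The prefix is
    whatever precedes the first "IN=" token, with the padding spaces stripped.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    start = re.search(r"(?:^| )IN=", rest)
    if start is None:
        return None  # some other kernel message
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "prefix": rest[:start.start()].strip(), "flags": []}
    for token in rest[start.start():].split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec.setdefault(key, value)  # keep the first LEN=/ID= (IP header)
        elif token in FLAG_TOKENS:
            rec["flags"].append(token)
    return rec


def triage(log_text, known=KNOWN_PREFIXES):
    """File known-prefix hits into buckets; return (buckets, review).

    'review' holds every netfilter line whose prefix is not in 'known',
    i.e. what is left after stripping all known patterns with grep -v.
    """
    buckets = defaultdict(list)
    review = []
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line)
        if rec is None:
            continue
        if rec["prefix"] in known:
            buckets[rec["prefix"]].append(rec)
        else:
            review.append(rec)
    return dict(buckets), review


def summarize(records):
    """One-line description per record, for eyeballing the review pile."""
    return ["%s %s -> %s:%s/%s %s" % (r["ts"], r.get("SRC"), r.get("DST"),
                                      r.get("DPT", "-"), r.get("PROTO"),
                                      " ".join(r["flags"]))
            for r in records]


if __name__ == "__main__":
    buckets, review = triage(SAMPLE_LOG)
    for tag, hits in sorted(buckets.items()):
        print("%-12s %d hit(s)" % (tag, len(hits)))
    print("left to review:")
    for line in summarize(review):
        print("  " + line)
```

Everything in the review list is, by construction, traffic none of the tagging rules claimed; in the sample that is the untagged SYN to port 22, which is exactly the "new stuff" the grep -v loop is meant to surface.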
    



    This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 11:54:54 PST