RE: [logs] log analysis of netfilter entries?

From: Steve Wray (steve.wrayat_private)
Date: Sat Dec 08 2001 - 14:28:30 PST

    > Steve Wray wrote:
    > > 
    > > This sounded fantastic until I tried it.
    > > You know what? It's in the man page, but when I try to use
    > > it I get:
    > > iptables v1.2.2: Unknown arg `--log-prefix`
    > 
    > Are you using it with the '-j LOG' switch? Here is some of mine:
    
    Thanks all for the help; yeah, I was using --log-prefix with a target
    -j LD, where LD is defined as LOG then DROP...
    Have to use --log-prefix with a separate rule instead...
    :)
    
    
     
    > iptables -A FORWARD -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix " SYNFINSCAN "
    > iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j LOG --log-prefix " NULLSCAN "
    > iptables -A FORWARD -p tcp --tcp-flags ALL FIN,PSH,URG -j LOG --log-prefix " NMAPXMAS "
    > iptables -A FORWARD -p icmp -f -j LOG --log-prefix " ICMPFRAG "
    > iptables -A FORWARD -p tcp -s 0/0 --sport 31789 -d 0/0 --dport 31789 -j LOG --log-prefix " HACKATACK "
    > iptables -A FORWARD -p tcp -d 0/0 --dport 12345:12346 -j LOG --log-prefix " NETBUS "
    > iptables -A FORWARD -p tcp -d 12.33.246.0/23 --dport 1080 -j LOG --log-prefix " PROXYSCAN "
    > iptables -A FORWARD -p tcp -d 12.33.246.0/23 --dport 8080 -j LOG --log-prefix " PROXYSCAN "
    > iptables -A FORWARD -p tcp -d 0/0 --dport 110 -j LOG --log-prefix " POP3SCAN "
    > iptables -A FORWARD -p udp -s 0/0 -d 0/0 --dport 500 -j LOG --log-prefix " IPSEC "
    > iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 80 --tcp-flags ACK ACK -m string --string "/_vti_rpc" -j LOG --log-prefix " FRONTPAGE_VTI_RPC "
    > 
    > So the log entries come out looking something like this:
    > Nov 27 01:26:57 gw2 kernel:  SYNFINSCAN IN=eth0 OUT=eth3 SRC=64.39.29.147 DST=X.X.X.2 LEN=40 TOS=0x00 PREC=0x00 TTL=27 ID=39426 PROTO=TCP SPT=111 DPT=111 WINDOW=1028 RES=0x00 SYN FIN URGP=0
    > 
    > Then I just do a:
    > grep SYNFINSCAN messages > synfinscan.txt
    > grep -v SYNFINSCAN messages > messages.new
    > 
    > I then continue as above stripping out known traffic patterns till the
    > only thing left to review is new stuff.
    > 
    > Another thing people may find interesting is Bill Stearns is working on
    > integrating the p0f passive fingerprint database into Netfilter as a
    > module. Once complete, Netfilter log entries will also contain a text
    > string which ID's the transmitting operating system.
    > 
    > HTH,
    > Chris
    > -- 
    > **************************************
    > cbrentonat_private
    > 
    > $ chown -R us:us yourbase
    > 
    > 
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
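The grep / grep -v workflow Chris describes (bucket known prefixes, review whatever is left) is easy to reproduce in a few lines once the netfilter line format is parsed. The script below is an added example written for this archive page, not code from either poster. It parses the `kernel:  PREFIX IN=... OUT=... SRC=... ` layout that the LOG target writes to syslog, splits the tail into `KEY=VALUE` fields and bare flag tokens (`SYN`, `FIN`, `DF`), sorts entries into buckets by the prefix set you declare as known, and hands back everything else for manual review, exactly what the `grep -v` step leaves in `messages.new`. The sample log lines are constructed: the first is the SYNFINSCAN entry quoted above (with X.X.X.2 left as written), the others were made up for this example. The function and variable names are the example's own. As a side note on the original problem: `--log-prefix` is an option of the LOG target, so it is only accepted directly after `-j LOG`; when the jump is to a user-defined chain such as LD, the prefix belongs on the LOG rule inside that chain.

```python
import re
from collections import defaultdict

# Constructed sample log. Line 1 is the SYNFINSCAN entry quoted in the thread; the
# NULLSCAN line, the unprefixed LOG line and the sshd line were made up for this example.
SAMPLE_LOG = """\
Nov 27 01:26:57 gw2 kernel:  SYNFINSCAN IN=eth0 OUT=eth3 SRC=64.39.29.147 DST=X.X.X.2 LEN=40 TOS=0x00 PREC=0x00 TTL=27 ID=39426 PROTO=TCP SPT=111 DPT=111 WINDOW=1028 RES=0x00 SYN FIN URGP=0
Nov 27 01:30:02 gw2 kernel:  NULLSCAN IN=eth0 OUT=eth3 SRC=192.0.2.10 DST=X.X.X.2 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Nov 27 01:31:15 gw2 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=X.X.X.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=8443 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 27 01:32:40 gw2 sshd[1234]: Accepted publickey for admin from 203.0.113.5 port 50000 ssh2
"""

# syslog timestamp, host, "kernel:", optional --log-prefix text, then the IN=... field list.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel:\s*"
    r"(?P<prefix>.*?)\s*(?P<fields>IN=.*)$"
)


def parse_netfilter_line(line):
    """Return a dict for a netfilter LOG entry, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    flags = []
    for tok in m.group("fields").split():
        if "=" in tok:                       # KEY=VALUE (OUT= yields an empty value)
            key, value = tok.split("=", 1)
            fields[key] = value
        else:                                # bare tokens: SYN, FIN, ACK, DF, ...
            flags.append(tok)
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "prefix": m.group("prefix").strip(),  # "" when the rule had no --log-prefix
        "fields": fields,
        "flags": flags,
    }


def triage(lines, known_prefixes):
    """Mirror 'grep PREFIX' / 'grep -v PREFIX': bucket known prefixes, keep the rest.

    Returns (buckets, leftovers). Leftovers are raw lines: LOG entries with an
    unknown or empty prefix and any non-netfilter lines, i.e. what still needs eyes.
    """
    buckets = defaultdict(list)
    leftovers = []
    for raw in lines:
        entry = parse_netfilter_line(raw)
        if entry and entry["prefix"] in known_prefixes:
            buckets[entry["prefix"]].append(entry)
        else:
            leftovers.append(raw)
    return dict(buckets), leftovers


def summarize(buckets):
    """Per-prefix hit count and per-source count, the first thing to look at after sorting."""
    out = {}
    for prefix, entries in buckets.items():
        sources = defaultdict(int)
        for e in entries:
            sources[e["fields"].get("SRC", "?")] += 1
        out[prefix] = {"count": len(entries), "sources": dict(sources)}
    return out


if __name__ == "__main__":
    buckets, leftovers = triage(SAMPLE_LOG.splitlines(), {"SYNFINSCAN", "NULLSCAN"})
    for prefix, info in summarize(buckets).items():
        print(f"{prefix}: {info['count']} hit(s) from {info['sources']}")
    print(f"{len(leftovers)} line(s) left for manual review:")
    for raw in leftovers:
        print("  " + raw)
```

Feeding the real `messages` file in place of `SAMPLE_LOG` and extending the known-prefix set as each pattern is understood gives the same shrinking "new stuff" file the post describes, without a chain of intermediate grep outputs.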
    