On Tue, 2003-10-21 at 20:10, Tina Bird wrote:
>
> i can imagine doing something kind of ugly like pushing a new copy of the
> ruleset into the system logs every time it changes, but i figured i should
> ask -- has anyone found a more elegant way of dealing with this problem?

It's *very* product-specific, but with iptables you can do something like this:

iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix " SYNFINSCAN "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,FIN -j REJECT --reject-with icmp-host-unreachable
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN -d 0/0 --dport 1433:1434 -j LOG --log-prefix " MS_SQL "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN -d 0/0 --dport 1433:1434 -j REJECT --reject-with icmp-host-unreachable
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN -d 0/0 --dport 17300 -j LOG --log-prefix " KUANG2_SCAN "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN -d 0/0 --dport 17300 -j REJECT --reject-with icmp-host-unreachable

and the logs come out looking like this:

Oct 19 07:58:36 gw1 kernel: KUANG2_SCAN IN=eth0 OUT=eth1 SRC=172.170.221.49 DST=10.10.10.10 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=37626 DF PROTO=TCP SPT=1899 DPT=17300 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 19 10:52:03 gw1 kernel: KUANG2_SCAN IN=eth0 OUT=eth1 SRC=69.132.76.152 DST=10.10.10.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=32450 DF PROTO=TCP SPT=4579 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0

Makes it pretty clear as to what was dropped and why.

> in the long run, does it matter much? that is, if i decide i need to make
> sense of a set of connections in six months or a year, do i really need to
> know what rule caused the action?

I personally have not run into this (usually pretty clear from the traffic pattern as to why it was permitted or dropped), but what I do use it for is daily log review.

With all the above traffic patterns neatly labeled, it becomes far easier to parse the logs with automated scripts as well as set up keyword centralized alerting.

HTH,
Chris

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Wed Oct 22 2003 - 01:20:53 PDT
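The "automated scripts" and "keyword centralized alerting" that Chris mentions are easy to build once every LOG rule carries a distinct prefix. The script below is an added example, not code from the post or from any of the list participants: it parses iptables LOG lines of the exact shape shown above into the prefix, the KEY=VALUE packet fields and the bare flag tokens (DF, SYN), tabulates hits per prefix and source for a daily review, and flags both prefixes seen more than a threshold number of times and any prefix that is not on the known list (a new rule that nobody added to the review script, or a typo in a --log-prefix). The sample input is constructed: the two KUANG2_SCAN lines quoted in the post, one made-up MS_SQL line in the same format with a placeholder source address, and one unrelated sshd line that the parser must ignore. The set of known prefixes is taken from the rules in the post; the threshold and the function names are the example's own. One practical caveat when choosing prefixes: the LOG target caps --log-prefix at 29 characters, so keep labels short and unambiguous.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the two KUANG2_SCAN lines quoted in the post, one
# made-up MS_SQL line in the same format (172.16.0.5 is a placeholder address),
# and one unrelated sshd line that the parser must skip.
SAMPLE_LOG = """\
Oct 19 07:58:36 gw1 kernel: KUANG2_SCAN IN=eth0 OUT=eth1 SRC=172.170.221.49 DST=10.10.10.10 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=37626 DF PROTO=TCP SPT=1899 DPT=17300 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 19 10:52:03 gw1 kernel: KUANG2_SCAN IN=eth0 OUT=eth1 SRC=69.132.76.152 DST=10.10.10.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=32450 DF PROTO=TCP SPT=4579 DPT=17300 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 19 11:03:11 gw1 kernel: MS_SQL IN=eth0 OUT=eth1 SRC=172.16.0.5 DST=10.10.10.10 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=101 DF PROTO=TCP SPT=3200 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 19 11:04:00 gw1 sshd[123]: Accepted publickey for admin from 10.0.0.2 port 50000 ssh2
"""

# The --log-prefix values from the rules in the post. Any other prefix that
# shows up with a packet dump after "kernel:" is reported separately so a new
# rule, or a mistyped prefix, is noticed during review rather than silently ignored.
KNOWN_PREFIXES = {"SYNFINSCAN", "MS_SQL", "KUANG2_SCAN"}

# syslog timestamp, host, "kernel:", the prefix token, then the IN=... packet dump.
# " +" after "kernel:" tolerates the extra space that a leading-space prefix produces.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: +"
    r"(?P<prefix>[A-Za-z0-9_]+) +(?P<rest>IN=.*)$"
)


def parse_line(line):
    """Return a dict for one iptables LOG line, or None for any other syslog line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    fields, flags = {}, []
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)   # "OUT=" (INPUT chain) yields v == ""
            fields[k] = v
        else:
            flags.append(tok)          # bare tokens: DF, SYN, ACK, ...
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": m.group("prefix"), "fields": fields, "flags": flags}


def parse_log(text):
    """Parse a whole syslog extract, dropping lines that are not LOG-target output."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def hits_by_prefix_and_source(events):
    """prefix -> Counter of SRC addresses: the table a daily log review starts from."""
    table = defaultdict(Counter)
    for ev in events:
        table[ev["prefix"]][ev["fields"].get("SRC", "?")] += 1
    return table


def alerts(events, threshold):
    """Keyword-style alerting on the prefixes: any prefix seen at least
    `threshold` times, plus any prefix that is not in KNOWN_PREFIXES."""
    counts = Counter(ev["prefix"] for ev in events)
    out = [(p, n) for p, n in counts.items() if n >= threshold]
    out += [(p, n) for p, n in counts.items() if p not in KNOWN_PREFIXES]
    return sorted(set(out))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for prefix, srcs in hits_by_prefix_and_source(evs).items():
        print(prefix, dict(srcs))
    print("alerts:", alerts(evs, threshold=2))
```

Because the prefix is the first token after `kernel:`, the same script works unchanged when a rule is added: only KNOWN_PREFIXES needs a new entry, and until it gets one the unknown prefix surfaces in the alert list instead of disappearing into the noise.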