Re: Advanced Logging

[Mart Frauenlob <mart.frauenlob@chello.at>]

On 03.06.2010 22:17, netfilter-owner@vger.kernel.org wrote:
> On 03.06.2010 20:15, ratheesh k wrote:
>> 2010/5/30 Tomáš Vlček <tomasvlcek@gmail.com>:
> 
> 
>>>>           I have implemented  firewall  in my linux machine using
>>>> iptables . It is able to prevent attacks and LOG just before dropping
>>>> packets . Since i know a little about iptables , i could go thru
>>>> /var/log/messages and find out information about attacks . Is there
>>>> any application which will analyze logs and  give a brief information
>>>> to user about the attacks  ?
>>>>
>>>> For example , suppose there was a syn flood attack ,the application
>>>> should analyse the /var/log/messages or by some means should know
>>>> about the attack and let the user know about that .If there is no
>>>> application ,  could you give some hints on how to develop an
>>>> application .Any comment is  appreciated .
> 
> 
>>> Maybe psad (Port Scan Attack Detector) is that what are you looking
>>> for. Check http://cipherdyne.org/psad/index.html.
>>
>> I gone through the link . It seems to be heavy for my embedded
> application .
>>
>> My embedded box is a router with two inerfaces - wan0 and lan0 . I
>> should get information regarding various attacks tried on lan clients
>> .I have some implementation in mind .(see below )
>>
>> 1  Is there any tool fit my requirement or  there any tool , i can do
>> a little  modification in code   and use .
>> 2 . Is my idea feasible to implement ? . Is it worth implementing ,
>> because it is run as part of softirq_rx kernel thread . Will it dampen
>> performance ?
>> 3 . Could i do this as part of connection tracking module . If , could
>> you guide  a little ?
>>
> snort (snort.org) comes into my mind here.
> afaik it has the ability to create inline iptables rules.
> maybe worth a look?
> 

Reading again, I think the answer was too short.

Doing it all on one embedded device might itself be not that safe.
Besides the effect that the resources maybe limited.
Saved logs on a compromised host could be modified.

Now if you simply analyze logs some time after the attack has happened
it may be a bit late, even if an application has sent you an email or
such, you might read it ~12 hours later.
In most cases you only catch the most obvious 'noisy' attack flood/scan.
Well you could send an abuse mail, worth the hassle?
You couldn't really do much interactively.

If you are after a pure iptables log message parser for a single host,
things might be limited to some awk/grep/shell/etc... script for pretty
printing.
Most things I've seen would at least require some webserver and/or
database in the background. Many focus on a larger scope/network.

You might just try a search on freshmeat.net or sf.net for i.e.
'iptables log analyzer' or similar.
I.e. I know arnos-iptables-firewall (not that I use that as my nf
generator) has a pretty printing script shipping with it.

So the next step would be some sort of IDS.
But this may also be overkill for your device. I can't tell.
Running a snort instance with inline functionality would give you not
just an opportunity to react to a wider range of attacks (L7) much more
gracefully, also there is a wide range of logging options (and backend
analyze tools available, which of course require more resources and
should be placed on separate hosts - i.e. BASE, or Prelude (with snort
as sensor)).
Doing only minimal text logging for important events might give enough
information without overloading your device.

Just some thoughts.
Hope it helps.

Mart