event-driven connection tracking

event-driven connection tracking

[Mr Dash Four]

Is it possible to use event-driven connection tracking - with 
conntrack-utils or by other means?

Ideally, what I would like to do is 'register' a handler for particular 
connection events (when new connection is established and then closed 
for example) based on particular pre-defined filter (say, by protocol, 
source/destination ip etc) and execute a program code/function (if done 
programmatically) or a script (if done outside the connection-tracking 
domain) to do what I want?

Currently, the only way to track such 'events' is if I include a 
separate chain in iptables tracking a particular connection (and logging 
the event via a normal log jump), but that is not enough for me as I 
also need to trigger a full dump based on that particular 'filter' and 
end this dump when the connection is closed. Any ideas?

Re: event-driven connection tracking

[Jan Engelhardt]

On Wednesday 2010-10-13 17:24, Mr Dash Four wrote:

> Is it possible to use event-driven connection tracking - with conntrack-utils
> or by other means?
>
> Ideally, what I would like to do is 'register' a handler for particular
> connection events (when new connection is established and then closed for
> example) based on particular pre-defined filter (say, by protocol,
> source/destination ip etc) and execute a program code/function (if done
> programmatically) or a script (if done outside the connection-tracking domain)
> to do what I want?

conntrack -Ee NEW,DESTROY

would list you the specified events as they happen. Combined with a 
script that reacts when a new line is outputted by conntrack should
do the trick.

Re: event-driven connection tracking

[Mr Dash Four]

>> Is it possible to use event-driven connection tracking - with conntrack-utils
>> or by other means?
>>
>> Ideally, what I would like to do is 'register' a handler for particular
>> connection events (when new connection is established and then closed for
>> example) based on particular pre-defined filter (say, by protocol,
>> source/destination ip etc) and execute a program code/function (if done
>> programmatically) or a script (if done outside the connection-tracking domain)
>> to do what I want?
>>     
>
> conntrack -Ee NEW,DESTROY
>
> would list you the specified events as they happen. Combined with a 
> script that reacts when a new line is outputted by conntrack should
> do the trick.
>   
That's not what I am after!

If I want to poll a text output every-so-often I can use 
/proc/net/nf_conntrack for that. I am after event-driven tracking 
(without the polling!), informing me when the conditions I initially set 
are satisfied (connection status, source IP, destination IP etc) and I 
pick up the rest (again, via a program interface or a script if there is 
no other choice). A bit like (ng-)cron, but with set filters which 
trigger the events (as oppose to timing as is the case with cron).

Re: event-driven connection tracking

[Jan Engelhardt]

On Thursday 2010-10-14 00:18, Mr Dash Four wrote:
>>> Is it possible to use event-driven connection tracking - with conntrack-utils
>>> or by other means?
>>> Ideally, what I would like to do is 'register' a handler for particular
>>> connection events (when new connection is established and then closed for
>>> example) based on particular pre-defined filter (say, by protocol,
>>> source/destination ip etc) and execute a program code/function (if done
>>> programmatically) or a script (if done outside the connection-tracking
>>> domain)
>>> to do what I want?
>>
>> conntrack -Ee NEW,DESTROY
>>
>> would list you the specified events as they happen. Combined with a script
>> that reacts when a new line is outputted by conntrack should
>> do the trick.
>>  
> That's not what I am after!
>
> If I want to poll a text output every-so-often I can use /proc/net/nf_conntrack

-E is event driven. (That's why it's got the "E".)

Re: event-driven connection tracking

[Pablo Neira Ayuso]

On 13/10/10 17:24, Mr Dash Four wrote:
> Is it possible to use event-driven connection tracking - with
> conntrack-utils or by other means?
> 
> Ideally, what I would like to do is 'register' a handler for particular
> connection events (when new connection is established and then closed
> for example) based on particular pre-defined filter (say, by protocol,
> source/destination ip etc) and execute a program code/function (if done
> programmatically) or a script (if done outside the connection-tracking
> domain) to do what I want?
> Currently, the only way to track such 'events' is if I include a
> separate chain in iptables tracking a particular connection (and logging
> the event via a normal log jump), but that is not enough for me as I
> also need to trigger a full dump based on that particular 'filter' and
> end this dump when the connection is closed. Any ideas?

You can use libnetfilter_conntrack for that:
http://www.netfilter.org/projects/libnetfilter_conntrack/index.html

There are several examples under utils/ in the tarballs that are
distributed.

Re: event-driven connection tracking

[Pablo Neira Ayuso]

On 14/10/10 00:56, Jan Engelhardt wrote:
> 
> On Thursday 2010-10-14 00:18, Mr Dash Four wrote:
>>>> Is it possible to use event-driven connection tracking - with conntrack-utils
>>>> or by other means?
>>>> Ideally, what I would like to do is 'register' a handler for particular
>>>> connection events (when new connection is established and then closed for
>>>> example) based on particular pre-defined filter (say, by protocol,
>>>> source/destination ip etc) and execute a program code/function (if done
>>>> programmatically) or a script (if done outside the connection-tracking
>>>> domain)
>>>> to do what I want?
>>>
>>> conntrack -Ee NEW,DESTROY
>>>
>>> would list you the specified events as they happen. Combined with a script
>>> that reacts when a new line is outputted by conntrack should
>>> do the trick.
>>>  
>> That's not what I am after!
>>
>> If I want to poll a text output every-so-often I can use /proc/net/nf_conntrack
> 
> -E is event driven. (That's why it's got the "E".)

Indeed, if you're looking for a tool to listen to event-driven conntrack
notifications, then what Jan suggests is the correct approach. If you
want to make your own handling application, you can use
libnetfilter_conntrack.

For logging, you can use ulogd2.

Re: event-driven connection tracking

[Mr Dash Four]

>> Is it possible to use event-driven connection tracking - with
>> conntrack-utils or by other means?
>>
>> Ideally, what I would like to do is 'register' a handler for particular
>> connection events (when new connection is established and then closed
>> for example) based on particular pre-defined filter (say, by protocol,
>> source/destination ip etc) and execute a program code/function (if done
>> programmatically) or a script (if done outside the connection-tracking
>> domain) to do what I want?
>> Currently, the only way to track such 'events' is if I include a
>> separate chain in iptables tracking a particular connection (and logging
>> the event via a normal log jump), but that is not enough for me as I
>> also need to trigger a full dump based on that particular 'filter' and
>> end this dump when the connection is closed. Any ideas?
>>     
>
> You can use libnetfilter_conntrack for that:
> http://www.netfilter.org/projects/libnetfilter_conntrack/index.html
>   
THAT is exactly what I was after - program interface through which I can 
register the events I am interested in and handle them in my own way.

> There are several examples under utils/ in the tarballs that are
> distributed.
>   
Yep, conntrack_events.c and expect_events.c seem to be a good match and 
provide me with a decent skeleton on which to base my own code. Thanks 
for your input, much appreciated.

Re: event-driven connection tracking

[Mr Dash Four]

>>>> conntrack -Ee NEW,DESTROY
>>>>
>>>> would list you the specified events as they happen. Combined with a script
>>>> that reacts when a new line is outputted by conntrack should
>>>> do the trick.
>>>>  
>>>>         
>>> That's not what I am after!
>>>
>>> If I want to poll a text output every-so-often I can use /proc/net/nf_conntrack
>>>       
>> -E is event driven. (That's why it's got the "E".)
>>     
>
> Indeed, if you're looking for a tool to listen to event-driven conntrack
> notifications, then what Jan suggests is the correct approach. If you
> want to make your own handling application, you can use
> libnetfilter_conntrack.
>   
Making my own handling application was the preferred way, though I would 
have settled for text-based notifications through the stdin pipe (a bit 
clumsy, but doable). As it turns out libnetfilter_conntrack seems to 
provide me with what I need, so I would settle for that.

Another constraint I have (which I did not mention in my initial post) 
is that, for various reasons, I am using the 2.6.16.60 kernel - the 
libnetfilter_conntrack requirements suggest I can get away with it, is 
there anything in particular I should be aware of when installing/using 
this package with this kernel version (no, I am not in a position to 
upgrade - not yet!)?

> For logging, you can use ulogd2.
>   
I have been doing the logging and it is not what I need as the 'action' 
I take depends on what I find in the event matches - sometimes it is 
necessary to just log the necessary data, but sometimes I would need to 
initiate process scanning and full packet dumps on a particular 
connection - for that to just use logging won't be enough.

Re: event-driven connection tracking

[Pablo Neira Ayuso]

On 14/10/10 15:26, Mr Dash Four wrote:
> Another constraint I have (which I did not mention in my initial post)
> is that, for various reasons, I am using the 2.6.16.60 kernel - the
> libnetfilter_conntrack requirements suggest I can get away with it, is
> there anything in particular I should be aware of when installing/using
> this package with this kernel version (no, I am not in a position to
> upgrade - not yet!)?

Recommended kernel version is >= 2.6.18 (that's on the website and
docs). With such an old kernel version, I think that you may have
problems with NAT conntrack entries.

Let me know anyway how it goes, it would be interesting to know.