* Run a userspace script upon rule matching?
From: tobi @ 2012-03-08 12:45 UTC
To: netfilter
Hello list
my first post here so I hope I do not ask something which is so clear
that it doesn't have to be asked ;-)
As mentioned in the subject I want to run an external script upon matching
of a certain rule, but I have no idea how or even if it's possible at
all. I could achieve the "same" by logging those rules to the syslog and
regularly running a cron script that checks for those log lines. But it
would be much easier if I could tell netfilter to call an external
script upon matching.
Thanks for any hints and tips
tobi
* Re: Run a userspace script upon rule matching?
From: Andrew Beverley @ 2012-03-08 17:19 UTC
To: tobster; +Cc: netfilter
On Thu, 2012-03-08 at 13:45 +0100, tobi wrote:
> As mentioned in subject I want to run an external script upon matching
> of a certain rule.
I'm not aware of any way to do that. What exactly do you want to
achieve? It may be that there is another way of doing what you want.
Andy
* Re: Run a userspace script upon rule matching?
From: Abhi Devireddy @ 2012-03-08 18:00 UTC
To: Andrew Beverley; +Cc: tobster, netfilter
I'm fairly new to netfilter as well and this might or might not be helpful.
The netfilter hacking document available here:
http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO.txt
talks about the various hooks that a program can register for. Maybe
that would be a feasible way of calling a script.
The flow might look something like this: Call hook on packet receive
>> Check against filters >> [Perform your operations] >> Send out one
of the 5 statuses for what to do next (NF_ACCEPT, NF_DROP, ...).
I was in the same boat trying to find something that would call a
remote API endpoint for all packets that matched a filter.
Hope that helps,
Abhi
On Thu, Mar 8, 2012 at 11:19 AM, Andrew Beverley <andy@andybev.com> wrote:
> On Thu, 2012-03-08 at 13:45 +0100, tobi wrote:
>> As mentioned in subject I want to run an external script upon matching
>> of a certain rule.
>
> I'm not aware of any way to do that. What exactly do you want to
> achieve? It may be that there is another way of doing what you want.
>
> Andy
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
* Re: Run a userspace script upon rule matching?
From: tobi @ 2012-03-08 21:47 UTC
To: netfilter
On 08.03.2012 18:19, Andrew Beverley wrote:
> On Thu, 2012-03-08 at 13:45 +0100, tobi wrote:
>> As mentioned in subject I want to run an external script upon matching
>> of a certain rule.
> I'm not aware of any way to do that. What exactly do you want to
> achieve? It may be that there is another way of doing what you want.
>
> Andy
>
>
Okay, more details about my intention: I got a script that checks some
logs and acts upon violation by adding IPs to a separate chain via
iptables -A OFFENDERS -s IP -j DROP. So such IPs get blocked. Now I
thought about how I could find out if IPs from OFFENDERS come again. So
I put another chain into iptables (before the OFFENDERS), put in the IPs from
OFFENDERS and set the log target for each rule. But then I need a script
that reads the logs and searches for IPs from OFFENDERS. Too complex for
me :-)
So I thought it should somehow be possible to achieve that quite easily IF
I could add a script to be executed when a rule (that now goes to the log
target) matches. That's where I stand now :-)
All I "need" would be a way to execute a simple mailx command with the
offending IP and send a mail to myself.
Thanks for any input and ideas
tobi
* Re: Run a userspace script upon rule matching?
From: Andrew Beverley @ 2012-03-08 22:02 UTC
To: tobi; +Cc: netfilter
On Thu, 2012-03-08 at 22:47 +0100, tobi wrote:
> Okay, more details about my intention: I got a script that checks some
> logs and acts upon violation by adding IPs to a separate chain via
> iptables -A OFFENDERS -s IP -j DROP. So such IPs get blocked. Now I
> thought about how I could find out if IPs from OFFENDERS come again. So
> I put another chain into iptables (before the OFFENDERS), put in the IPs from
> OFFENDERS and set the log target for each rule. But then I need a script
> that reads the logs and searches for IPs from OFFENDERS. Too complex for
> me :-)
> So I thought it should somehow be possible to achieve that quite easily IF
> I could add a script to be executed when a rule (that now goes to the log
> target) matches. That's where I stand now :-)
> All I "need" would be a way to execute a simple mailx command with the
> offending IP and send a mail to myself.
Okay, a few ideas then:
1. Log the packets with a specific prefix, and use rsyslog with the Mail
Output Module and relevant configuration to alert you to such logs:
http://www.rsyslog.com/doc/ommail.html
2. Use ULOGD. I've never really used it myself, but you might be able to
create some sort of userspace program that alerts you.
3. Log the IP addresses to an IPSET, and use a cron job to check the
list of IP addresses in the set.
Just thoughts, but hopefully one of the above will work.
Andy
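tobi's OFFENDERS-plus-logging-chain setup from his message above, wired to Andy's first idea (log the hits with a fixed prefix and act on the log lines), as an added shell example that is not code from the thread. The chain name REPEATERS, the log prefix and the sample log lines are constructed for the example; only the log parser runs here, the iptables and mailx parts are functions meant for the firewall host.

```shell
#!/bin/sh
# Added example, not from the thread. OFFENDERS drops known offenders; a chain in
# front of it (REPEATERS, an assumed name) logs their hits with a fixed prefix,
# and a script watching the kernel log mails each returning offender once.
LOG_PREFIX="OFFENDER-RETRY: "   # assumed prefix; must match --log-prefix below

# Rules as tobi describes them, with the logging chain placed before OFFENDERS.
# Not executed in the demo; run install_rules <ip> as root on the firewall host.
install_rules() {
    ip="$1"
    iptables -N OFFENDERS 2>/dev/null
    iptables -N REPEATERS 2>/dev/null
    iptables -C INPUT -j REPEATERS 2>/dev/null || iptables -I INPUT 1 -j REPEATERS
    iptables -C INPUT -j OFFENDERS 2>/dev/null || iptables -I INPUT 2 -j OFFENDERS
    # -m limit keeps one returning offender from flooding the log (and the mailbox).
    iptables -A REPEATERS -s "$ip" -m limit --limit 1/min -j LOG --log-prefix "$LOG_PREFIX"
    iptables -A OFFENDERS -s "$ip" -j DROP
}

# Pull the distinct SRC= addresses out of kernel log lines carrying our prefix.
# Reads log text on stdin; prints one IPv4 address per line, first-seen order.
offender_ips() {
    grep -F "$LOG_PREFIX" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | awk '!seen[$0]++'
}

# Mail one alert per address (the mailx call tobi asked for).
# Not executed in the demo; feed it the output of offender_ips.
alert_each() {
    while IFS= read -r ip; do
        printf 'Blocked offender %s hit the firewall again\n' "$ip" \
            | mailx -s "netfilter: repeat offender $ip" root
    done
}

# Constructed sample log lines (not real traffic) to exercise the parser;
# the second line carries another rule's prefix and must be ignored.
SAMPLE_LOG='Mar  8 22:47:01 fw kernel: OFFENDER-RETRY: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar  8 22:47:05 fw kernel: OTHER-RULE: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=UDP SPT=53 DPT=53
Mar  8 22:47:09 fw kernel: OFFENDER-RETRY: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.1 PROTO=TCP SPT=41235 DPT=22
Mar  8 22:48:00 fw kernel: OFFENDER-RETRY: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.1 PROTO=TCP SPT=5555 DPT=25'

# Demo on the constructed lines: prints 198.51.100.23 and 203.0.113.77, each once.
printf '%s\n' "$SAMPLE_LOG" | offender_ips
```

On a live host the same parser can follow the log (for example `tail -F /var/log/kern.log | offender_ips | alert_each`), which is the cron-free variant of what tobi already does with syslog-ng.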
* Re: Run a userspace script upon rule matching?
From: tobi @ 2012-03-08 22:43 UTC
To: netfilter
On 08.03.2012 23:02, Andrew Beverley wrote:
> On Thu, 2012-03-08 at 22:47 +0100, tobi wrote:
>> Okay, more details about my intention: I got a script that checks some
>> logs and acts upon violation by adding IPs to a separate chain via
>> iptables -A OFFENDERS -s IP -j DROP. So such IPs get blocked. Now I
>> thought about how I could find out if IPs from OFFENDERS come again. So
>> I put another chain into iptables (before the OFFENDERS), put in the IPs from
>> OFFENDERS and set the log target for each rule. But then I need a script
>> that reads the logs and searches for IPs from OFFENDERS. Too complex for
>> me :-)
>> So I thought it should somehow be possible to achieve that quite easily IF
>> I could add a script to be executed when a rule (that now goes to the log
>> target) matches. That's where I stand now :-)
>> All I "need" would be a way to execute a simple mailx command with the
>> offending IP and send a mail to myself.
> Okay, a few ideas then:
>
> 1. Log the packets with a specific prefix, and use rsyslog with the Mail
> Output Module and relevant configuration to alert you to such logs:
That's how I actually do it: log it with a prefix; I just use syslog-ng.
>
> http://www.rsyslog.com/doc/ommail.html
>
> 2. Use ULOGD. I've never really used it myself, but you might be able to
> create some sort of userspace program that alerts you.
I tried to find information on whether ULOGD can really execute external
commands. To me it sounds more like logging to databases. But while
googling for ULOGD I found spectre, which seems to have a built-in
plugin EXEC which can run commands. I will give spectre the first chance
and if it's not working I'll try ULOGD.
> 3. Log the IP addresses to an IPSET, and use a cron job to check the
> list of IP addresses in the set.
>
> Just thoughts, but hopefully one of the above will work.
>
> Andy
Thanks a lot for your ideas. I think I can somehow achieve it, although
I do not know for sure which way to take. First I'll try spectre.
Cheers
tobi