LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Old 10-16-2011, 03:34 PM   #1
nkd
Member
 
Registered: Oct 2006
Location: india
Distribution: fedora 8, ubuntu 10.10
Posts: 315

Rep: Reputation: 34
detecting a port scan : using firewall logs


hi all,
I have a Cisco firewall (ASA 5520). It is logging to a txt file on a syslog server. Unfortunately I do not have any log analysis software.
So I tried out the simple
Quote:
grep -e 'pattern' filename > newfile
to do some analysis and extract meaningful data.
Now I wish to go a bit further and try to detect any port scanning activity that has taken place, from the txt file. Will that be possible using some command or series of commands at the shell prompt?

thanks in advance for any ideas
nishith
 
Old 10-16-2011, 08:14 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Without actual data (what does your text file look like?) you won't get many meaningful answers, I'm afraid.


Cheers,
Tink
 
Old 10-17-2011, 01:18 PM   #3
nkd
Member
 
Registered: Oct 2006
Location: india
Distribution: fedora 8, ubuntu 10.10
Posts: 315

Original Poster
Rep: Reputation: 34
I understand that, so here is a tiny chunk of my 240 MB of log file :-
Quote:
2011-10-03 08:17:48 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/135.0.3.207(49166) -> outside/TrendMicroAntivirusServer(80) hit-cnt 1 first hit [0x416cc9ed, 0x356de492]

2011-10-03 08:17:48 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/135.0.3.207(49167) -> outside/TrendMicroAntivirusServer(80) hit-cnt 1 first hit [0x416cc9ed, 0x356de492]

2011-10-03 08:19:23 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/Ops(49249) -> outside/SCCM_Server(80) hit-cnt 1 first hit [0x416cc9ed, 0xc210de33]

2011-10-03 08:19:24 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/Br(1214) -> outside/TrendMicroAntivirusServer(80) hit-cnt 1 first hit [0x416cc9ed, 0x3883536c]

2011-10-03 08:19:24 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/Ops(49250) -> outside/SCCM_Server(80) hit-cnt 1 first hit [0x416cc9ed, 0xc210de33]

2011-10-03 08:19:25 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/Br(1215) -> outside/TrendMicroAntivirusServer(80) hit-cnt 1 first hit [0x416cc9ed, 0x3883536c]

2011-10-03 08:19:25 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/Ops(49251) -> outside/SCCM_Server(80) hit-cnt 1 first hit [0x416cc9ed, 0xc210de33]

2011-10-03 08:19:26 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/Br(1216) -> outside/TrendMicroAntivirusServer(80) hit-cnt 1 first hit [0x416cc9ed, 0x3883536c]

2011-10-03 08:19:27 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/Br(1217) -> outside/TrendMicroAntivirusServer(80) hit-cnt 1 first hit [0x416cc9ed, 0x3883536c]

2011-10-03 08:19:28 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/Br(1218) -> outside/TrendMicroAntivirusServer(80) hit-cnt 1 first hit [0x416cc9ed, 0x3883536c]
Now my problem is: without probably having to go through the tens of thousands of lines of log, can I use some kind of script or command-line tool to extract only the relevant lines (port scan traffic) into some other file, so that I may then go through only a subset of the log and decide whether a port scan is in progress or otherwise?

thanks
nishith
 
Old 10-17-2011, 01:29 PM   #4
MANOHARNLINUX
LQ Newbie
 
Registered: Oct 2011
Posts: 9

Rep: Reputation: Disabled
Identify a unique string in the log file that appears in all the lines you want to filter, and use the following command.

grep "string" logfile > /tmp/outfile
 
Old 10-17-2011, 01:50 PM   #5
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Quote:
Originally Posted by nkd View Post
I understand that, so here is a tiny chunk of my 240 MB of log file :-


Now my problem is: without probably having to go through the tens of thousands of lines of log, can I use some kind of script or command-line tool to extract only the relevant lines (port scan traffic) into some other file, so that I may then go through only a subset of the log and decide whether a port scan is in progress or otherwise?

thanks
nishith
I'm not familiar w/ that log format; the IPs it shows - are they always just those pairs, basically ONE address? If so, it would be impossible to determine whether or not you're under attack, as ALL traffic seems to be from there.



Cheers,
Tink
 
Old 10-17-2011, 02:23 PM   #6
nkd
Member
 
Registered: Oct 2006
Location: india
Distribution: fedora 8, ubuntu 10.10
Posts: 315

Original Poster
Rep: Reputation: 34
Quote:
the IPs it shows - are they always just
those pairs, basically ONE address?
Not really! I picked up a fragment of the log, and so you see the IPs as the same. The log contains a large number of IPs.

My problem is how to detect a port scan: it would have the same source IP with incremental ports and SYN requests sent to a large number of different targets!
Now the question is how to create a search pattern with those criteria?

Thanks for all the responses.

bye
nishith
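A shell/awk pass that applies the criteria stated above (one source address, many distinct denied destinations) to the %ASA-2-106100 lines posted earlier. This is an added example, not code from the thread: the sample lines are constructed in that log layout, and the threshold of distinct host(port) destinations per source is a hypothetical tuning knob.

```shell
#!/bin/sh
# Constructed sample in the %ASA-2-106100 layout from the thread (not real log data):
# one host probing six distinct host(port) pairs, two hosts repeating a single denied destination.
sample_log() {
cat <<'EOF'
2011-10-03 08:17:48 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/135.0.3.207(49166) -> outside/TrendMicroAntivirusServer(80) hit-cnt 1 first hit [0x416cc9ed, 0x356de492]
2011-10-03 08:17:49 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/135.0.3.207(49167) -> outside/SCCM_Server(21) hit-cnt 1 first hit [0x416cc9ed, 0xc210de33]
2011-10-03 08:17:49 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/135.0.3.207(49168) -> outside/SCCM_Server(22) hit-cnt 1 first hit [0x416cc9ed, 0xc210de33]
2011-10-03 08:17:50 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/135.0.3.207(49169) -> outside/SCCM_Server(23) hit-cnt 1 first hit [0x416cc9ed, 0xc210de33]
2011-10-03 08:17:50 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/135.0.3.207(49170) -> outside/SCCM_Server(25) hit-cnt 1 first hit [0x416cc9ed, 0xc210de33]
2011-10-03 08:17:51 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/135.0.3.207(49171) -> outside/SCCM_Server(445) hit-cnt 1 first hit [0x416cc9ed, 0xc210de33]
2011-10-03 08:19:23 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/Ops(49249) -> outside/SCCM_Server(80) hit-cnt 1 first hit [0x416cc9ed, 0xc210de33]
2011-10-03 08:19:24 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/Ops(49250) -> outside/SCCM_Server(80) hit-cnt 1 first hit [0x416cc9ed, 0xc210de33]
2011-10-03 08:19:25 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/Ops(49251) -> outside/SCCM_Server(80) hit-cnt 1 first hit [0x416cc9ed, 0xc210de33]
2011-10-03 08:19:24 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/Br(1214) -> outside/TrendMicroAntivirusServer(80) hit-cnt 1 first hit [0x416cc9ed, 0x3883536c]
2011-10-03 08:19:25 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/Br(1215) -> outside/TrendMicroAntivirusServer(80) hit-cnt 1 first hit [0x416cc9ed, 0x3883536c]
EOF
}

# detect_scans MIN [FILE]: print "source distinct_targets total_denies" for every source that
# was denied to at least MIN distinct host(port) destinations (reads stdin when FILE is omitted).
# Repeated denies to one destination (Ops, Br) stay at 1 distinct target and are not flagged.
detect_scans() {
  awk -v min="$1" '
    /%ASA-2-106100:/ && / denied / {
      src = dst = ""
      for (i = 2; i < NF; i++) if ($i == "->") { src = $(i-1); dst = $(i+1) }
      if (src == "") next
      n = split(src, a, "/"); src = a[n]; sub(/\(.*$/, "", src)   # iface/host(port) -> host
      n = split(dst, b, "/"); dst = b[n]                          # iface/host(port) -> host(port)
      if (!((src, dst) in seen)) { seen[src, dst] = 1; targets[src]++ }
      denies[src]++
    }
    END { for (s in targets) if (targets[s] >= min) printf "%s %d %d\n", s, targets[s], denies[s] }
  ' "${2:--}" | LC_ALL=C sort
}

sample_log | detect_scans 5    # prints: 135.0.3.207 6 6
```

On the real 240 MB file, run `detect_scans 20 /path/to/asa.log` and then `grep 'inside/<flagged-host>(' asa.log` to pull only that source's lines into a file for review; raising MIN trims noisy hosts that merely retry one blocked service.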
 
Old 10-17-2011, 02:34 PM   #7
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Rep: Reputation: 910
Quote:
Originally Posted by nkd View Post
Not really! I picked up a fragment of the log, and so you see the IPs as the same. The log contains a large number of IPs.

My problem is how to detect a port scan: it would have the same source IP with incremental ports and SYN requests sent to a large number of different targets!
Now the question is how to create a search pattern with those criteria?

Thanks for all the responses.

bye
nishith

Can you explain the layout of the network that we're looking at here?
Is this snippet outgoing or incoming traffic that's being blocked?


Code:
2011-10-03 08:17:48 Local0.Critical 135.0.0.4 135.0.0.4 %ASA-2-106100: access-list inside_access_in denied tcp inside/135.0.3.207(49166) -> outside/TrendMicroAntivirusServer(80) hit-cnt 1 first hit [0x416cc9ed, 0x356de492]
Can you elaborate on what the bits in colour are? While the names kind of suggest that 135.x.x.x is internal, those IPs aren't in a private range, which is kind of strange.


Cheers,
Tink
 
Old 10-18-2011, 05:57 AM   #8
nkd
Member
 
Registered: Oct 2006
Location: india
Distribution: fedora 8, ubuntu 10.10
Posts: 315

Original Poster
Rep: Reputation: 34
About the NW :-
I have a standalone NW which is in the address space of 135.0.0.0/24.
I have multiple VLANs configured on it - 135.0.1.0/24, 135.0.13.0/24 and so on.
This NW is behind the firewall, which has the IP 135.0.0.4.
I have created obj (IP address) groups in the firewall and given them identifiers like br, ops, etc. So you see these entries in the rule.
The remainder is quite self-explanatory.

regards
nishith
 
Old 10-18-2011, 09:35 PM   #9
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mint, OpenBSD
Posts: 11,333
Blog Entries: 12

Rep: Reputation: 2729
I would be mildly surprised if you did not find evidence of port scanning activity.

Random port scans go on all the time everywhere.