LinuxQuestions.org
Old 12-14-2008, 06:25 AM   #1
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 870

Need help understanding log entries


Ladies & Gents

I am trying to make sense of what I am seeing in my logs but I am not finding the answers I am looking for via google. Most of the entries in my logs look like the ones below. The problem is that I don't understand what these lines mean.

Code:
Dec 13 14:13:24 hiveserver kernel: [896006.906172] Inbound IN=eth1 OUT= MAC=00:40:05:08:23:ff:00:13:5f:06:6d:05:08:00 SRC=38.117.69.88 DST=xx.xx.xx.xx LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=38381 PROTO=UDP SPT=63690 DPT=61524 LEN=111

or

Dec 13 14:13:26 hiveserver kernel: [896008.712367] Inbound IN=eth1 OUT= MAC= SRC=xx.xx.xx.xx DST=96.42.155.255 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=22

I get what some of the parts mean, like 'Inbound', 'IN', 'SRC', etc. Let's take TOS=0x00: I get that it is the type of service, http or whatever, but what service is associated with 0x00? I assume that LEN is length and TTL is time to live. Don't know PREC, ID, DF, PROTO, LEN, DPT. I haven't been able to find the page I saw one day that had a basic description, though limited, of what some of them were. Does anyone have a link to such a page?

I also notice that in the first example there is a MAC that is 14 pairs long. All of the MACs I have had to deal with are much shorter than that. Is this a spoofed MAC? Or maybe part of the new IPv6?

Most of the time these hourly emails are 3 to 5k in size, but sometimes they are 15 to 20k. Usually there are 2 or 3 computers accessing the web through my router, but there may be twice that many at any one time. I suppose a little info about the router is in order. Debian Lenny, up to date as of last week. Firestarter built the firewall, but there is some kind of bug in the GUI that causes the GUI to crash all the time; the rules keep working, and so far I have had no problems that I know of.

The biggest question is 'Are these log entries something to be concerned about or not?'

If not, then how do I stop them from filling up my logs?

Thanks
 
Old 12-14-2008, 07:38 AM   #2
colucix
LQ Guru
 
Registered: Sep 2003
Location: Bologna
Distribution: CentOS 6.5 OpenSuSE 12.3
Posts: 10,509

These entries are common iptables/netfilter logs. You made me realize that it's not easy to find complete documentation about the log format, or at least I was not able to find it. Anyway, I found this page, which can answer some of your questions (the length of the MAC address, for example).
 
Old 12-14-2008, 07:44 AM   #3
x_terminat_or_3
Member
 
Registered: Mar 2007
Location: Plymouth, UK
Distribution: Fedora Core, RHEL, Arch
Posts: 342

PROTO, LEN, DPT

PROTO is protocol: tcp, udp, icmp, ...

LEN is length of packet

DPT is destination port

For TOS (Type of Service), see Wiki article http://en.wikipedia.org/wiki/Type_of_Service

DF may be `don't fragment'

To turn off the logging, you'll have to edit your firewall rules. This can be both tricky and daunting, especially on a production server.
 
Old 12-14-2008, 08:00 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Nice doc, also see http://iptables-tutorial.frozentux.n...-tutorial.html.

As for the first log line, it's inbound UDP with both ports ephemeral, so there's not much to say about impact unless you know what service it was attached to (think output of 'netstat -anupe'). The second line at least has port 138, so 'getent services 138' should show it's SMB-ish traffic. Also note that you can use, for instance, the Dshield database to see if incoming packets are from well-known offenders. Finally, for entries that don't reveal typical scan flags, scanning behaviour or use of known ports, you don't get much info unless you examine the payload. That could easily be done running an IDS like Snort.

Wrt logging, if you have it you probably have it for good reasons, so turning it off for arbitrary reasons like it being a nuisance is not what I would suggest. Better tweak *what* you log.
 
Old 12-14-2008, 02:32 PM   #5
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Whezzy, Jessie
Posts: 870

Original Poster
Thanks colucix, that really helped with the MAC thing and should help with some of the others too when I get a chance to dig into it.

x_terminat_or_3, thanks, I hadn't thought about looking at the wiki. I still am not getting my mind around how the whole number thing works.

unSpawn, I ran 'netstat -anupe' but I don't know how to use that info to parse the log file to find a connection between the two. I am assuming that I would need to use current entries in the log file to match up with the results of the command.

'getent services 138' yielded 'netbios-dgm 138/tcp' but there again I don't know what to make of it except that in this instance tcp is using port 138.

Am I understanding that this logging is wrt logging? I did not enable it, so it must have been done by one of the security packages I installed, firestarter, snort, logcheck, or one of the others that I can't recall at the moment.

I am not sure that I want to change the way the logs are done right now. What I really want is to learn to understand what they are telling me. These log entries came from the second linux router I set up and I am trying to become reasonably competent in maintaining one while I set up the next one, which will be my production unit.

I can tell by some of these entries that they are related to activity originating from my network. Is it possible to tell from these types of entries if this is someone trying to break into my router?

Once again, thanks for the help.
 
  

