Need help understanding log entries

rbees · 12-14-2008, 05:25 AM

Ladies & Gents

I am trying to make sense of what I am seeing in my logs but I am not finding the answers I am looking for via google. Most of the entries in my logs look like the ones below. The problem is that I don't understand what these lines mean.

Code:

Dec 13 14:13:24 hiveserver kernel: [896006.906172] Inbound IN=eth1 OUT= MAC=00:40:05:08:23:ff:00:13:5f:06:6d:05:08:00
SRC=38.117.69.88 DST=xx.xx.xx.xx LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=38381 PROTO=UDP
SPT=63690 DPT=61524 LEN=111

or

Dec 13 14:13:26 hiveserver kernel: [896008.712367] Inbound IN=eth1 OUT= MAC= SRC=xx.xx.xx.xx DST=96.42.155.255 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138
LEN=22

I get what some of the parts mean like 'inbound, IN, src, etc. Let's take TOS=0x00, I get that it is the type of service, http or what ever, but what service is associated with 0x00? I assume that LEN is length, TTL is time to live. Don't know PREC, ID, DF, PROTO, LEN, DPT. I haven't been able to find the page I saw one day that had a basic description, though limited, of what some of them were. Does any one have a link to such a page?

I also notice that in the first example there is a mac that is 14 pairs long. All of the mac's I have had to deal with are much shorter than that. Is this a spoofed mac? Or maybe part of the new ip6?

Most of the time these hourly emails are 3 to 5k in size but some times they are 15 to 20k. Usually there are 2 or 3 comps accessing the web through my router but there may be twice that many at any one time. I suppose a little info about the router is in order. Debian Lenny Up to date as of last week. Firestarter built the firewall but their is some kind of bug in the gui that causes the gui to crash all the time but the rules keep working and so far I have had no problems that I know of.

The biggest question is 'Are these log entries something to be concerned about or not?'

If not, then how do I stop them from filling up my logs?

Thanks

colucix · 12-14-2008, 06:38 AM

These entries are common iptables/netfilter logs. You made me to realize that it's not easy to find a complete documentation about the log format, or at least I was not able to find it out. Anyway, I found this page which can answer some of your questions (the length of the MAC address, for example).

x_terminat_or_3 · 12-14-2008, 06:44 AM

PROTO, LEN, DPT

Proto is protcol, tcp, udp, icmp,...

LEN is length of packet

DPT is destination port

For TOS (Type of Service), see Wiki article http://en.wikipedia.org/wiki/Type_of_Service

DF may be `don't fragment'

To turn off the logging, you'll have to edit your firewall rules, this can be both tricky and daunting, specially on a production server.

unSpawn · 12-14-2008, 07:00 AM

Nice doc, also see http://iptables-tutorial.frozentux.n...-tutorial.html.

As for the first log line it's inbound UDP with both ports are ephemeral, so there's not much to say about impact unless you know what service it was attached to (think output of 'netstat -anupe'). The second line at least has port 138 so 'getent services 138' should show it's SMB-ish traffic. Also note that you can use for instance the Dshield database to see if incoming packets are from well-known offenders. Finally for entries that don't reveal typical scan flags, scanning behaviour or use known ports you don't get much info unless you examine the payload. That could easily be done running an IDS like Snort.

Wrt logging, if you have it you probably have it for good reasons, so turning it off for arbitrary reasons like it being a nuisance is not what I would suggest. Better tweak *what* you log.

rbees · 12-14-2008, 01:32 PM

Thanks colucix that really helped with the mac thing and should help with some of the others too when I get a chance to dig into it.

x terminat or 3 Thanks I hadn't thought about looking at the wiki. I still am not getting my mind around how the whole number thing works.

unSpawn I ran 'netstat -anupe' but I don't know how to use that info to parse the log file to find a connection between the two. I am assuming that I would need to use current entries in the log file to match up with the results of the command.

'getent services 138' yielded 'netbios-dgm 138/tcp' but there again I don't know what to make of it except that in this instance tcp is using port 138.

Am I understanding that this logging is wrt logging? I did not enable it, so it must have been done by one of the security packages I installed, firestarter, snort, logcheck, or one of the others that I can't recall at the moment.

I am not sure that I want to change the way the logs are done right now. What I really want is to learn to understand what they are telling me. These log entries came from the second linux router I set up and I am trying to become reasonably competent in maintaining one while I set up the next one, which will be my production unit.

I can tell by some of these entries that they are related to activity originating form my network. Is it possible to tell from these type of entries if this is someone trying to break into my router?

Once again thank for the help.