LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
Old 04-26-2005, 09:46 AM   #1
G-Fox
Member
 
Registered: Jul 2003
Location: Lithuania
Posts: 45

Rep: Reputation: 15
What is the best way to log traffic through a firewall?


Hello, everybody who reads this message.

What is the best way to log traffic through a firewall?
I have a Linux box with NAT (one external IP) and got mail from my ISP saying that my external IP is infected by a virus. They sent me logs of the virus activity, but on my Linux box I don't keep any logs and can't find which internal PC is infected... So I decided to start logging everything to find out in future which PC is infected.

Thanks for any answer.
 
Old 04-26-2005, 11:41 AM   #2
weegolo
LQ Newbie
 
Registered: Apr 2005
Location: Singapore
Distribution: Fedora Core 2 & 3
Posts: 12

Rep: Reputation: 0
That depends....

First of all, did they tell you what virus they think you have? If so, go to one of the anti-virus vendors' websites (e.g. www.sarc.com) and search for that particular virus - it should tell you many details about how you can tell if you're infected, and so on. I presume the internal boxes are Windows boxes?

Secondly, many viruses fake the senders' address: so just because the ISP thinks you're infected doesn't mean you are. Again, the description of the particular virus on the a-v vendor's website should tell you whether or not it behaves like this.

Alternatively, log in as root and run 'tethereal' (you may need to install it first). That shows you what packets are going through your network interfaces - it's probably easier to do this here than at the firewall. If you know what you're looking for (you say the ISP sent you sample logs?), then pipe the output through grep and you'll see what's happening soon enough.

For example:
root> tethereal -i eth0 | grep 69.50.188.180
...(where eth0 is your outside interface) should show up traffic to the ip address 69.50.188.180, which is a potential symptom of Trojan.Flush.C, which Symantec currently report as one of the top five virus threats.

However if you do want to log outgoing traffic at the firewall, then that depends on which firewall you use. I use iptables, and I would do something like this:

iptables -A INPUT -i $internal_interface -m state --state NEW -j LOG --log-prefix "IPT_NEW_INT: "
iptables -A INPUT -i $internal_interface -m state --state NEW -j ACCEPT

The first line logs the traffic, the second line allows it through.

Then just keep an eye on the logs:
root> tail -f /var/log/messages | grep IPT_NEW_INT
...should show up any new outbound connections being initiated. This is my least recommended method of checking, as it's the least likely to succeed.

If you tell us which virus they think you have, someone can tell you in a bit more detail what sort of thing to look for.

Hope this helps
Weegolo
 
Old 04-26-2005, 02:10 PM   #3
G-Fox
Member
 
Registered: Jul 2003
Location: Lithuania
Posts: 45

Original Poster
Rep: Reputation: 15
>I presume the internal boxes are Windows boxes?
Yes, you are right. There are Windows boxes.

The ISP said that I am infected with ToosoG and Bagle.BB.

This is a log example from my ISP:

Apr 20 2005 22:53:20 0 TCP x.x.x.x:1266 -> 210.51.168.59:80 2 80 B
Apr 20 2005 22:53:28 0 TCP x.x.x.x:1275 -> 81.169.145.70:80 5 393 B
Apr 20 2005 22:53:25 0 TCP x.x.x.x:1272 -> 195.20.225.126:80 5 396 B
Apr 20 2005 22:53:27 0 TCP x.x.x.x:1274 -> 192.67.198.55:80 5 396 B
Apr 20 2005 22:53:29 0 TCP x.x.x.x:1276 -> 192.67.198.7:80 6 452 B

x.x.x.x is my external IP.

>root> tethereal -i eth0 | grep 69.50.188.180
I am not an expert, but I think I can do the same with 'tcpdump'. If I am not right, please correct me.

For my firewall I use iptables too.
Imagine there are 150 Windows boxes and the traffic is quite big. The Linux box (router) has a Celeron 633MHz CPU. Will it be enough for such a job (logging traffic with iptables from 150 boxes)?

Thanks for your help Weegolo. I appreciate it.
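The two pieces of data in this thread fit together: the ISP report lists connections as seen from outside (source is the NAT address, so only the source port, destination and time survive), while an iptables LOG rule like the one weegolo suggests records the internal host that opened the same connection. The script below is an added example, not code from the thread or from either poster. It parses a report in the shape G-Fox pasted (re-joining lines wrapped after "->"), parses syslog lines as a LOG rule with --log-prefix "IPT_NEW_INT: " writes them, and joins the two on (source port, destination, destination port) within a two-minute window to name the internal host behind each reported connection. Assumptions, all labelled in the code: the LOG rule sits in the FORWARD chain with -i on the LAN interface (traffic routed through a NAT box traverses FORWARD, not INPUT), MASQUERADE kept the original source port (it does unless that port was already in use), the two clocks agree to within the window, the syslog year is 2005, and the report's last two columns are packets and bytes, which the thread never explains. Every sample line is constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# ---- constructed sample input (not captured from anyone's systems) ----
# ISP report in the shape G-Fox pasted: NAT address shown as x.x.x.x,
# entries wrapped after "->" as in the forum paste.
ISP_REPORT = """\
Apr 20 2005 22:53:20 0 TCP x.x.x.x:1266 ->
210.51.168.59:80 2 80 B
Apr 20 2005 22:53:28 0 TCP x.x.x.x:1275 ->
81.169.145.70:80 5 393 B
Apr 20 2005 22:53:25 0 TCP x.x.x.x:1272 ->
195.20.225.126:80 5 396 B
"""

# Syslog lines from an iptables LOG rule with --log-prefix "IPT_NEW_INT: ",
# assumed to sit in the FORWARD chain with -i on the LAN interface, so SRC is
# the internal host and SPT its pre-NAT source port. The last line is noise.
FIREWALL_LOG = """\
Apr 20 22:53:20 router kernel: IPT_NEW_INT: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=210.51.168.59 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=1266 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 20 22:53:25 router kernel: IPT_NEW_INT: IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=195.20.225.126 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=1272 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 20 23:40:01 router kernel: IPT_NEW_INT: IN=eth1 OUT=eth0 SRC=10.0.0.30 DST=81.169.145.70 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3 DF PROTO=TCP SPT=1275 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 20 22:53:26 router sshd[412]: Accepted publickey for admin from 10.0.0.2 port 50122 ssh2
"""

LOG_YEAR = 2005                      # syslog lines carry no year: assumed
LOG_PREFIX = "IPT_NEW_INT:"
FIELD_RE = re.compile(r"(\w+)=(\S*)")
ISP_RE = re.compile(
    r"^(?P<time>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<flag>\d+) (?P<proto>\w+) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<packets>\d+) (?P<bytes>\d+) B$")   # meaning of last two columns assumed


def unwrap(text):
    """Re-join report entries that were wrapped after the '->' arrow."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending:
            line, pending = pending + " " + line, ""
        if line.endswith("->"):
            pending = line
            continue
        lines.append(line)
    return lines


def parse_isp_report(text):
    records = []
    for line in unwrap(text):
        m = ISP_RE.match(line)
        if not m:
            continue                         # skip lines in another shape
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%b %d %Y %H:%M:%S")
        records.append(rec)
    return records


def parse_firewall_line(line):
    """Key=value fields of one LOG line, or None if it is not from our rule."""
    head, sep, rest = line.partition(LOG_PREFIX)
    if not sep:
        return None
    rec = dict(FIELD_RE.findall(rest))       # bare flags like DF or SYN are dropped
    rec["time"] = datetime.strptime(head[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return rec


def parse_firewall_log(text):
    return [r for r in map(parse_firewall_line, text.splitlines()) if r]


def attribute(isp_records, fw_records, tolerance=timedelta(seconds=120)):
    """For each ISP entry, the internal hosts whose logged NEW connection has the
    same (source port, destination, destination port) inside the time window.
    Ephemeral ports get reused, so a log line with the right ports but the wrong
    time yields no match rather than a wrong host."""
    index = defaultdict(list)
    for r in fw_records:
        index[(r["SPT"], r["DST"], r["DPT"])].append(r)
    matches = []
    for isp in isp_records:
        candidates = index.get((isp["sport"], isp["dst"], isp["dport"]), [])
        hosts = sorted({r["SRC"] for r in candidates
                        if abs(r["time"] - isp["time"]) <= tolerance})
        matches.append((isp, hosts))
    return matches


def suspects(matches):
    """How many ISP-reported connections each internal host accounts for."""
    return Counter(host for _, hosts in matches for host in hosts)


if __name__ == "__main__":
    m = attribute(parse_isp_report(ISP_REPORT), parse_firewall_log(FIREWALL_LOG))
    for isp, hosts in m:
        print(isp["time"], f'{isp["src"]}:{isp["sport"]} -> {isp["dst"]}:{isp["dport"]}',
              "internal host:", ", ".join(hosts) or "no log entry inside window")
    print("suspects:", dict(suspects(m)))
```

On a real box the two strings would be replaced with the text of the ISP's mail and the relevant part of /var/log/messages. The third constructed report entry deliberately has a log line with matching ports 47 minutes later, which the window rejects; widen the tolerance only if the router's clock and the ISP's are known to disagree.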
 
Old 04-26-2005, 07:52 PM   #4
weegolo
LQ Newbie
 
Registered: Apr 2005
Location: Singapore
Distribution: Fedora Core 2 & 3
Posts: 12

Rep: Reputation: 0
Oh well, if you've got 150 Windows boxes, then OF COURSE you have a virus somewhere! :-)

Those two viruses don't fake sources, so if your ISP says it's seen virus traffic from your network, it's probably right.

More details on the particular viruses are available at:
http://securityresponse.symantec.com...n.tooso.g.html
http://securityresponse.symantec.com...gle.av@mm.html
(Despite the slight difference in the name - Bagle.BB to Beagle.AV - they are the same virus. Your ISP is using McAfee, this info comes from Symantec, and they can't always agree on virus names)

Symantec says that, once every six hours, Tooso.g will try to download a file called "_re_file.exe" from an external site. I'm not sure about the log volumes - you may be right, doing it on iptables may be too much for your box. Instead, try using tcpdump as follows:

Code:
root@yourbox> tcpdump -i eth1 | grep -C 3 _re_file.exe >> infectedboxes.txt &
That will run tcpdump (the monitoring program) on network interface eth1, and only display output that contains the line "_re_file.exe" (plus 3 lines either side to give you some context), and send the output to a file called infectedboxes.txt. The "&" makes it run in the background. If your firewall does Network Address Translation, then make sure you're running this on your internal interface (the one facing the Windows boxes) so that you can tell which IP any virus traffic is coming from.

Leave that running for more than six hours, come back and have a look at the file and it should contain the IP address of the offending machine. Let me know if you need help with the output.
When you know what's happening, kill off the tcpdump process: use "pgrep tcpdump" to find what pid it's using, then "kill 5671" (or whatever pid it's using) to kill the process.

Hope this helps.
 
Old 04-27-2005, 07:05 AM   #5
G-Fox
Member
 
Registered: Jul 2003
Location: Lithuania
Posts: 45

Original Poster
Rep: Reputation: 15
Thanks for the information, weegolo.

There is one problem: I can't redirect STDOUT to a file. I just screened tcpdump.

I tried this:

root@mybox> tcpdump -Ani eth1 src net 10 | grep re_file.exe >> infected.txt &

and tested with wget by downloading re_file.exe, but the file infected.txt was empty.

Then I did everything again, just wrote the same command without redirection to a file:

root@mybox> tcpdump -Ani eth1 src net 10 | grep re_file.exe

When I tried to download re_file.exe again, it was detected and the information was written to STDOUT.

Any suggestions?
 
Old 04-27-2005, 07:27 AM   #6
weegolo
LQ Newbie
 
Registered: Apr 2005
Location: Singapore
Distribution: Fedora Core 2 & 3
Posts: 12

Rep: Reputation: 0
Doh! My fault

That command actually runs tcpdump, and pipes the results through 'grep redirected to infected.txt'. Which is meaningless in this context.
We want to run 'tcpdump piped through grep', and redirect the results to infected.txt.

Can't remember how to resolve it, so let's try the simpler version:
Code:
root@localhost>  tcpdump -Ani eth1 src net 10 | grep _re_file.exe
...which will take over that session/terminal. But you can always launch another one.
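The empty infected.txt has a simpler cause than the pipe structure: grep and tcpdump both use stdio, and when stdout is a file rather than a terminal they hold output in a block buffer of a few kilobytes until it fills or the process exits, so a handful of matching lines never reach the file while the capture is running. The script below is an added example, not code from the thread or from either poster; it shows the symptom and the fix without needing tcpdump or root, using a constructed stand-in that emits two lines and then keeps the pipe open. It assumes GNU grep (for --line-buffered) and a writable /tmp.

```shell
#!/bin/sh
# Added example (not from the thread): why "tcpdump ... | grep pattern >> file &"
# leaves the file empty for a long time, and how to fix it.
#
# The working form of the pipeline from the thread (GNU grep, run as root):
#
#   tcpdump -l -Ani eth1 src net 10 | grep --line-buffered _re_file.exe >> infected.txt &
#
# -l makes tcpdump flush after every line, --line-buffered does the same for grep.
# Without them both programs block-buffer because their stdout is not a terminal.

slow_source() {
    # Constructed stand-in for "tcpdump -A" output: one matching payload line,
    # one other line, then the capture stays open for two more seconds.
    printf 'GET /_re_file.exe HTTP/1.1\n'
    printf 'Host: 203.0.113.10\n'
    sleep 2
}

lines_visible_after_1s() {
    # $1: "buffered" or "linebuffered"; $2: output file.
    # Prints how many lines of $2 can be read while the source is still running.
    : > "$2"
    if [ "$1" = linebuffered ]; then
        slow_source | grep --line-buffered _re_file.exe >> "$2" &
    else
        slow_source | grep _re_file.exe >> "$2" &
    fi
    sleep 1
    wc -l < "$2" | tr -d ' '
    wait    # let the background pipeline finish before returning
}

out=/tmp/infected.$$
echo "plain grep, lines in file after 1s:           $(lines_visible_after_1s buffered "$out")"
echo "grep --line-buffered, lines in file after 1s: $(lines_visible_after_1s linebuffered "$out")"
rm -f "$out"
```

The first call reports 0 lines and the second 1: the match only appears in the file once grep is told to flush per line. The same applies to the `tail -f /var/log/messages | grep IPT_NEW_INT` idea earlier in the thread if its output is ever sent to a file rather than a terminal.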
 
Old 04-27-2005, 09:41 AM   #7
G-Fox
Member
 
Registered: Jul 2003
Location: Lithuania
Posts: 45

Original Poster
Rep: Reputation: 15
>...which will take over that session/terminal. But you can always launch another one.
It is more comfortable to use the 'screen' command: you can detach your screen and log off from the console. If you have never used 'screen', try it.

Thanks for your replies
 
  


All times are GMT -5. The time now is 02:43 PM.
