Hello, everybody who read this message

What is the best way to log traffic trough firewall?
I have linux box with NAT (one external ip) and get mail from my ISP what my external ip is infected by virus. They sent my logs of virus activity, but in my linux box I don't make any logs and can't find which internal pc is infected... So I decided to start logging everything to find out in future witch pc is infected.

Thanks for any answer.

First of all, did they tell you what virus they think you have? If so, go to one of the anti-virus vendors' websites (e.g. www.sarc.com) and search for that particular virus - it should tell you many details about how you can tell if you're infected, and so on. I presume the internal boxes are Windows boxes?

Secondly, many viruses fake the senders' address: so just because the ISP thinks you're infected doesn't mean you are. Again, the description of the particular virus on the a-v vendor's website should tell you whether or not it behaves like this.

Alternatively, log in as root and run 'tethereal' (you may need to install it first). That shows you what packets are going through your network interfaces - it's probably easier to do this here than at the firewall. If you know what you're looking for (you say the ISP sent you sample logs?), then pipe the output through grep and you'll see what's happening soon enough.

For example:
root> tethereal -i eth0 | grep 69.50.188.180
...(where eth0 is your outside interface) should show up traffic to the ip address 69.50.188.180, which is a potential symptom of Trojan.Flush.C, which Symantec currently report as one of the top five virus threats.

However if you do want to log outgoing traffic at the firewall, then that depends on which firewall you use. I use iptables, and I would do something like this:

iptables -A INPUT -i $internal_interface -m state --state NEW -j LOG --log-prefix "IPT_NEW_INT: "
iptables -A INPUT -i $internal_interface -m state --state NEW -j ACCEPT

The first line logs the traffic, the second line allows it through.

then just keep an eye on the logs:
root> tail -f /var/log/messages | grep IPT_NEW_INT
...should show up any new outbound connections being initiated. This is my least recommended method of checking, as it's the least likely to succeed.

If you tell us which virus they think you have, someone can tell you in a bit more detail what sort of thing to look for.

Hope this helps
Weegolo

>I presume the internal boxes are Windows boxes?
Yes, you are right. There are Windows boxes.

ISP sed that I am infected with ToosoG and Bagle.BB

This is log example from my ISP:

Apr 20 2005 22:53:20 0 TCP x.x.x.x:1266 ->
210.51.168.59:80 2 80 B
Apr 20 2005 22:53:28 0 TCP x.x.x.x:1275 ->
81.169.145.70:80 5 393 B
Apr 20 2005 22:53:25 0 TCP x.x.x.x:1272 ->
195.20.225.126:80 5 396 B
Apr 20 2005 22:53:27 0 TCP x.x.x.x:1274 ->
192.67.198.55:80 5 396 B
Apr 20 2005 22:53:29 0 TCP x.x.x.x:1276 ->
192.67.198.7:80 6 452 B

x.x.x.x my external ip.

>root> tethereal -i eth0 | grep 69.50.188.180
I am not an expert, but I think I can do same with 'tcpdump' if I am not right, please correct me.

For my firewall I use iptables too.
Imagine there are 150 Windows boxs and traffic is quite big. Linux box (router) have Celeron 633MHz CPU. Will it be enought for such job (log traffic with iptables from 150 boxs)?

Thanks for your help Weegolo. I appreciate it.

Oh well, if you've got 150 Windows boxes, then OF COURSE you have a virus somewhere! :-)

Those two viruses don't fake sources, so if your ISP says it's seen virus traffic from your network, it's probably right.

More details on the particular viruses are available at:
http://securityresponse.symantec.com...n.tooso.g.html
http://securityresponse.symantec.com...gle.av@mm.html
(Despite the slight difference in the name - Bagle.BB to Beagle.AV - they are the same virus. Your ISP is using McAfee, this info comes from Symantec, and they can't always agree on virus names)

Symantec says that, once every six hours, Tooso.g will try to download a file called "_re_file.exe" from an external site. I'm not sure about the log volumes - you may be right, doing it on iptables may be too much for your box. Instead, try using tcpdump as follows:

That will run tcpdump (the monitoring program) on network interface eth1, and only display output that contains the line "_re_file.exe" (plus 3 lines either side to give you some context), and send the output to a file called infectedboxes.txt. The "&" makes it run in the background. If your firewall does Network Address Translation, then make sure you're running this on your internal interface (the one facing the windows boxes) so that you can tell which IP any virus traffic is coming from.

Leave that running for more than six hours, come back and have a look at the file and it should contain the IP address of the offending machine. Let me know if you need help with the output.
When you know what's happening, kill off the tcpdump process: use "pgrep tcpdump" to find what pid it's using, then "kill 5671" (or whatever pid it's using) to kill the process.

Hope this helps.

Thanks for information weegolo.

There is one problem I can't redirect STDOUT to file. I just screened tcpdump.

I tried this:

root@mybox> tcpdump -Ani eth1 src net 10 | grep re_file.exe >> infected.txt &

and test with wget to download re_file.exe, but file infected.txt was empty.

then I done every thing again, just wrote same command without redirection to file:

root@mybox> tcpdump -Ani eth1 src net 10 | grep re_file.exe

when i tried download re_file.exe again. It was detected and information was writen to STDOUT.

any suggestions?

Doh! My fault

That command actually runs tcpdump, and pipes the results through 'grep redirected to infected.txt'. Which is meaningless in this context.
We want to run 'tcpdump piped through grep', and redirect the results to infected.txt.

Can't remember how to resolve, so let's try the simpler version:
...which will take over that session/terminal. But you can always launch another one.

>...which will take over that session/terminal. But you can always launch another one.
it is more confort to use screen command you can detach your screen and logoff from console If you never used 'screen' try it.

Thanks for your replies