LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-29-2003, 09:32 AM   #1
toovato
Member
 
Registered: Jul 2003
Location: Ft Lauderdale, FL
Distribution: debian
Posts: 48

Rep: Reputation: 15
logsnorter-0.2 iptables MAC address


Anyone familiar with logsnorter? A Perl script that runs through your syslog grabbing entries from iptables and drops those entries into your Snort DB. But the parsing is all screwed up, and it never looked for MAC addresses.

Original snippet of code:

if (/^(\w+)\s+([0-9]+) ([0-9]+):([0-9]+):([0-9]+) ([^\s]+) kernel: IN=(\w+[0-9]+) OUT= SRC=([0-9\.]+) DST=([0-9\.]+) LEN=([0-9]+) TOS=(\w+) PREC=(\w+) TTL=([0-9]+) ID=([0-9]+) PROTO=(\w+) SPT=([0-9]+) DPT=([0-9]+) WINDOW=([0-9]+) RES=(\w+) ([\w+\s]+)URGP=([1-9]+)/) {
#If we audited an incoming TCP packet


Well here is what syslog looks like:
Oct 29 03:08:59 noc kernel: input IN=eth0 OUT= MAC=00:20:78:1c:fe:b3:00:60:0f:4f:d3:e2:08:00 SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=11733 DF PROTO=TCP SPT=3845 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0

This is a dropped input packet. Notice the Perl script above has no idea that a MAC address is part of iptables logs. The script is also unaware of the word DF before the protocol, and that there is a space after SYN. So I changed it to:

if (/^(\w+)\s+([0-9]+) ([0-9]+):([0-9]+):([0-9]+) ([^\s]+) kernel: IN=(\w+[0-9]+) OUT= MAC=([a-f,0-9,:]+) SRC=([0-9\.]+) DST=([0-9\.]+) LEN=([0-9]+) TOS=(\w+) PREC=(\w+) TTL=([0-9]+) ID=([0-9]+) DF PROTO=(\w+) SPT=([0-9]+) DPT=([0-9]+) WINDOW=([0-9]+) RES=(\w+) ([\w+\s]+) URGP=([1-9]+)/) {
#If we audited an incoming TCP packet
print "it finally worked moron";

Needless to say I never see the output of that print statement.


Any help would be appreciated.

Brian Toovey
 
Old 10-29-2003, 10:33 AM   #2
Caba
LQ Newbie
 
Registered: Oct 2003
Location: UK
Distribution: Slackware
Posts: 17

Rep: Reputation: 0
I wrote something similar that tails my syslog file looking for iptables entries, and I used this for the MAC bit:

MAC=(\w[:\w]+)

With regard to DF, it's not always there. It depends on the flags set in the packet header. There are a few others you should be aware of as well. Have a look here for the full list of the iptables log format:
http://logi.cc/linux/netfilter-log-format.php3



Edit for typo.

Last edited by Caba; 10-29-2003 at 11:28 AM.
 
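Editor's note, with an added example that is not from logsnorter, from the original poster or from Caba's script. The posted regex can never match the sample line for two reasons that are easy to miss: the log has a --log-prefix string ("input ") between "kernel: " and "IN=", and "URGP=([1-9]+)" cannot match "URGP=0". More generally, a single rigid regex is the wrong tool for netfilter log lines, because MAC=, DF and the TCP flag words are all optional, UDP repeats LEN= after PROTO=, and ICMP repeats ID=. A parser that silently drops those lines is a detection gap. The Python below (my own code, not the Perl on this page) tokenises the line into key=value fields and bare flag words instead, keeps the IP-header fields separate from the transport-header fields so the repeated keys do not collide, and splits the 14-byte MAC= field into destination MAC, source MAC and EtherType. The sample lines are constructed for the example; the addresses are documentation ranges and the MACs are made up.

```python
import re
from typing import Dict, List, Optional

# Constructed sample syslog lines (not taken from the original post).
SAMPLE_LINES = [
    # INPUT chain, TCP SYN to port 135, DF bit set, MAC present, "input" log prefix
    "Oct 29 03:08:59 noc kernel: input IN=eth0 OUT= "
    "MAC=00:20:78:1c:fe:b3:00:60:0f:4f:d3:e2:08:00 SRC=192.0.2.10 DST=192.0.2.1 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=11733 DF PROTO=TCP SPT=3845 DPT=135 "
    "WINDOW=16384 RES=0x00 SYN URGP=0",
    # OUTPUT chain: no MAC, no DF, and UDP prints its own LEN= after PROTO=
    "Oct 29 03:09:01 noc kernel: output IN= OUT=eth0 SRC=192.0.2.1 DST=192.0.2.20 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=53 DPT=1025 LEN=40",
    # ICMP echo request: ID= appears twice (IP header id, then ICMP id)
    "Oct 29 03:09:05 noc kernel: input IN=eth0 OUT= "
    "MAC=00:20:78:1c:fe:b3:00:60:0f:4f:d3:e2:08:00 SRC=192.0.2.10 DST=192.0.2.1 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=42 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1",
    # Not a netfilter line at all; must be skipped, not mis-parsed
    "Oct 29 03:09:10 noc sshd[123]: Accepted publickey for brian from 192.0.2.10",
]

# syslog header, "kernel:", optional printk timestamp, optional --log-prefix
# text, then everything from the first "IN=" onwards.
HEADER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: (?:\[\s*\d+\.\d+\] )?(?P<prefix>.*?)(?P<rest>IN=.*)$"
)

# Fields worth converting to int; everything else (TOS=0x00, RES=0x00, ...) stays a string.
INT_KEYS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "TYPE", "CODE", "SEQ", "URGP"}


def split_mac(mac: str) -> Dict[str, str]:
    """The 14-byte MAC= field is destination MAC, source MAC, then the EtherType."""
    octets = mac.split(":")
    if len(octets) != 14:
        return {"raw": mac}
    return {
        "dst": ":".join(octets[0:6]),
        "src": ":".join(octets[6:12]),
        "ethertype": "0x" + "".join(octets[12:14]),
    }


def parse_netfilter_line(line: str) -> Optional[dict]:
    """Parse one syslog line; return None when it is not a netfilter log entry."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ip: Dict[str, object] = {}
    ip_flags: List[str] = []
    l4: Dict[str, object] = {}
    l4_flags: List[str] = []
    target, flags = ip, ip_flags
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key == "PROTO":
                target, flags = l4, l4_flags  # everything from here on is transport header
            if key == "MAC":
                val = split_mac(val)
            elif key in INT_KEYS and val:
                val = int(val)
            target.setdefault(key, val)
        elif tok.isupper():
            flags.append(tok)  # DF, MF, CE before PROTO; SYN, ACK, FIN, ... after it
    return {
        "timestamp": f"{m['month']} {m['day']} {m['time']}",
        "host": m["host"],
        "prefix": m["prefix"].strip(),
        "ip": ip,
        "ip_flags": ip_flags,
        "proto": l4.get("PROTO"),
        "l4": l4,
        "l4_flags": l4_flags,
    }


def parse_lines(lines: List[str]) -> List[dict]:
    """Parse many lines, dropping those that are not netfilter entries."""
    return [r for r in (parse_netfilter_line(ln) for ln in lines) if r is not None]


if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec["timestamp"], rec["prefix"], rec["proto"], rec["ip"]["SRC"], "->",
              rec["ip"]["DST"], rec["l4"].get("DPT"), rec["ip_flags"] + rec["l4_flags"])
```

The same tokeniser handles lines with or without MAC=, with or without DF, and with any combination of TCP flag words, so no line is dropped because one optional field is absent. When inserting into a database, keep the source MAC from the split field rather than the raw 14-byte string; on a LAN segment it is the only thing in the entry a spoofed SRC= address does not control.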
Old 10-29-2003, 10:38 AM   #3
toovato
Member
 
Registered: Jul 2003
Location: Ft Lauderdale, FL
Distribution: debian
Posts: 48

Original Poster
Rep: Reputation: 15
Thanks!

Will you be willing to pass along your script?

Brian
 
Old 10-29-2003, 11:01 AM   #4
Caba
LQ Newbie
 
Registered: Oct 2003
Location: UK
Distribution: Slackware
Posts: 17

Rep: Reputation: 0
Quote:
Originally posted by toovato

Will you be willing to pass along your script?
Sure, I'll put some useful comments in it when I get home from work and send it to you.
 
Old 10-29-2003, 11:02 AM   #5
toovato
Member
 
Registered: Jul 2003
Location: Ft Lauderdale, FL
Distribution: debian
Posts: 48

Original Poster
Rep: Reputation: 15
Thanks!
 
Old 10-29-2003, 11:07 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,492
Blog Entries: 54

Rep: Reputation: 2909
Quote:
Originally posted by Caba
Sure, I'll put some useful comments in it when I get home from work and send it to you.
Could you please post it here?
I'm sure the whole LQ community could benefit from it.
 
Old 10-29-2003, 03:08 PM   #7
Caba
LQ Newbie
 
Registered: Oct 2003
Location: UK
Distribution: Slackware
Posts: 17

Rep: Reputation: 0
Quote:
Originally posted by unSpawn
Could you please post it here?
I'm sure the whole LQ community could benefit from it.
Hehe, I doubt it.

Here's an example of it:
It splits up the log entry, cleans and sorts some bits up, and puts them into a database.

http://www.sdirs.ukshells.co.uk/iptableslogger.txt

The script craps itself when the logfile rotates, which I should fix, but I've got a lazy job that restarts it when it happens.
 
Old 10-29-2003, 08:22 PM   #8
Laptop2250
Member
 
Registered: Oct 2003
Posts: 131

Rep: Reputation: 15
I'm still new to Linux but I learn real quick. 1 hr ago I got a website for a binary for gcc; now my Red Hat 9.0 is all set up and ready...

ready for me to use and learn from the book "Anti-Hacker Tool Kit", which tells you how to protect your PC. And the best way to learn how to protect one's system is to learn what the bad guys do to get in. All programs in it are Linux programs, so anyway, posting the finished product can only help everyone learn to protect their systems.
 
Old 10-29-2003, 08:50 PM   #9
toovato
Member
 
Registered: Jul 2003
Location: Ft Lauderdale, FL
Distribution: debian
Posts: 48

Original Poster
Rep: Reputation: 15
Sounds stupid, but how would I make that run without the need of holding a shell hostage?

I would want to start it from /etc/init.d on bootup.

Thanks

I know I am pestering you, but could you show how you make it run after logrotate?

I will go install it now and let you know how it works.

Thanks for your help

Brian
 
Old 10-30-2003, 06:47 AM   #10
Caba
LQ Newbie
 
Registered: Oct 2003
Location: UK
Distribution: Slackware
Posts: 17

Rep: Reputation: 0
You can make it run in the background by calling it with a &, e.g. ./script &

I start the script on boot from /etc/rc.d/rc.local (Slackware). In Debian I believe you can have something similar, /etc/init.d/local.

I just have a cron job that runs after the logs rotate that finds the PID of the script, kills it, then restarts it.

You're probably better off adding this to the script to write its PID to a file:

# Write pid to file (die with the OS error if the file cannot be created)
open(my $pid_fh, '>', 'script.pid') or die "Cannot write script.pid: $!";
print $pid_fh "$$\n";
close($pid_fh);


then cron something like this (or maybe put it in /etc/logrotate.d/syslog?)

#!/bin/sh
# Restart the logger after rotation: kill the old instance by its recorded PID
kill "$(cat /path/to/script.pid)"
sleep 1
/path/to/script &
 
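Editor's note, with an added example that is not Caba's script or any code from this thread. The kill-and-restart job above works, but between the rename and the restart any line written to the old file is lost, and whatever was appended before the restart is re-read if the new process starts from the beginning. The usual fix is to make the tailer itself notice the rotation, the way tail -F does: after draining the current handle, stat the path, and if the inode has changed (logrotate renamed the old file and syslogd created a new one) finish the old handle and reopen the new file from the start. The Python below is my own illustration of that, written for Linux (it relies on a renamed file staying readable through an open handle); it also copes with a file truncated in place (logrotate's copytruncate) and with a line that is only half written when we read it. The scenario in simulate_rotation() is constructed in a temporary directory so it runs offline.

```python
import os
import tempfile
from typing import List, Optional


class RotationAwareTail:
    """Follow a log file across logrotate-style renames, like `tail -F`.

    poll() returns the complete lines appended since the previous poll.
    When the path now points at a different inode, the old handle is
    drained first and then the new file is opened from the start, so
    nothing written around the rotation is lost or read twice.
    """

    def __init__(self, path: str, from_start: bool = True) -> None:
        self.path = path
        self._fh = None
        self._inode: Optional[int] = None
        self._open(seek_end=not from_start)

    def _open(self, seek_end: bool) -> bool:
        try:
            fh = open(self.path, "rb")  # binary, so tell()/seek() arithmetic is exact
        except FileNotFoundError:
            return False  # renamed away and not recreated yet; retry on the next poll
        if seek_end:
            fh.seek(0, os.SEEK_END)
        self._fh = fh
        self._inode = os.fstat(fh.fileno()).st_ino
        return True

    def _drain(self) -> List[str]:
        """Read every complete line currently available on the open handle."""
        lines: List[str] = []
        if os.fstat(self._fh.fileno()).st_size < self._fh.tell():
            self._fh.seek(0)  # truncated in place (copytruncate): start over
        while True:
            raw = self._fh.readline()
            if not raw:
                break
            if not raw.endswith(b"\n"):
                # partial write in progress: rewind so the whole line is read next time
                self._fh.seek(self._fh.tell() - len(raw))
                break
            lines.append(raw.decode("utf-8", "replace").rstrip("\n"))
        return lines

    def poll(self) -> List[str]:
        lines: List[str] = []
        if self._fh is None and not self._open(seek_end=False):
            return lines
        lines.extend(self._drain())
        try:
            current_inode = os.stat(self.path).st_ino
        except FileNotFoundError:
            current_inode = None
        if current_inode != self._inode:
            # Rotated: the handle we hold is the renamed file, and it is drained.
            self._fh.close()
            self._fh = None
            if self._open(seek_end=False):
                lines.extend(self._drain())
        return lines


def simulate_rotation(workdir: str) -> List[str]:
    """Constructed scenario: write, rotate (rename + recreate), keep writing."""
    path = os.path.join(workdir, "syslog")
    with open(path, "w") as f:
        f.write("1: written before the tail started\n")
    tail = RotationAwareTail(path)
    got = tail.poll()
    with open(path, "a") as f:  # lands in the old file just before rotation
        f.write("2: appended to the old file just before rotation\n")
    os.rename(path, path + ".1")  # what logrotate does without copytruncate
    with open(path, "w") as f:  # syslogd recreates the file
        f.write("3: first line of the new file\n")
    got += tail.poll()
    with open(path, "a") as f:  # a line caught halfway through being written
        f.write("4: line that")
    got += tail.poll()  # returns nothing yet
    with open(path, "a") as f:
        f.write(" arrived in two writes\n")
    got += tail.poll()
    return got


def run_demo() -> List[str]:
    with tempfile.TemporaryDirectory() as workdir:
        return simulate_rotation(workdir)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

In a real daemon the poll() call sits in a loop with a short sleep, and each returned line goes to the parser and the database insert. The PID file and rc.local start-up from the post are still useful for stopping and starting the daemon; they just stop being the mechanism that survives logrotate.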