Iptables log Exploration
Besides controlling network access, the main job of a firewall is to record that access precisely and write the records to a log. The log format differs from vendor to vendor, but the core content is the same; the logs produced by the PIX, ASA and CheckPoint firewalls discussed later carry similar information. Every connection or request, whether TCP, UDP or ICMP, is reflected in the firewall log: the connection record, its traffic volume, when it was established, and so on. In short, a firewall log entry generally contains the source IP address of the packet, its destination IP address, the direction of the flow, the packet headers (and sometimes content), and the application or service involved.
A firewall generates a large volume of log data every day, and raw, unprocessed logs are very hard for an administrator to manage. Log statistics and analysis have therefore become an essential firewall function. Administrators can search and audit the logs by different criteria, and can also analyze network bandwidth utilization, the mix of protocols, and port usage. Firewall logs are also the source of security alerts and other information useful for network security management, which greatly helps the administrator keep control of what the firewall is doing.
This article uses iptables on Linux as its example. The following is a typical iptables log entry.
Jun 19 17:20:04 web kernel: NEW_DRAP IN=eth0 OUT= MAC=00:10:4b:cd:7b:b4:00:e0:1e:b9:04:a1:08:00 SRC=192.168.150.1 DST=192.168.150.152 LEN=20 TOS=0x00 PREC=0x00 TTL=249 ID=10492 DF PROTO=UDP SPT=53 DPT=32926 LEN=231
The fields are described in Table 1.

Table 1  iptables log field description

No.  Field                                         Description
 1   Jun 19 17:20:04                               Date and time, added by syslog (not by netfilter).
 2   web                                           Host name, added by syslog.
 3   kernel:                                       The message comes from the kernel log facility (kern), because netfilter runs in the kernel; klogd/syslogd write it to the log file.
 4   NEW_DRAP                                      User-defined record prefix, set on the rule with --log-prefix "NEW_DRAP".
 5   IN=eth0                                       Interface the packet arrived on. Empty if the packet was generated locally. May also be a bridge interface such as br0.
 6   OUT=                                          Interface the packet would leave on. Empty if the packet is addressed to the local host.
 7   MAC=00:10:4b:cd:7b:b4:00:e0:1e:b9:04:a1:08:00  The 14-byte Ethernet header as one colon-separated string: 00:10:4b:cd:7b:b4 is the destination MAC address, 00:e0:1e:b9:04:a1 is the source MAC address.
 8   08:00                                         The last two bytes of the MAC field are the EtherType; 0x0800 means IPv4.
 9   SRC=192.168.150.1                             Source IP address.
10   DST=192.168.150.152                           Destination IP address.
11   LEN=20                                        Total length of the IP datagram in bytes (header plus payload), taken from the IP header. It is not the MTU.
12   TOS=0x00                                      Type of Service field of the IP header, which carries quality-of-service hints such as delay, throughput and reliability.
13   PREC=0x00                                     Precedence bits of the TOS field.
14   TTL=249                                       IP time to live.
15   ID=10492                                      IP identification field, used when reassembling fragments.
16   DF                                            Don't Fragment flag is set. For fragmented packets MF (more fragments) or FRAG:offset may appear instead.
17   PROTO=UDP                                     Transport-layer protocol (TCP, UDP, ICMP, AH, ESP, ...). It decides which of the following fields are printed.
18   SPT=53                                        Source port.
19   DPT=32926                                     Destination port.
20   LEN=231                                       UDP only: the UDP length field, i.e. UDP header plus payload, not just the header length.
21   SEQ=(omitted)                                 TCP sequence number (TCP only).
22   ACK=(omitted)                                 TCP acknowledgement number.
23   WINDOW=(omitted)                              TCP window size (from the TCP header, not the IP header).
24   RES=0x00                                      The reserved bits of the TCP header.
25   CWR/ECE/URG/ACK/PSH/RST/SYN/FIN               TCP flags. Only the flags that are set are printed, as bare words.
26   URGP=                                         TCP urgent pointer.
27   OPT (omitted)                                 IP or TCP options, in hexadecimal.
28   INCOMPLETE [65535 bytes]                      The header was truncated; only the given number of bytes was available to decode.
29   TYPE= CODE= ID= SEQ= PARAMETER=               ICMP fields (type, code, echo identifier and sequence number, parameter), printed when PROTO=ICMP.
30   SPI=0xF1234567                                Security Parameter Index, printed when PROTO is AH or ESP.
31   SYN                                           The SYN flag among the TCP flags of row 25, alongside FIN/ACK/RST/URG/PSH.
32   [ ]                                           Square brackets appear in two places: in ICMP error messages they enclose the header of the original packet that triggered the error, decoded recursively; with INCOMPLETE they give the number of bytes actually available.
II. Log format considerations
Table 1 shows that an iptables log line carries a lot of information in a rather messy form. Analysis runs into the following problems:
(1) The MAC field is too compact: destination MAC, source MAC and EtherType are concatenated into one string, which is hard to read.
(2) The TOS and PREC fields (rows 12 and 13) are almost always 0x00, so they carry little information.
(3) The log records headers, not packet payloads. For rejected packets especially, the payload would help identify the attack technique.
(4) The line does not say which rule matched. Without a distinct --log-prefix per rule it is difficult to tell why a packet was recorded.
(5) Some field names repeat within a single line: LEN appears for the IP total length and again for the UDP length, and for ICMP echo packets ID appears for the IP identification and again for the ICMP identifier. A parser must keep the two apart by position, or the second value silently overwrites the first.
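As an added example (not code from the original article), the Python below parses lines in the format described in Table 1 and resolves the pitfalls listed above: it splits the MAC field into destination MAC, source MAC and EtherType, keeps both copies of a repeated LEN or ID, treats DF/SYN/ACK and friends as flags, and then produces the per-prefix, protocol, port and source tallies that the log-analysis sections call for, plus a count of sources that send only bare SYNs. The sample lines are constructed for this example and modelled on the article's entries; the field names L4_LEN and ICMP_ID and the assumed syslog line shape are this example's own.

```python
"""Parse netfilter/iptables LOG lines (added example; not from the article).

Resolves the parsing pitfalls from Section II:
  * MAC= is split into destination MAC, source MAC and EtherType
  * a repeated LEN or ID is renamed (L4_LEN, ICMP_ID) instead of overwriting
  * value-less tokens (DF, MF, SYN, ACK, ...) are collected as flags
L4_LEN and ICMP_ID are this example's own names, not netfilter's.
Nested ICMP error headers ("[SRC=... ]") are not unwrapped.
"""
import re
from collections import Counter

# Assumed syslog shape: "Mon DD HH:MM:SS host kernel: [optional uptime] msg".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?:\[ *[\d.]+\] )?(?P<msg>.*)$"
)
# Either KEY=VALUE (value may be empty, as in "OUT=") or a bare flag word.
TOKEN_RE = re.compile(r"(\S+?)=(\S*)|(\S+)")
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
# Keys netfilter prints twice for some protocols, and the name for the 2nd copy.
SECOND_COPY = {"LEN": "L4_LEN", "ID": "ICMP_ID"}


def parse_line(line):
    """Return a dict for one iptables log line, or None if it is not one."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    start = msg.find("IN=")            # everything before IN= is the --log-prefix
    if start < 0:
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host"),
           "prefix": msg[:start].strip(), "flags": []}
    body = re.sub(r"OPT \(", "OPT=(", msg[start:])   # "OPT (hex)" -> one token
    for key, val, bare in TOKEN_RE.findall(body):
        if bare:
            rec["flags"].append(bare)
            continue
        if key in SECOND_COPY and key in rec:
            key = SECOND_COPY[key]     # second LEN / ID: keep both values
        rec[key] = val
    octets = rec.get("MAC", "").split(":")
    if len(octets) == 14:              # 6 dst + 6 src + 2 EtherType
        rec["dst_mac"] = ":".join(octets[:6])
        rec["src_mac"] = ":".join(octets[6:12])
        rec["ethertype"] = "".join(octets[12:])   # "0800" = IPv4
    return rec


def parse_log(text):
    """Parse a whole log file, skipping lines that are not iptables records."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def summarize(records):
    """Tallies by prefix, protocol, destination port and source, plus sources
    that only ever send bare SYNs (what a port scan looks like in this log)."""
    s = {k: Counter() for k in
         ("by_prefix", "by_proto", "by_dport", "by_src", "syn_only_by_src")}
    for r in records:
        proto = r.get("PROTO", "?")
        s["by_prefix"][r["prefix"]] += 1
        s["by_proto"][proto] += 1
        s["by_src"][r.get("SRC", "?")] += 1
        if "DPT" in r:
            s["by_dport"][(proto, int(r["DPT"]))] += 1
        if proto == "TCP" and (set(r["flags"]) & TCP_FLAGS) == {"SYN"}:
            s["syn_only_by_src"][r["SRC"]] += 1
    return s


# Constructed sample, modelled on the article's lines (not real traffic).
SAMPLE_LOG = """\
Jun 19 17:20:04 web kernel: NEW_DRAP IN=eth0 OUT= MAC=00:10:4b:cd:7b:b4:00:e0:1e:b9:04:a1:08:00 SRC=192.168.150.1 DST=192.168.150.152 LEN=251 TOS=0x00 PREC=0x00 TTL=249 ID=10492 DF PROTO=UDP SPT=53 DPT=32926 LEN=231
Sep 23 10:16:14 web kernel: iptables icmp-localhost IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=57148 SEQ=256
Jun 19 17:21:00 web kernel: HACKERS IN=eth0 OUT= MAC=00:10:4b:cd:7b:b4:00:e0:1e:b9:04:a1:08:00 SRC=203.0.113.9 DST=192.168.150.152 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B4)
Jun 19 17:21:01 web kernel: HACKERS IN=eth0 OUT= MAC=00:10:4b:cd:7b:b4:00:e0:1e:b9:04:a1:08:00 SRC=203.0.113.9 DST=192.168.150.152 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4322 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B4)
Jun 19 17:21:03 web kernel: HACKERS IN=eth0 OUT= MAC=00:10:4b:cd:7b:b4:00:e0:1e:b9:04:a1:08:00 SRC=198.51.100.7 DST=192.168.150.152 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=777 DF PROTO=TCP SPT=51515 DPT=443 WINDOW=65535 RES=0x00 ACK PSH URGP=0
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["prefix"], r.get("PROTO"), r.get("SRC"), "->", r.get("DPT"), r["flags"])
    for name, counter in summarize(recs).items():
        print(name, dict(counter))
```

To run it on real data, pass the contents of /var/log/iptables.log to parse_log; filtering by prefix, which the next section does with grep, is then just a comparison on rec["prefix"], and the duplicate LEN/ID values from point (5) are preserved as L4_LEN and ICMP_ID instead of being lost.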
III. Log analysis
On Linux you can send the iptables records to their own file by adding the following line to /etc/syslog.conf (on systems that use rsyslog, the same line goes in /etc/rsyslog.conf or a file under /etc/rsyslog.d/):
kern.warning    /var/log/iptables.log
Note that this selector catches every kernel message of priority warning or higher, not only netfilter lines; it works because the LOG target writes at priority warning by default. Then restart the syslog service:
# /etc/init.d/syslog restart
To make the log easier to analyze, give each LOG rule a distinctive prefix. The LOG target asks the kernel to record every matching packet, and its --log-prefix option prepends a string of up to 29 characters to each record. A good prefix identifies which rule fired and makes the records easy to pick out, for example with grep. If a rule logs with the prefix HACKERS, the matching records can be pulled out of iptables.log with grep HACKERS; any other string works the same way. Netfilter prints the prefix immediately before the IN= field, so end the prefix with a space to keep the two apart.
The -j LOG target writes to syslog at the priority chosen with --log-level. By default that is warning, so with the stock syslog configuration the records land in /var/log/messages (or /var/log/kern.log on some distributions), mixed in with everything else, which is inconvenient for analysis. The following is a brief example of separating, rotating and reviewing iptables logs.
iptables is installed by default on almost every Linux distribution. Its log records are kernel messages, handled by klogd/syslogd (and also readable with dmesg). The default priority of a LOG record is warning (=4); to change it, set --log-level on the rule, and edit syslog.conf to decide where records of that priority are written.
The default /etc/logrotate.conf rotates logs weekly, so once a logrotate entry exists for the new file the current week's records are in /var/log/iptables.log and earlier weeks' records in iptables.log.1, iptables.log.2 and so on, up to the count set by the rotate directive.
You can also produce records directly with iptables. Two rules are needed, and the order matters: LOG is a non-terminating target, so the packet continues to the next rule, where DROP discards it. If the DROP rule came first, nothing would be logged.
# iptables -A INPUT -s 127.0.0.1 -p icmp -j LOG --log-prefix "iptables icmp-localhost "
    * log ICMP packets from 127.0.0.1 (the trailing space keeps the prefix apart from IN=)
# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
    * then drop them
After these two rules are in place and 127.0.0.1 is pinged, /var/log/iptables.log contains lines like the following (note that ID appears twice: first the IP identification, then the ICMP echo identifier):
Sep 23 10:16:14 hostname kernel: iptables icmp-localhost IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=57148 SEQ=256
Going through syslog this way is clumsy. The ulogd daemon instead receives the packets directly from the kernel over netlink (the ULOG target, or its successor NFLOG with ulogd2) and writes them out in user space, which is more efficient and gives a cleaner format. First install the ulogd package:
# apt-get install ulogd
Then view the iptables log, as shown in Figure 1.
IV. Graphical analysis tools
Understanding the structure and meaning of the log is the foundation, but at today's data volumes you need tool support to get the job done. Several graphical analysis tools are recommended below.
1) OSSIM
In the OSSIM USM version, logs can be normalized and displayed as charts, as shown in Figure 2.
2) Firewall Analyzer
Firewall Analyzer is a web-based firewall log analysis system that needs no agent installation. It supports multiple firewall devices on the network, handles monitoring, log collection and analysis, and presents the results as reports. With Firewall Analyzer a network security administrator can quickly obtain key information such as bandwidth usage and security events, and so manage the network more effectively. The security event information typically available includes intrusion detection, virus attacks, denial-of-service attacks and other abnormal network behavior. Firewall Analyzer can analyze the logs of multiple firewalls, including Cisco PIX, ASA and CheckPoint. Figure 3 shows the traffic analysis interface of Firewall Analyzer.
3) Sawmill
Sawmill runs on Unix, Linux, Windows and other platforms. It supports some 900 log formats and is a centralized, cross-platform log reporting system that collects logs centrally and generates reports in Chinese (both simplified and traditional). Its simple interface lets users analyze netfilter logs intuitively and build and customize reports with a few clicks, as shown in Figures 4 and 5.