Iptables log search and iptables search
I. Iptables Log Exploration
Besides controlling network access, a firewall's main job is to record that access clearly and to generate and store logs automatically. Although the log format varies from vendor to vendor, the core information recorded is essentially the same; the logs produced by the PIX, ASA and CheckPoint firewalls discussed later are similar. Every connection or request (TCP, UDP or ICMP connection records, connection traffic, connection establishment time, and so on) is reflected in the firewall log. In summary, a firewall log generally records the source IP address of the message, its destination IP address, its direction, its content, and the application.
A firewall generates a large number of log entries every day, and it is very hard for an administrator to manage such a volume without processing and analysis. Log statistics and analysis are therefore now an essential firewall function: administrators can not only search and audit logs according to different requirements, but also analyse network bandwidth utilization, protocol mix, and port usage. Firewall logs also yield security warnings and other information useful for network security management, which greatly helps the administrator keep the firewall under control.
This document uses iptables on Linux as its example of firewall logging. The following is an iptables log entry.
Jun 19 17:20:04 web kernel: NEW_DRAP IN=eth0 OUT= MAC=00:10:4b:cd:7b:b4:00:e0:1e:b9:04:a1:08:00 SRC=192.168.150.1 DST=192.168.150.152 LEN=20 TOS=0x00 PREC=0x00 TTL=249 ID=10492 DF PROTO=UDP SPT=53 DPT=32926 LEN=231
The fields of this entry are described in Table 1.
Table 1 iptables log field description
| No. | Field | Description |
|---|---|---|
| 1 | Jun 19 17:20:24 | Date and time, added by syslog |
| 2 | web | Host name |
| 3 | kernel | The entry was generated by the kernel and recorded by syslogd; this shows that netfilter runs in the kernel |
| 4 | NEW_DRAP | Record prefix chosen by the user with --log-prefix "NEW_DRAP" |
| 5 | IN=eth0 | Interface on which the packet arrived. Empty means the packet was generated locally. Interfaces include eth0 and br0 |
| 6 | OUT= | Interface through which the packet left. Empty means the packet was received by the local machine |
| 7 | MAC=00:10:4b:cd:7b:b4:00:e0:1e:b9:04:a1 | 00:10:4b:cd:7b:b4 is the destination MAC address; 00:e0:1e:b9:04:a1 is the source MAC address |
| 8 | 08:00 | Ethernet type; indicates the IP protocol |
| 9 | SRC=192.168.150.1 | Source IP address |
| 10 | DST=192.168.150.152 | Destination IP address |
| 11 | LEN=20 | Total length of the IP packet: header plus carried data (MTU) |
| 12 | TOS=0x00 | Type of service field in the IP header, reflecting the requested service quality: latency, reliability and congestion |
| 13 | PREC=0x00 | Precedence field of the type of service |
| 14 | TTL=249 | IP packet time to live |
| 15 | ID=10492 | IP packet identification |
| 16 | DF | DF means do not fragment. This field may also be MF or FRAG |
| 17 | PROTO=UDP | Transport-layer protocol type, i.e. the upper-layer protocol: TCP, UDP, ICMP and so on |
| 18 | SPT=53 | Source port number |
| 19 | DPT=32926 | Destination port number |
| 20 | LEN=231 | Length field of the transport-layer header |
| 21 | SEQ= (content omitted) | TCP sequence number |
| 22 | ACK= (content omitted) | TCP acknowledgement number |
| 23 | WINDOW= (content omitted) | Window size |
| 24 | RES | ECN bits value in the TCP flags |
| 25 | CWR/ECE/URG/ACK/PSH/RST/SYN/FIN | TCP flags |
| 26 | URGP= | Urgent pointer |
| 27 | OPT (content omitted) | IP or TCP options, in hexadecimal |
| 28 | INCOMPLETE [65535 bytes] | Incomplete packet |
| 29 | TYPE= CODE= ID= SEQ= PARAMETER= | Present when the protocol is ICMP |
| 30 | SPI=0xF1234567 | Present when the protocol is AH or ESP |
| 31 | SYN | SYN flag among the TCP flags; FIN/ACK/RST/URG/PSH are shown the same way |
| 32 | [ ] | Brackets appear in two places: recursively, for the protocol header carried inside an ICMP message, and, when the packet length is invalid, to indicate the actual data length |
II. Notes on the LOG format
From the description in Table 1 it is clear that an iptables log entry carries a great deal of information in a cluttered layout. Analysis runs into the following problems:
(1) The MAC field is too compact. Destination MAC, source MAC and type are run together, which makes it hard to read.
(2) In rows 12 and 13 of the table, TOS and PREC are both 0x00.
(3) The packet content is not recorded, which matters especially for rejected packets. Recording the content would help identify attack methods.
(4) No rule number is recorded, so for a logged packet it is hard to tell which condition it matched.
(5) LEN and DPT are easily confused when analysing and processing logs, because the same names are used for the IP header and the TCP header.
III. Log Analysis
On Linux, iptables messages can be written to their own file by editing /etc/syslog.conf and adding the line:
kern.warning  /var/log/iptables.log
Then restart the syslog service:
# /etc/init.d/syslog restart
To make log analysis easier, add a suitable log prefix. The LOG target in iptables makes the kernel record matching packets, and its --log-prefix option prepends a message prefix of up to 29 characters to each record. The prefix makes records easier to identify, for example when filtering matching records with grep. The following is an example. On the Linux server, enter the following command:
Next, check the entries with the HACKERS prefix in the iptables.log file. Of course, you can replace the prefix with other content.
The "-j LOG" target sets the log level, and syslog places messages of that level into the specified log file. By default they go to /var/log/messages, which is inconvenient for analysis. This section briefly describes an example of managing, rotating and automatically reporting iptables logs.
iptables is installed by default in almost all Linux distributions. Its logging is handled by the kernel together with the dmesg or syslogd facility. The default log level of iptables messages is warn (=4); to change it, edit syslog.conf.
The default /etc/logrotate.conf rotates logs weekly, so the current week's entries are in /var/log/iptables.log and earlier ones in iptables.log.1 through iptables.log.50.
You can also have iptables produce the log entries directly. The operation is as follows:
# iptables -A INPUT -s 127.0.0.1 -p icmp -j LOG --log-prefix "iptables icmp-localhost"
* Record the matching packets;
# iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
* Drop the matching packets;
After these two commands, /var/log/iptables-log.1 will contain entries like the following:
Sep 23 10:16:14 hostname kernel: iptables icmp-localhost IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=57148 SEQ=256
The above method is cumbersome. The ulog tool can instead deliver the log entries directly to user space over netlink, which is more efficient. First install the ulogd package:
# apt-get install ulogd
Then view the iptables log, as shown in Figure 1.
Figure 1 Viewing iptables logs with ulog
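The field layout in Table 1, the two ambiguities raised in section II (the run-together MAC field and the duplicated LEN key), and the prefix-then-grep workflow of section III can all be handled by a small parser. The following is an added example written for this page; it is not code from the article or from any of the tools mentioned. It assumes the standard syslog header shown above, splits the 14-octet MAC value into destination, source and Ethernet type, and assigns every key that appears after PROTO= to the transport layer, which is what disambiguates the two LEN (and two ID) fields. The three sample lines are constructed: the first two follow the entries quoted in the article with their spacing repaired, and the third is an invented TCP entry with a documentation-range source address.

```python
"""Parse and summarise iptables LOG lines (added example, not from the article)."""
import re
from collections import Counter

# Constructed sample. Lines 1-2 follow the entries quoted in the article (spacing
# repaired); line 3 is invented (203.0.113.0/24 documentation range) to show a
# TCP entry with flags and a WINDOW field.
SAMPLE_LOG = """\
Jun 19 17:20:04 web kernel: NEW_DRAP IN=eth0 OUT= MAC=00:10:4b:cd:7b:b4:00:e0:1e:b9:04:a1:08:00 SRC=192.168.150.1 DST=192.168.150.152 LEN=20 TOS=0x00 PREC=0x00 TTL=249 ID=10492 DF PROTO=UDP SPT=53 DPT=32926 LEN=231
Sep 23 10:16:14 hostname kernel: iptables icmp-localhost IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=57148 SEQ=256
Jun 19 17:21:30 web kernel: HACKERS IN=eth0 OUT= MAC=00:10:4b:cd:7b:b4:00:e0:1e:b9:04:a1:08:00 SRC=203.0.113.7 DST=192.168.150.152 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# syslog header, then the user prefix (may contain spaces), then the netfilter
# fields, which always start with IN=.  An optional "[12345.678] " printk
# timestamp between "kernel:" and the prefix is skipped.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?:\[\s*\d+\.\d+\] )?(?P<prefix>.*?) ?(?P<fields>IN=.*)$"
)


def split_mac(value):
    """Split the 14-octet MAC= value into (dst_mac, src_mac, ethertype).

    netfilter concatenates destination MAC, source MAC and the Ethernet type,
    which is what makes the raw field hard to read (section II, point 1).
    """
    parts = value.split(":")
    if len(parts) != 14:
        return value, "", ""          # unexpected layout: leave the value as-is
    return ":".join(parts[:6]), ":".join(parts[6:12]), "".join(parts[12:])


def parse_entry(line):
    """Return a dict with the syslog header, IP-level and transport-level fields.

    Keys that occur twice (LEN, ID) are disambiguated by position: everything
    before PROTO= describes the IP header, everything after it the transport
    header (section II, point 5).  Bare tokens (DF, SYN, ACK, ...) are flags.
    Returns None for lines that are not netfilter LOG entries.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    entry = {
        "time": m["ts"], "host": m["host"], "prefix": m["prefix"].strip(),
        "ip": {}, "l4": {}, "flags": [],
    }
    layer = entry["ip"]
    for token in m["fields"].split():
        key, has_eq, value = token.partition("=")
        if not has_eq:
            entry["flags"].append(key)
        elif key == "MAC":
            dst, src, ethertype = split_mac(value)
            entry["ip"].update(MAC_DST=dst, MAC_SRC=src, ETHERTYPE=ethertype)
        elif key == "PROTO":
            entry["ip"]["PROTO"] = value
            layer = entry["l4"]       # later keys belong to the transport header
        else:
            layer[key] = value
    return entry


def entries_with_prefix(lines, prefix):
    """The grep-by-prefix step of section III, applied to parsed entries."""
    return [e for e in map(parse_entry, lines) if e and e["prefix"] == prefix]


def summarize(lines):
    """Basic statistics an administrator wants from a batch of LOG entries."""
    entries = [e for e in map(parse_entry, lines) if e]
    return {
        "total": len(entries),
        "by_prefix": Counter(e["prefix"] for e in entries),
        "by_src": Counter(e["ip"].get("SRC") for e in entries),
        "by_proto_dport": Counter(
            (e["ip"].get("PROTO"), e["l4"].get("DPT")) for e in entries
        ),
    }


if __name__ == "__main__":
    for e in map(parse_entry, SAMPLE_LOG.splitlines()):
        print(e["prefix"], e["ip"].get("SRC"), "->", e["ip"].get("DST"),
              e["ip"].get("PROTO"), e["l4"].get("DPT"), e["flags"])
    print(summarize(SAMPLE_LOG.splitlines()))
```

Feeding /var/log/iptables.log through `summarize` line by line gives the per-prefix, per-source and per-port counts described in section I; `entries_with_prefix(lines, "HACKERS")` is the structured equivalent of grepping for the prefix. Keeping the IP-level and transport-level dictionaries separate is what prevents the second LEN from silently overwriting the first.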
IV. Graphical Analysis Tools
Understanding the structure and meaning of the log is the foundation. In the "big security" era of big data, however, tools and software are needed to complete the task. Below I recommend several graphical analysis tools.
1) OSSIM
In the OSSIM USM edition, logs can be normalized and displayed in charts, as shown in Figure 2.
Figure 2 OSSIM log collection
2) Firewall Analyzer
Firewall Analyzer is a web-based firewall log analysis system that requires no agent installation. It supports multiple firewall devices on the network, performs monitoring, log collection and analysis, and presents the results as reports. With Firewall Analyzer, a network security administrator can quickly obtain important information such as network bandwidth usage and security events, and so manage the network more effectively. The security event information typically obtained covers intrusion detection, virus attacks, denial-of-service attacks and other abnormal network behaviour. Firewall Analyzer can analyse logs from multiple firewalls such as Cisco PIX, ASA and CheckPoint. Figure 3 shows the traffic analysis interface of Firewall Analyzer.
Figure 3 Main log analysis interface of Firewall Analyzer
3) Sawmill
Sawmill runs on Unix, Linux, Windows and other platforms. It supports 900 log formats and is a centralized, cross-platform log report management system that collects logs centrally and generates Chinese reports (both simplified and traditional). Its simple interface lets users analyse netfilter logs intuitively and produce customized reports with a few clicks, as shown in Figures 4 and 5.
Figure 4 Setting the data source to be read
Figure 5 Setting the output report
For more information about log analysis, refer to UNIX/Linux Network Log Analysis and Traffic Monitoring.