Iptables log search and iptables search

Iptables log search and iptables search

Iptables log Exploration

In addition to effectively controlling network access, the main function of the firewall is to clearly record network access and automatically generate logs for storage. Although the log format varies with the firewall manufacturer, the main information recorded is basically the same. The log Content generated by the PIX, ASA, or CheckPoint fire wall discussed later is similar. This indicates that any connection or request, such as TCP, UDP, ICMP Connection records, connection traffic information, connection establishment time, and so on, firewall logs will reflect them one by one. In summary, firewall logs generally include the source IP address of the message sending, the destination IP address of the message, the message flow direction, the message content, and the application.

The firewall generates a large number of log files every day. It is very difficult for the firewall administrator to manage the huge logs that have not been processed and analyzed. Therefore, log statistics and analysis are now essential to firewall functions. administrators can not only search for logs and audit logs based on different requirements, you can also analyze the network bandwidth utilization, various network protocols, and port usage. Firewall logs also generate security warnings and some helpful information for network security management. This greatly facilitates the Administrator's security control over the firewall.

This document uses iptables in Linux as an example to explain firewall logs. The following section describes iptables logs.

Jun 19 17:20:04 webkernel: new drap in = eth0 OUT = MAC = 00: 10: 4b: cd: 7b: b4: 00: e0: le: b9: 04: al: 08: 00SRC = 192.168.150.1 DST = 192.168.150.152 LEN = 20 TOS = 0X00 PREC = 0x00 TTL = 249ID = 10492 df proto = udp spt = 53 DPT = 32926 LEN = 231

The log description is shown in table 1.

Table 1 iptablesLog field description

Serial number	Field name	Description
1	Jun 19 17:20:24	Date and time, generated by syslog
2	Web	Host Name
3	Kernel	The logs generated by syslogd whose kernel is the kernel indicate that netfilter runs in the kernel.
4	NEW_DRAP	Record prefix specified by the user-log-prefix "NEW_DRAP"
5	IN = eth0	The interface for entering the data packet. If it is null, it indicates that the local machine is generated. The interface also includes eth0 and br0.
6	OUT =	Interface for data packet exit. If it is null, the local machine receives the data packet.
7	MAC = 00: 10: 4b: cd: 7b: b4: 00: e0: le: b9: 04: al	00: 10: 4b: cd: 7b: b4 is the target MAC address. 00: e0: le: b9: 04: al is the source MAC address.
8	08:00	Indicates the IP protocol.
9	SRC = 192.168.150.1	192.168.150.1 is the source IP address.
10	DST = 192.168.150.152	192.168.150.152w is the target IP address.
11	LEN = 20	Total length of IP packets + Data carrying (MTU)
12	TOS = 0x00	The service type field in the IP Address Header, which reflects the service quality, including latency, reliability, and congestion.
13	PREC = 0x00	Priority field of service type
14	TTL = 1, 249	IP packet survival time
15	ID = 10492	IP packet ID
16	DF	DF indicates non-segmentation. This field may also be MF/FRAG.
17	PROTO = UDP	The transport layer protocol type. It indicates what the upper layer protocol can be divided into, such as TCP, UDP, and ICMP.
18	SPT = 53	Indicates the source port number.
19	DPT = 1, 32926	Indicates the destination port number.
20	LEN = 231	Transport layer protocol header length
21	SEQ = content omitted	TCP serial number
22	ACK = content omitted	TCP response number
23	WINDOWS = content omitted	Window size in the IP Address Header
24	RES	ECN bits value in TCP-Flags
25	CWR/ECE/URG/ACK/PSH/RST/SYN/FIN	TCP flag
26	URGP =	Emergency pointer start point
27	OPT (content omitted)	IP or TCP options, in hexadecimal format
28	INCOMPLETE [65535 bytes]	Incomplete data packets
29	TYPE = CODE = ID = SEQ = PARAMETER =	When the Protocol is ICMP
30	SPI = 0xF1234567	When the current protocol is AHESP
31	SYN	SYN flag in TCP-Flags, in addition to FIN/ACK/RST/URG/PSH
32	[]	Brackets appear in two places and are used recursively as the protocol header in ICMP protocol. When the packet length is invalid, it is used to indicate the actual length of the data.

 

Ii. LOG format considerations:

From the description in Table 1, we can see that the iptables log records a lot of information and is very messy. During analysis, we are faced with the following problems:

(1) The MAC representation is too simple. It is not conducive to reading because the target MAC, source MAC, and length are all mixed.

(2) In tables numbered 12, 13, the TOS and PREC values are both 0x00.

(3) No data packet content is recorded in the log, especially for some rejected data packets. If the data packet content is recorded, it will help to find attack methods and methods.

(4) If no rule number is recorded, it is difficult to view the recorded data packet because it meets any conditions.

(5) LEN and DPT are prone to confusion when analyzing and processing logs in both the IP header and TCP header.

 

Iii. Log Analysis

 

In Linux, you can record Iptables by editing the/etc/syslog. conf file and adding a line to it.

Kern. warning/var/log/iptables. log

Then restart the syslog service:

#/Etc/init. d/syslog restart

To facilitate LOG analysis, you can add an appropriate LOG prefix, that is, use the LOG option in IPtables to enable the kernel record function for matching data packets through the LOG option. The sub-option of the LOG option -- log-prefix is used to add a message prefix to the record information. The prefix can contain up to 29 characters. The purpose of adding a prefix is to better identify record information. For example, it is easier to use grep to filter matching record information. The following is an example. On the Linux server, enter the following command:

Next, check the logs with the HACKERS prefix in the iptables. log File. Of course, you can replace it with other contents.

 

The "-j LOG" parameter is used to set the LOG Level, and syslo is used to put special-level information into the specified LOG file. It is initially stored in/var/log/messages. Because it is stored in messages, it is inconvenient to analyze logs. This section briefly introduces an instance for managing, looping, and automatically reporting iptables logs.

Iptables is installed by default in almost all Linux distributions. It is managed by the facility of dmesg or syslogd in combination with the kernel. The initial value of iptables logs is [warn (= 4)]. To modify the initial value, you need to edit syslog. conf.

The initial setting of/etc/logrotate. conf is to cycle logs every week. Therefore, weekly logs will be stored in/var/log/iptables. log, and previous logs will be stored in iptableslog.1 ~ Iptables-log.50.

You can use iptables to directly obtain logs. The operation is as follows:

# Iptables-a input-s 127.0.0.1-p icmp-j LOG -- log-prefix "iptables icmp-localhost"

\ * Save the packet record from eth0;

# Iptables-a input-s 127.0.0.1-p icmp-j DROP

\ * Revoke the packet record from eth0;

After the above two commands, the/var/log/iptables-log.1 content will be as follows:

Sep 2310: 16: 14 hostname kernel: iptables icmp-localhost IN = lo OUT = MAC = 00: 00: 00: 00: 00: 00: 00: 00: 00: 00: 00: 08: 00 SRC = 127.0.0.1 DST = 127.0.0.1LEN = 84 TOS = 0x00 PREC = 0x00 TTL = 64 ID = 0 df proto = icmp type = 8 CODE = 0 ID = 57148SEQ = 256

The above method is troublesome. The ulog tool can be used to directly broadcast logs to the user State using netlink. In this way, the efficiency is higher. First, install the ulog package. The command is as follows:

# Apt-get install ulogd

View the Iptables log, as shown in 1.

Figure 1 use ulog to view Iptables logs

Iv. Graphical Analysis Tools

Understanding the log structure, structure, and meaning is the foundation. However, in the "big security era" of big data, tools and software must be used to help you complete the task. Below I recommend several graphical analysis tools.

1) OSSIM

In the ossim usm version, logs can be normalized and displayed in charts, as shown in figure 2.

Figure 2 OSSIM log collection

2) FirewallAnalyzer

Firewall Analyzer is a Web-based Firewall log analysis system that does not require Agent installation. It supports multiple Firewall devices in the network, it also implements monitoring, log collection and analysis, and presents it in the form of reports. Using Firewall Analyzer and network security administrator, you can quickly obtain important information such as network bandwidth usage and Security time, so as to more effectively manage the network. Generally, the security event information that can be obtained includes intrusion detection, virus attacks, denial of service attacks, and other abnormal network behaviors. Firewall Analyzer can analyze Multiple Firewall logs such as Cisco PIX, ASA, and CheckPoint. 3 shows the traffic analysis interface of Firewall Analyzer.

Figure 3 main log analysis interface of Firewall Analyzer

3) Sawmill

Sawmill is applicable to Unix, Linux, Windows, and other platforms. It supports 900 log formats and is a centralized and cross-platform log report management system that can collect logs in a centralized manner, and generate Chinese reports (including simplified and Traditional Chinese). The simple operation interface allows users to intuitively analyze Netfilter logs and quickly analyze and customize reports through simple click operations, as shown in figure 4 and 5.

Figure 4 set the data source to be read

Figure 5 set the output report

For more information about log analysis, refer to UNIX/Linux Network Log Analysis and traffic monitoring.