----- Original Message ----- 
From: "Derek Jennings" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 11, 2003 22:55
Subject: Re: [newbie] seeking log analyser recommendation for shorewall


> On Wed, 11 Jun 2003 18:24:41 +0800
> "stormjumper" <[EMAIL PROTECTED]> wrote:
>
> > actually, i'm not very sure what i'm asking for, a log analyser or an
> > intrusion detection system.
> >
> > the reason is, my /var/log/kernel/info has become abnormally large over the
> > last 3 days, from 1.5mb between 1 Jun to 8 Jun, to 23++ mb between 8 Jun to
> > now (11 Jun).
> >
> > the cause is due to shorewall entries, most of which are REJECTed or DROPped
> > external traffic to seemingly random ports, from IPs which have no reason to
> > attempt to access my IP.
> >
> > i vaguely (and maybe paranoidly) suspect that i'm the target of some
> > probe/scan, and that the source IPs are being spoofed, but newbie that i am,
> > i really can't tell if any of the traffic is malevolent.
> >
> > visited snort.org, shorewall.net, netfilter.org and a few other sites to get
> > a bit of background information, but so far only understanding around 20% of
> > what i'm reading.
> >
> > hoping that someone here can make a good recommendation for a simple to
> > configure log analyser/IDS, that can make "guesses" on whether i'm being
> > sniffed or probed.
> >
> > thanks in advance. ;-)
> >
> > for the record, i'm running mandrake 9.0 purely as the gateway to a small
> > network, sharing a DSL connection, with smtp and http ports forwarded.
> > (keeping up to date with security updates).
> >
>
> It is normally pretty easy to tell if you are being probed. Just glance
> through your syslog at the messages shorewall is throwing up. Just look at
> the SRC IP Addresses, if they are mostly the same, then someone is
> persistently hitting you.
> Then look at the destination port DPT. This will tell you what service they
> are trying to attach to. You can look up the service names by comparing the
> port number to the info in /etc/services or just type "port xyz" in
> google/linux.
>
> It is possible to configure shorewall to discard packets from specific
> services without logging them if the size of the logs is causing you
> problems.
>
> You will very likely discover a lot of hits are coming from peer to peer
> file sharing users.
> A friend of mine who works for Juniper tells me that 60% of Internet
> traffic by volume is currently P to P.
>
> In any case the good news is that your firewall is stopping the traffic
> :-)
>
> Personally I run fwlogwatch (in contrib) to get a weekly report of
> firewall hits. It just tells me the IP address and host names of those
> people who persistently hit me.
>
> HTH
>
> derek

thanks derek. as a side note, it seems like it's you who happens to answer my
posts most of the time.

actually, i think i understand what individual lines of the shorewall
entries mean, it's just that the IPs that show up are strange. (i checked
their sources with ARIN's whois database)

for example, i'm getting source addresses on my external interface from Brazil,
or with internal addresses on it, e.g.

Jun 13 05:28:06 gw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:a0:24:e2:67:0e:00:30:0a:09:6f:26:08:00 SRC=213.23.152.139 DST=my external ip LEN=74 TOS=0x00 PREC=0x20 TTL=240 ID=4101 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=my external ip DST=192.168.123.100 LEN=46 TOS=0x00 PREC=0x00 TTL=111 ID=9451 PROTO=UDP SPT=1523 DPT=2615 LEN=26 ]

IIUC, this log implies that i actually sent a packet to 213.23.152.139, in
order to reach 192.168.123.100, and therefore 213.23.152.139 is telling me
it's unreachable (ICMP type 3 code 3).

this is quite implausible, so i would guess either my ip is being spoofed by
someone trying to gain access to 192.168.123.100, or the NAT s/w at
213.23.152.139 is mis-writing the packets, or my machine has been
compromised and is used as a launching pad.

however, that's my wild guess, which is why i'm looking for programs that
can make educated guesses based on my logs...

i've looked at fwlogwatch, as per your suggestion, and it seems very
interesting. however the version in contrib for mandrake 9.0 (0.6 i think)
seems very dated, and installing the mdk 9.1 rpm fails due to a glib
requirement of > 2.3.

unfortunately, i dun have the time right now to work out these dependency
issues, furthermore, i dun think messing with the glibc versions is a wise
idea.

when i've more time, i'll prolly try to download the src rpm for 9.1 and
rebuild it on the 9.0 system and see if it works, but until then, i guess i
just have to put my faith in shorewall.

thanks.
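Derek's advice above (tally the SRC addresses, then the DPT values, and look them up in /etc/services) and the ICMP type 3 line quoted in the reply can both be worked mechanically. The following Python script is an added example, not code from this thread, from Shorewall or from fwlogwatch. It parses Shorewall's netfilter-style log lines, keeps the bracketed inner packet that an ICMP error quotes separate from the outer fields (so the inner LEN=26 does not overwrite the outer LEN=74), tallies sources and destination ports, and flags the two oddities the reply describes: RFC1918 source addresses arriving on the external interface, and ICMP unreachables whose quoted packet claims the gateway sent traffic to a private address via an Internet host. The sample log lines, the external address 203.0.113.10, the interface name eth1 and all function names are constructed for this example.

```python
import ipaddress
import re
import socket
from collections import Counter

# Constructed sample lines in the Shorewall/netfilter format quoted in the
# thread; 203.0.113.10 stands in for the gateway's external address (assumption).
MAC = "00:a0:24:e2:67:0e:00:30:0a:09:6f:26:08:00"
SAMPLE_LOG = f"""\
Jun 13 05:28:06 gw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC={MAC} SRC=213.23.152.139 DST=203.0.113.10 LEN=74 TOS=0x00 PREC=0x20 TTL=240 ID=4101 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.10 DST=192.168.123.100 LEN=46 TOS=0x00 PREC=0x00 TTL=111 ID=9451 PROTO=UDP SPT=1523 DPT=2615 LEN=26 ]
Jun 13 05:29:10 gw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC={MAC} SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP SPT=3421 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 13 05:29:11 gw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC={MAC} SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=2 DF PROTO=TCP SPT=3422 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 13 05:29:12 gw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC={MAC} SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=3 DF PROTO=TCP SPT=3423 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 13 05:30:00 gw kernel: Shorewall:net2all:REJECT:IN=eth1 OUT= MAC={MAC} SRC=192.0.2.55 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=777 DF PROTO=UDP SPT=6346 DPT=6346 LEN=40
Jun 13 05:31:30 gw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC={MAC} SRC=10.0.0.5 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as DF or SYN are skipped
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if the line is not one.
    The bracketed part of an ICMP error (the quoted original packet) is parsed
    into 'inner' so its SRC/DST/LEN do not clobber the outer packet's fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest, inner = m.group("rest"), None
    b = re.search(r"\[(.*)\]", rest)
    if b:
        inner = dict(FIELD_RE.findall(b.group(1)))
        rest = rest[:b.start()]
    return {"chain": m.group("chain"), "action": m.group("action"),
            "fields": dict(FIELD_RE.findall(rest)), "inner": inner}


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def service_name(port, proto):
    """Look the port up in /etc/services via the socket module; '?' if unknown."""
    try:
        return socket.getservbyport(int(port), proto.lower())
    except (OSError, ValueError):
        return "?"


def top_sources(records, n=5):
    """Derek's first check: a tally dominated by one SRC is a persistent prober."""
    return Counter(r["fields"]["SRC"] for r in records).most_common(n)


def top_ports(records, n=5):
    """Derek's second check: which services (DPT) are being tried, by name."""
    c = Counter((r["fields"]["PROTO"], r["fields"]["DPT"])
                for r in records if "DPT" in r["fields"])
    return [(proto, port, service_name(port, proto), count)
            for (proto, port), count in c.most_common(n)]


def anomalies(records, external_ip, external_if="eth1"):
    """Flag the two oddities in the reply: RFC1918 sources on the external
    interface, and ICMP unreachables whose quoted packet says we sent traffic
    from our external address to a private address via an Internet host."""
    out = []
    for r in records:
        f, inner = r["fields"], r["inner"]
        if f.get("IN") == external_if and is_rfc1918(f["SRC"]):
            out.append(("private-source-on-external", f["SRC"]))
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "3" and inner:
            if inner.get("SRC") != external_ip:
                out.append(("icmp-error-not-quoting-our-packet", f["SRC"]))
            elif is_rfc1918(inner.get("DST", "0.0.0.0")):
                out.append(("icmp-error-quotes-private-dst", f"{f['SRC']} -> {inner['DST']}"))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("top sources:", top_sources(recs))
    print("top ports:", top_ports(recs))
    for kind, detail in anomalies(recs, "203.0.113.10"):
        print("ANOMALY", kind, detail)
```

To run it on the real file, pass the contents of /var/log/kernel/info to parse_log instead of the embedded sample. The ICMP check is a heuristic that singles lines out for a closer look rather than proving spoofing: the reply itself lists a misbehaving NAT device at the far end as one benign explanation for a quoted packet that the gateway never sent.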