Re: [newbie] seeking log analyser recommendation for shorewall

2003-06-12 Thread stormjumper

- Original Message - 
From: Derek Jennings [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 11, 2003 22:55
Subject: Re: [newbie] seeking log analyser recommendation for shorewall


 On Wed, 11 Jun 2003 18:24:41 +0800
 stormjumper [EMAIL PROTECTED] wrote:

  actually, i'm not very sure what i'm asking for, a log analyser or an
  intrusion detection system.

  the reason is, my /var/log/kernel/info has become abnormally large over
  the last 3 days, from 1.5mb between 1 Jun to 8 Jun, to 23++ mb between
  8 Jun to now (11 Jun).

  the cause is due to shorewall entries, most of which are REJECTed or
  DROPped external traffic to seemingly random ports, from IPs which have
  no reason to attempt to access my IP.

  i vaguely (and maybe paranoidly) suspect that i'm the target of some
  probe/scan, and that the source IPs are being spoofed, but newbie that
  i am, i really can't tell if any of the traffic is malevolent.

  visited snort.org, shorewall.net, netfilter.org and a few other sites to
  get a bit of background information, but so far only understanding
  around 20% of what i'm reading.

  hoping that someone here can make a good recommendation for a simple to
  configure log analyser/IDS, that can make guesses on whether i'm being
  sniffed or probed.

  thanks in advance. ;-)

  for the record, i'm running mandrake 9.0 purely as the gateway to a
  small network, sharing a DSL connection, with smtp and http ports
  forwarded. (keeping up to date with security updates).

 

 It is normally pretty easy to tell if you are being probed. Just glance
 through your syslog at the messages shorewall is throwing up. Just look at
 the SRC IP addresses; if they are mostly the same, then someone is
 persistently hitting you.
 Then look at the destination port DPT. This will tell you what service they
 are trying to attach to. You can look up the service names by comparing the
 port number to the info in /etc/services or just type "port xyz" in
 google/linux.

 It is possible to configure shorewall to discard packets from specific
 services without logging them if the size of the logs is causing you
 problems.

 You will very likely discover a lot of hits are coming from peer-to-peer
 file sharing users.
 A friend of mine who works for Juniper tells me that 60% of Internet
 traffic by volume is currently P to P.

 In any case the good news is that your firewall is stopping the traffic
 :-)

 Personally I run fwlogwatch (in contrib) to get a weekly report of
 firewall hits. It just tells me the IP addresses and host names of those
 people who persistently hit me.

 HTH

 derek

thanks derek. as a side note, it seems like it's you who happens to answer
my posts most of the time.

actually, i think i understand what individual lines of the shorewall
entries mean, it's just that the IPs that show up are strange. (i checked
their sources with ARIN's whois database)

like i'm getting source addresses on my external interface from brazil, or
with internal addresses on it. eg.

Jun 13 05:28:06 gw kernel: Shorewall:net2all:DROP:IN=eth1 OUT=
MAC=00:a0:24:e2:67:0e:00:30:0a:09:6f:26:08:00 SRC=213.23.152.139
DST=my external ip LEN=74 TOS=0x00 PREC=0x20 TTL=240 ID=4101 DF
PROTO=ICMP TYPE=3 CODE=3 [SRC=my external ip DST=192.168.123.100 LEN=46
TOS=0x00 PREC=0x00 TTL=111 ID=9451 PROTO=UDP SPT=1523 DPT=2615 LEN=26 ]

IIUC, this log implies that i actually sent a packet to 213.23.152.139, in
order to reach 192.168.123.100, and therefore 213.23.152.139 is telling me
it's unreachable (ICMP type 3 code 3).

this is quite implausible, so i would guess either my ip is being spoofed by
someone trying to gain access to 192.168.123.100, or the NAT s/w at
213.23.152.139 is mis-writing the packets, or my machine has been
compromised and is used as a launching pad.

however, that's my wild guess, which is why i'm looking for programs that
can make educated guesses based on my logs...

i've looked at fwlogwatch, as per your suggestion, and it seems very
interesting. however the version in contrib for mandrake 9.0 (0.6 i think)
seems very dated, and installing the mdk 9.1 rpm fails due to a glib
requirement of  2.3.

unfortunately, i dun have the time right now to work out these dependency
issues, furthermore, i dun think messing with the glibc versions is a wise
idea.

when i've more time, i'll prolly try to download the src rpm for 9.1 and
rebuild it on the 9.0 system and see if it works, but until then, i guess i
just have to put faith with shorewall.

thanks.


Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com
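The two manual checks in this thread (Derek's "count the SRC addresses, then map DPT to a service name", and stormjumper's reading of the ICMP type 3 code 3 line whose quoted inner packet claims his external address as source and a 192.168.x.x address as destination) can be automated in a few lines. The script below is an added example written for this page; it is not code from the thread, from Shorewall or from fwlogwatch. The log lines are constructed: the first mirrors the shape of the line quoted above, with the placeholder 203.0.113.5 (TEST-NET-3) standing in for "my external ip", and the rest are invented to show a persistent source and a few well-known ports. The /etc/services reader and the small fallback table are assumptions, not part of any tool the thread mentions.

```python
"""Summarise Shorewall/netfilter kernel log lines: which sources hit us
persistently, on which ports, and which ICMP errors quote a packet we could
never have sent.  Added example for this thread; sample data is constructed."""
import ipaddress
import re
from collections import Counter

# Assumed placeholder for "my external ip" in the thread (TEST-NET-3 range).
MY_EXTERNAL_IP = "203.0.113.5"

# Constructed sample log.  Line 1 mirrors the ICMP line quoted in the thread;
# the others are invented (TEST-NET addresses) to show a repeat offender.
SAMPLE_LOG = """\
Jun 13 05:28:06 gw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:a0:24:e2:67:0e:00:30:0a:09:6f:26:08:00 SRC=213.23.152.139 DST=203.0.113.5 LEN=74 TOS=0x00 PREC=0x20 TTL=240 ID=4101 DF PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.5 DST=192.168.123.100 LEN=46 TOS=0x00 PREC=0x00 TTL=111 ID=9451 PROTO=UDP SPT=1523 DPT=2615 LEN=26 ]
Jun 13 05:29:10 gw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:a0:24:e2:67:0e:00:30:0a:09:6f:26:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP SPT=3210 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 13 05:29:11 gw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:a0:24:e2:67:0e:00:30:0a:09:6f:26:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=2 DF PROTO=TCP SPT=3211 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 13 05:29:12 gw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:a0:24:e2:67:0e:00:30:0a:09:6f:26:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=3 DF PROTO=TCP SPT=3212 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 13 05:31:40 gw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:a0:24:e2:67:0e:00:30:0a:09:6f:26:08:00 SRC=192.0.2.44 DST=203.0.113.5 LEN=404 TOS=0x00 PREC=0x00 TTL=117 ID=8812 PROTO=UDP SPT=1434 DPT=1434 LEN=384
Jun 13 05:32:02 gw kernel: Shorewall:net2all:REJECT:IN=eth1 OUT= MAC=00:a0:24:e2:67:0e:00:30:0a:09:6f:26:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4 DF PROTO=TCP SPT=3213 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as DF or SYN are skipped

# Small fallback used when /etc/services is not readable (assumed table).
FALLBACK_SERVICES = {("tcp", 25): "smtp", ("tcp", 80): "http",
                     ("tcp", 135): "epmap", ("tcp", 139): "netbios-ssn",
                     ("tcp", 445): "microsoft-ds", ("udp", 1434): "ms-sql-m"}


def parse_fields(text):
    """Turn 'KEY=value KEY=value ...' into a dict (empty values allowed)."""
    return dict(KV_RE.findall(text))


def parse_line(line):
    """Parse one Shorewall log line; the [..] part of an ICMP error is the
    header of the packet that provoked it and is kept under 'inner'."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rest, inner = m.group("rest"), None
    if "[" in rest and "]" in rest:
        rest, inner_text = rest.split("[", 1)
        inner = parse_fields(inner_text.split("]", 1)[0])
    rec = {"ts": m.group("ts"), "chain": m.group("chain"),
           "action": m.group("action"), "inner": inner}
    rec.update(parse_fields(rest))
    return rec


def load_services(path="/etc/services"):
    """Read name/port/proto triples from an /etc/services-style file."""
    table = {}
    try:
        with open(path) as fh:
            for raw in fh:
                parts = raw.split("#", 1)[0].split()
                if len(parts) >= 2 and "/" in parts[1]:
                    port, proto = parts[1].split("/", 1)
                    table.setdefault((proto, int(port)), parts[0])
    except (OSError, ValueError):
        pass
    return table


def service_name(proto, port, table=None):
    """Derek's '/etc/services' lookup: (proto, port) -> service name."""
    table = table or FALLBACK_SERVICES
    return table.get((proto.lower(), int(port)), "unknown")


def summarize(log_text, min_hits=3):
    """Count hits per SRC and per (PROTO, DPT); a SRC seen min_hits times or
    more is the 'persistently hitting you' case from the thread."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_src = Counter(r["SRC"] for r in records)
    by_port = Counter((r["PROTO"], r["DPT"]) for r in records if "DPT" in r)
    persistent = [ip for ip, n in by_src.most_common() if n >= min_hits]
    return {"records": records, "by_src": by_src,
            "by_port": by_port, "persistent": persistent}


def icmp_error_sanity(rec, my_ip):
    """Return why an ICMP unreachable's quoted packet is implausible, or None.
    A genuine error quotes a packet we sent; a quoted packet with our address
    as source but an RFC 1918 destination never crossed the Internet."""
    if rec.get("PROTO") != "ICMP" or rec.get("TYPE") != "3" or not rec["inner"]:
        return None
    inner, reasons = rec["inner"], []
    if inner.get("SRC") != my_ip:
        reasons.append("quoted packet was not sent from our address")
    try:
        dst = ipaddress.ip_address(inner.get("DST", ""))
    except ValueError:
        return "quoted packet has no parseable destination"
    if dst.is_private:
        reasons.append(f"quoted destination {dst} is a private address")
    return "; ".join(reasons) or None


def report(log_text, my_ip, services=None):
    """Human-readable summary, one line per finding."""
    s = summarize(log_text)
    lines = [f"{ip}: {s['by_src'][ip]} hits (persistent)" for ip in s["persistent"]]
    for (proto, dpt), n in s["by_port"].most_common():
        lines.append(f"{proto}/{dpt} ({service_name(proto, dpt, services)}): {n}")
    for r in s["records"]:
        why = icmp_error_sanity(r, my_ip)
        if why:
            lines.append(f"{r['ts']} ICMP from {r['SRC']}: {why}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, MY_EXTERNAL_IP, load_services())))
```

Run it as-is on the constructed sample and it names 198.51.100.7 as the persistent source, lists the hit ports with their service names, and flags the ICMP line because its quoted packet claims our address as source towards 192.168.123.100; point `report()` at the real kernel log and your real external address to get the same three answers for your own traffic. The ICMP check is deliberately narrow: it only says the quoted packet is implausible, not which of stormjumper's three explanations (spoofing, a misbehaving NAT, or a compromised host) applies.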


[newbie] seeking log analyser recommendation for shorewall

2003-06-11 Thread stormjumper
actually, i'm not very sure what i'm asking for, a log analyser or an
intrusion detection system.

the reason is, my /var/log/kernel/info has become abnormally large over the
last 3 days, from 1.5mb between 1 Jun to 8 Jun, to 23++ mb between 8 Jun to
now (11 Jun).

the cause is due to shorewall entries, most of which are REJECTed or DROPped
external traffic to seemingly random ports, from IPs which have no reason to
attempt to access my IP.

i vaguely (and maybe paranoidly) suspect that i'm the target of some
probe/scan, and that the source IPs are being spoofed, but newbie that i am,
i really can't tell if any of the traffic is malevolent.

visited snort.org, shorewall.net, netfilter.org and a few other sites to get
a bit of background information, but so far only understanding around 20% of
what i'm reading.

hoping that someone here can make a good recommendation for a simple to
configure log analyser/IDS, that can make guesses on whether i'm being
sniffed or probed.

thanks in advance. ;-)

for the record, i'm running mandrake 9.0 purely as the gateway to a small
network, sharing a DSL connection, with smtp and http ports forwarded.
(keeping up to date with security updates).

