How to read firewall logs? (a discussion in the Linux Security forums, part of the System Security and Security Related category)
OK, so I finally got around to having iptables LOG and then DROP uninvited input packets, rather than just DROPping them. I didn't expect the volume to be quite that high! Seems people are attacking -- or at least sending SYN packets -- every few seconds.

How do I figure out just what is being attempted? I can trace the SRC field with the "host" command, but what are TTL, ID, SPT, DPT, WINDOW, URGP? Googling on these terms brings up a lot of logs; didn't see any direct explanation. Can I tell if these are attempts to establish, say, telnet, ftp, rsh, or ssh connections?
On Fri, 04 Jun 2004 13:04:07 -0500, Mike Oliver wrote:

> OK, so I finally got around to having iptables LOG and then DROP
> uninvited input packets, rather than just DROPping them. I didn't
> expect the volume to be quite that high! Seems people are attacking --
> or at least sending SYN packets -- every few seconds.
>
> How do I figure out just what is being attempted? I can trace
> the SRC field with the "host" command, but what are TTL, ID,
> SPT, DPT, WINDOW, URGP? Googling on these terms brings up
> a lot of logs; didn't see any direct explanation. Can I tell
> if these are attempts to establish, say, telnet, ftp, rsh, or
> ssh connections?

As a rule the target port (DPT) and the protocol (PROTO) would give you the hint. /etc/services has the port and protocol values.

What I did was to create a file with the services file and information from

http://www.good-stuff.co.uk/useful/portfull.html
http://www.clic.net/~hello/puppet/nnports.html
http://www.doshelp.com/trojanports.htm
http://www.isi.edu/in-notes/iana/ass...s/port-numbers
http://www.netice.com/advice/exploits/ports/default.htm
http://www.robertgraham.com/pubs/firewall-seen.html
http://www.sans.org/newlook/resource...Q/oddports.htm
http://www.simovits.com/nyheter9902.html

into one file I can grep for information. Example

$ grep 8866 port.numbers
port 8866/ backdoor for bagle worm
$ grep 3389 port.numbers
ms-wbt-server 3389/tcp MS WBT Server
ms-wbt-server 3389/udp MS WBT Server
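An added example, not code posted by anyone in this thread: a small Python script that splits iptables LOG lines into their fields, looks PROTO/DPT up against a table in /etc/services format (the lookup the reply above does with grep), and counts which ports are being probed. The log lines and the services excerpt are constructed for the example; FIELD_HELP gives the meaning of the fields the original question asks about.

```python
import re
from collections import Counter

# Constructed sample lines in the iptables LOG target format (not taken from the thread).
SAMPLE_LOG = """\
Jun  4 13:01:02 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=45213 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  4 13:01:09 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.11 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4097 DF PROTO=TCP SPT=1337 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0
Jun  4 13:01:15 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=TCP SPT=45214 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  4 13:01:20 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.12 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53412 DPT=53 LEN=58
Jun  4 13:01:27 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.13 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=7 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Constructed excerpt in /etc/services format (name  port/proto  [aliases]  # comment).
SERVICES_SNIPPET = """\
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
domain          53/udp
shell           514/tcp         cmd    # rsh
ms-wbt-server   3389/tcp        # MS WBT Server
ms-wbt-server   3389/udp
"""

# What the fields asked about in the original post mean (netfilter LOG format).
FIELD_HELP = {
    "TTL": "IP time-to-live left in the packet; initial values differ by OS, so it hints at platform and hop distance",
    "ID": "IP identification field (used to reassemble fragments)",
    "SPT": "source port the packet came from",
    "DPT": "destination port on your host, i.e. the service being probed",
    "WINDOW": "TCP receive window advertised by the sender",
    "URGP": "TCP urgent pointer (normally 0)",
}


def parse_services(text):
    """Parse /etc/services-style text into {(proto, port): name}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, proto = port_proto.split("/")
        table[(proto, int(port))] = name
    return table


def parse_log_line(line):
    """Turn one LOG line into a dict of KEY=value fields plus a list of bare flags."""
    start = line.find("IN=")
    if start == -1:
        return None                      # not a netfilter LOG record
    rec = {"flags": []}
    for tok in line[start:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value             # a UDP record carries LEN twice (IP, then UDP); the last wins
        else:
            rec["flags"].append(tok)     # bare words: DF, SYN, ACK, FIN, RST, ...
    return rec


def describe(rec, services):
    """One-line human summary: who, which service, and whether it is a SYN."""
    proto = rec.get("PROTO", "?").lower()
    dpt = int(rec["DPT"]) if "DPT" in rec else None
    name = services.get((proto, dpt), "unknown") if dpt is not None else "n/a"
    parts = [f"{rec.get('SRC')} -> {rec.get('DST')}",
             f"{proto.upper()} {rec.get('SPT')} -> {dpt} ({name})"]
    tcp_flags = [f for f in rec["flags"] if f != "DF"]   # DF is an IP flag, not TCP
    if tcp_flags:
        parts.append(" ".join(tcp_flags))
    parts.append(f"ttl={rec.get('TTL')}")
    return " ".join(parts)


def count_by_port(log_text, services):
    """Count dropped packets per (proto, port, service name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or "DPT" not in rec:
            continue
        proto, dpt = rec["PROTO"].lower(), int(rec["DPT"])
        counts[(proto, dpt, services.get((proto, dpt), "unknown"))] += 1
    return counts


if __name__ == "__main__":
    svc = parse_services(SERVICES_SNIPPET)   # use open("/etc/services").read() on a real box
    for line in SAMPLE_LOG.splitlines():
        print(describe(parse_log_line(line), svc))
    for (proto, port, name), n in count_by_port(SAMPLE_LOG, svc).most_common():
        print(f"{n:4d}  {port}/{proto}  {name}")
```

Swapping SERVICES_SNIPPET for the contents of /etc/services (or the merged port.numbers file the reply describes) makes the same lookup work on real logs; a SYN flag with DPT=22, 23, 21 or 514/tcp is the "attempt to establish ssh, telnet, ftp or rsh" the question asks about.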
"Mike Oliver" <mike_lists@verizon.net> wrote in message news:2ibrslFk3d32U1@uni-berlin.de

> OK, so I finally got around to having iptables LOG and then DROP
> uninvited input packets, rather than just DROPping them. I didn't
> expect the volume to be quite that high! Seems people are attacking
> -- or at least sending SYN packets -- every few seconds.
>
> How do I figure out just what is being attempted? I can trace
> the SRC field with the "host" command, but what are TTL, ID,
> SPT, DPT, WINDOW, URGP?

http://logi.cc/linux/netfilter-log-format.php3

-- use hotmail for email replies
On Fri, 04 Jun 2004 13:04:07 -0500, the right honourable Mike Oliver <mike_lists@verizon.net> wrote:

> OK, so I finally got around to having iptables LOG and then DROP
> uninvited input packets, rather than just DROPping them. I didn't
> expect the volume to be quite that high! Seems people are attacking --
> or at least sending SYN packets -- every few seconds.
>
> How do I figure out just what is being attempted? I can trace
> the SRC field with the "host" command, but what are TTL, ID,
> SPT, DPT, WINDOW, URGP? Googling on these terms brings up
> a lot of logs; didn't see any direct explanation. Can I tell
> if these are attempts to establish, say, telnet, ftp, rsh, or
> ssh connections?

OOOOOOOOW... you need to read/study Andreasson's manual: http://iptables-tutorial.frozentux.n...-tutorial.html

Really, if you want to read logs, you need to feel at home in this material. There are no shortcuts. After that, look at http://www.snort.org/

frgr Erik