Ulogd2, Netfilter logging reloaded
Eric Leblond
NFWS2013, Copenhagen
Eric Leblond, Ulogd2, Netfilter logging reloaded, NFWS2013, Copenhagen (40 slides)
1. Introduction
   - Netfilter logging history
   - Ulogd2
2. Connection tracking
3. Ulogd2 architecture
4. Using Ulogd2
5. Conclusion
Some words about me
- Eric Leblond
- French
- Previously, co-founder and CTO of EdenWall (RIP)
- Now, contractor
- Suricata IDS/IPS developer
- @Regiteric on Twitter
- [email protected]
- Coreteam member
- Working on:
  - some kernel stuff
  - libnetfilter_queue and userspace library
  - ulogd2 maintainer
At the beginning was syslog
- Pre Netfilter days
- Flat packet logging: one line per packet
- A lot of information
- Not searchable
- Not sexy

```
INPUT DROP IN=eth0 OUT= MAC=00:1a:92:05:ee:68:00:b0:8e:83:3b:f0:08:00 SRC=62.212.121.211 DST=91.121.73.151 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=35342 DF PROTO=TCP SPT=59261 DPT=113 WINDOW=5440 RES=0x00 SYN URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=37732 DF PROTO=TCP SPT=443 DPT=48875 WINDOW=0 RES=0x00 ACK RST URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.23 DST=192.168.11.3 LEN=86 TOS=0x00 PREC=0x00 TTL=243 ID=33964 DF PROTO=TCP SPT=80 DPT=49617 WINDOW=0 RES=0x00 ACK RST URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=62292 DF PROTO=TCP SPT=80 DPT=60462 WINDOW=0 RES=0x00 ACK RST URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=22480 DF PROTO=TCP SPT=443 DPT=50876 WINDOW=0 RES=0x00 ACK RST URGP=0
```
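The "not searchable" complaint above is about form, not content: every line carries the same `KEY=VALUE` fields. The following added example (not part of the slides or of ulogd) parses the slide's own five LOG lines into typed records and then runs the kind of filter and count a defender wants, e.g. all RST packets from one network or the packet count per source address. The sample input is the slide's text split into one record per line; the field and flag names are those printed by the kernel LOG target.

```python
"""Added example: turn flat Netfilter LOG lines into searchable records."""
import ipaddress
from collections import Counter

# The slide's log lines, one packet per line (constructed from the slide).
SAMPLE_LOG = """\
INPUT DROP IN=eth0 OUT= MAC=00:1a:92:05:ee:68:00:b0:8e:83:3b:f0:08:00 SRC=62.212.121.211 DST=91.121.73.151 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=35342 DF PROTO=TCP SPT=59261 DPT=113 WINDOW=5440 RES=0x00 SYN URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=37732 DF PROTO=TCP SPT=443 DPT=48875 WINDOW=0 RES=0x00 ACK RST URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.23 DST=192.168.11.3 LEN=86 TOS=0x00 PREC=0x00 TTL=243 ID=33964 DF PROTO=TCP SPT=80 DPT=49617 WINDOW=0 RES=0x00 ACK RST URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=62292 DF PROTO=TCP SPT=80 DPT=60462 WINDOW=0 RES=0x00 ACK RST URGP=0
IN IN=eth0 OUT= MAC=d4:be:d9:69:d1:51:00:11:95:63:c7:5e:08:00 SRC=31.13.80.7 DST=192.168.11.3 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=22480 DF PROTO=TCP SPT=443 DPT=50876 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

INT_FIELDS = ("LEN", "TTL", "ID", "SPT", "DPT", "WINDOW")


def parse_log_line(line):
    """One LOG line -> dict. Everything before the first IN= token is the
    rule prefix; KEY=VALUE tokens become fields; bare tokens (DF, SYN,
    ACK, RST, ...) are collected in the 'flags' set."""
    tokens = line.split()
    try:
        start = next(i for i, t in enumerate(tokens) if t.startswith("IN="))
    except StopIteration:
        raise ValueError("not a Netfilter LOG line: %r" % line)
    record = {"prefix": " ".join(tokens[:start]), "flags": set()}
    for tok in tokens[start:]:
        if "=" in tok:
            key, _, value = tok.partition("=")
            record[key] = value
        else:
            record["flags"].add(tok)
    # Typed fields allow numeric comparisons and network membership tests.
    for key in INT_FIELDS:
        if key in record:
            record[key] = int(record[key])
    for key in ("SRC", "DST"):
        if key in record:
            record[key] = ipaddress.ip_address(record[key])
    return record


def parse_log(text):
    return [parse_log_line(l) for l in text.splitlines() if l.strip()]


def select(records, prefix=None, src_net=None, dport=None, flags=()):
    """Filter by rule prefix, source network, destination port and TCP flags."""
    net = ipaddress.ip_network(src_net) if src_net else None
    hits = []
    for r in records:
        if prefix is not None and r["prefix"] != prefix:
            continue
        if net is not None and r["SRC"] not in net:
            continue
        if dport is not None and r.get("DPT") != dport:
            continue
        if not set(flags) <= r["flags"]:
            continue
        hits.append(r)
    return hits


def count_by(records, key):
    """Packet count per distinct value of a field, e.g. SRC or DPT."""
    return Counter(str(r.get(key)) for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(count_by(recs, "SRC"))
    print(len(select(recs, src_net="31.13.80.0/24", flags=("RST",))), "RST packets from 31.13.80.0/24")
```

The parser keeps unknown `KEY=VALUE` pairs as strings, so lines from other rules (UDP, ICMP) still parse; only the fields listed in `INT_FIELDS` and the two addresses are converted.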
Ulogd days
ULOG
- Netfilter introduces the ULOG target:

```
iptables -A INPUT -p tcp -j ULOG --ulog-prefix "bad packet"
```

- Communication via a netlink socket: a special type of socket used for bidirectional kernel/userspace communication
Ulogd, a ULOG logging daemon
- Syslog and file output
- SQL output: PGSQL, MySQL, SQLite
Linux 2.6.14: Netfilter userspace reloaded
- Netfilter introduces NFnetlink
  - Rewrote userspace interaction for logging, queueing and connection tracking
  - Multiple communications on a single netlink socket
- New libraries
  - libnetfilter_queue: userspace decision
  - libnetfilter_log: logging
  - libnetfilter_conntrack: connection tracking handling
Ulogd2: a ulogd generalisation
- Ulogd2: a rewrite of ulogd that interacts with the new libraries
- libnetfilter_log (generalized ulog): packet logging, IPv6 ready, few structural modifications
- libnetfilter_conntrack (new): connection tracking logging, accounting, logging
- libnetfilter_nfacct (added recently): high performance accounting
Netfilter connection tracking
- Netfilter maintains a connection table
- Valid for "all" protocols
  - For flow-oriented protocols: TCP, SCTP
  - For protocols without state: UDP
- Supports both IPv4 and IPv6
Network Address Translation
- A private network can't go to the internet as is: the firewall has to modify packets to show its own address
- Two ways of seeing a connection: from inside, from outside
- Conntrack keeps track of the correspondence:

```
tcp 6 431996 ESTABLISHED src=192.168.1.131 dst=91.121.73.151 sport=52964 dport=22 \
packets=13 bytes=772 src=91.121.73.151 dst=192.168.1.131 sport=22 dport=52964 \
packets=11 bytes=7548 [ASSURED] mark=0 secmark=0 use=1
```
libnetfilter_conntrack: connection tracking handling library
- Interrogation
  - Connections listing
  - Retrieve information about a connection: IP information, accounting statistics
  - Event mode
- Modification
  - Create new entry
  - Change or fix timeout
  - Change mark
  - Destruction of entries
Connection tracking events
- Send all significant connection-related events to userspace:
  - NEW: connection creation
  - ESTABLISHED: switch from NEW to ESTABLISHED connection
  - DESTROY: connection destruction
- Makes it possible to maintain a connection history in userspace: accounting information, NAT decision history
Ulogd2, a modular daemon
- Able to use multiple entries: packet logging, flow logging, accounting
- And multiple outputs: text based, DB based
- Plugin based architecture: entry, output, filters
Ulogd2, explanatory schema
Ulogd2, schema of architecture
The stack concept
- Workflow based configuration: stack
  - Choose an input
  - Describe the transformations and filters to apply
  - Choose an output
- Based on key value propagation through the stack:

```
stack=n1:NFLOG,bs1:BASE,i1:IFINDEX,ip2s:IP2STR,pp:PRINTPKT,emu1:LOGEMU
stack=ct1:NFCT,mark1:MARK,ip2str1:IP2STR,pgsql2:PGSQL
```
The stack concept: plugin
- Each plugin has:
  - Input keys
  - Output keys
  - Optional configuration keys
- Plugin structure:

```
# ulogd --info /usr/lib/ulogd/ulogd_filter_IP2STR.so
Name: IP2STR
Input keys:
Key: oob.family (unsigned int 8)
Key: oob.protocol (unsigned int 16)
Key: ip.saddr (IP addr)
Key: ip.daddr (IP addr)
[...]
Output keys:
Key: ip.saddr.str (string)
Key: ip.daddr.str (string)
[...]
```
Packet logging
- Compatible with old kernels
- IPv4 support: ULOG, NFLOG
- IPv6 support: NFLOG only
- Hardware information: network interfaces, hardware header
Connection tracking event logging
- libnetfilter_conntrack based
- IPv4 and IPv6
- Listen to events
- Contains the two IP tuples: orig IP header, reply IP header
Netfilter accounting
Principles
- High performance accounting
- A library, libnetfilter_acct, and a utility, nfacct
- nfacct is used to create counters
- Counters are referenced as a match in iptables rules
Examples

```
nfacct add ipv4.http
nfacct add ipv6.http
ip6tables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name ipv6.http
ip6tables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name ipv6.http
iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name ipv4.http
iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name ipv4.http
```
Various output plugins
- File-based: Syslog, File, PCAP, NACCT
- Databases: PGSQL, MySQL, SQLite
- Network: IPFIX, GRAPHITE
Treatment and filtering
- Treatment plugins
  - Decoding plugins: BASE, IFINDEX
  - Conversion plugins: IP2STR, IP2BIN, MAC2STR
- Filtering: decide whether treatment has to be continued
  - MARK plugin: stop propagation through the stack if there is no match on mark
- Multiplexing: reusing INPUT data, multiple logging
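The stack and plugin slides above describe two mechanisms: a stack line names a chain of plugin instances, and each plugin declares the keys it consumes and produces, with a filter such as MARK able to stop propagation. The following added example (my own model, not ulogd2 code) makes both mechanisms concrete: it parses a `stack=` line, checks that every plugin's input keys are produced earlier in the chain (the check ulogd performs when it loads a stack), and propagates one constructed conntrack event through `NFCT,MARK,IP2STR,PGSQL`. Only IP2STR's keys come from the `ulogd --info` slide; the keys of NFCT and PGSQL, the `mark`/`mask` configuration of MARK and its `(ct.mark & mask) == mark` rule are assumptions made for the example, and PGSQL is a stand-in that collects rows instead of inserting them.

```python
"""Added example: key propagation through a ulogd2-style stack."""
import ipaddress

PLUGINS = {}


def plugin(name, inputs, outputs):
    """Register a plugin with the keys it needs and the keys it produces."""
    def register(fn):
        PLUGINS[name] = {"inputs": frozenset(inputs),
                         "outputs": frozenset(outputs), "fn": fn}
        return fn
    return register


@plugin("NFCT", inputs=(), outputs=("oob.family", "oob.protocol",
                                    "ip.saddr", "ip.daddr", "ct.mark"))
def nfct(keys, cfg):
    # Input plugin (assumed keys): the event handed to run_stack is its key set.
    return {}


@plugin("MARK", inputs=("ct.mark",), outputs=())
def mark(keys, cfg):
    # Filter: returning None stops propagation. Assumed config keys "mark"
    # and "mask"; the flow continues only when (ct.mark & mask) == mark.
    if (keys["ct.mark"] & cfg.get("mask", 0xFFFFFFFF)) != cfg.get("mark", 0):
        return None
    return {}


@plugin("IP2STR", inputs=("oob.family", "oob.protocol", "ip.saddr", "ip.daddr"),
        outputs=("ip.saddr.str", "ip.daddr.str"))
def ip2str(keys, cfg):
    # Conversion plugin (keys from the slide): binary address -> string.
    return {"ip.saddr.str": str(ipaddress.ip_address(keys["ip.saddr"])),
            "ip.daddr.str": str(ipaddress.ip_address(keys["ip.daddr"]))}


@plugin("PGSQL", inputs=("ip.saddr.str", "ip.daddr.str", "oob.protocol"), outputs=())
def pgsql(keys, cfg):
    # Output stand-in (assumed keys): collect the row the real plugin would insert.
    cfg.setdefault("rows", []).append({k: keys[k] for k in PLUGINS["PGSQL"]["inputs"]})
    return {}


def parse_stack(line):
    """'stack=ct1:NFCT,mark1:MARK' -> [('ct1', 'NFCT'), ('mark1', 'MARK')]"""
    _, _, spec = line.strip().partition("=")
    pairs = []
    for item in spec.split(","):
        instance, _, name = item.strip().partition(":")
        if name not in PLUGINS:
            raise ValueError("unknown plugin %r in %r" % (name, line))
        pairs.append((instance, name))
    return pairs


def check_stack(pairs):
    """Every input key must be produced by a plugin earlier in the stack."""
    available = set()
    for instance, name in pairs:
        missing = PLUGINS[name]["inputs"] - available
        if missing:
            raise ValueError("%s:%s needs %s" % (instance, name, sorted(missing)))
        available |= PLUGINS[name]["outputs"]
    return available


def validate(line):
    """None if the stack line is consistent, else the error message."""
    try:
        check_stack(parse_stack(line))
    except ValueError as exc:
        return str(exc)
    return None


def run_stack(pairs, event, config):
    """Propagate one event through the stack; None means a filter dropped it."""
    keys = dict(event)
    for instance, name in pairs:
        produced = PLUGINS[name]["fn"](keys, config.setdefault(instance, {}))
        if produced is None:
            return None
        keys.update(produced)
    return keys


# Constructed conntrack event: 192.168.1.131 -> 91.121.73.151, TCP, mark 1.
EVENT = {"oob.family": 2, "oob.protocol": 6,
         "ip.saddr": 0xC0A80183, "ip.daddr": 0x5B794997, "ct.mark": 1}
STACK_LINE = "stack=ct1:NFCT,mark1:MARK,ip2str1:IP2STR,pgsql2:PGSQL"

if __name__ == "__main__":
    cfg = {"mark1": {"mark": 1, "mask": 0xFF}}
    print(run_stack(parse_stack(STACK_LINE), EVENT, cfg))
    print(validate("stack=ct1:NFCT,pgsql2:PGSQL"))
```

Dropping IP2STR from the second stack line is the typical configuration mistake: `validate` reports that `pgsql2:PGSQL` needs `ip.saddr.str`, which is what the key check exists for.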
Really use databases
- Leave database work to the database: use database capabilities
  - Procedure for insertion
  - Extensible schemas
- Optimize the schema
  - Avoid empty fields
  - Index on the most frequent requests
- Autoconfiguration
  - ulogd calls a procedure
  - params are taken from the field names in a table
  - no need to recompile ulogd if we change the DB
Easy modification
- Procedure can do different things with data
- Provided procedure: insertion of all available data in DB
  - For connection tracking
  - For packet logging
- Possible extension: arbitrary accounting, statistics
Extensible database schemas
- Easy to extend
  - Add a table with your custom fields
  - Link the ID of the new table with the ulog2 ID
Use VIEW for usage ease
VIEWs can be built for common tasks.
TCP quad view:

```
CREATE OR REPLACE VIEW view_tcp_quad AS
SELECT ulog2._id, ulog2.ip_saddr_str, tcp.tcp_sport,
       ulog2.ip_daddr_str, tcp.tcp_dport
FROM ulog2 INNER JOIN tcp ON ulog2._id = tcp._tcp_id;
```

and provide easy selects.
TCP quad select:

```
ulog2=> SELECT ip_saddr_str,tcp_dport FROM view_tcp_quad;
 ip_saddr_str  | tcp_dport
---------------+-----------
 148.60.18.179 |      1194
 148.60.18.179 |      1194
```
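The three database slides above (insertion procedure, extension table linked by the ulog2 ID, and the TCP quad view) fit in one runnable model. The following added example (constructed for this page, not ulogd2's shipped schema) builds a reduced `ulog2`/`tcp` schema in SQLite, one of the databases ulogd2 supports, adds a hypothetical `analyst_notes` extension table keyed on `ulog2._id`, defines `view_tcp_quad` exactly as the slide does, and queries it. Column names follow the slide; the extension table, the index and all rows are assumptions, and `CREATE OR REPLACE VIEW` becomes `CREATE VIEW` because SQLite has no `OR REPLACE` for views.

```python
"""Added example: a reduced ulog2 schema, an extension table and the TCP quad view."""
import sqlite3

SCHEMA = """
CREATE TABLE ulog2 (
    _id          INTEGER PRIMARY KEY AUTOINCREMENT,
    oob_prefix   TEXT,
    ip_saddr_str TEXT NOT NULL,
    ip_daddr_str TEXT NOT NULL,
    ip_protocol  INTEGER NOT NULL
);
-- Protocol-specific fields live in their own table: no empty TCP columns for UDP rows.
CREATE TABLE tcp (
    _tcp_id   INTEGER PRIMARY KEY REFERENCES ulog2(_id),
    tcp_sport INTEGER NOT NULL,
    tcp_dport INTEGER NOT NULL
);
-- Extension table (assumed): custom fields linked to the ulog2 ID.
CREATE TABLE analyst_notes (
    _note_id INTEGER PRIMARY KEY REFERENCES ulog2(_id),
    verdict  TEXT NOT NULL
);
-- Index on the most frequent request: lookups by source address.
CREATE INDEX ulog2_saddr ON ulog2(ip_saddr_str);
-- The slide's view (SQLite has no CREATE OR REPLACE VIEW).
CREATE VIEW view_tcp_quad AS
SELECT ulog2._id, ulog2.ip_saddr_str, tcp.tcp_sport,
       ulog2.ip_daddr_str, tcp.tcp_dport
FROM ulog2 INNER JOIN tcp ON ulog2._id = tcp._tcp_id;
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # enforce the ID links
    db.executescript(SCHEMA)
    return db


def insert_packet(db, prefix, saddr, daddr, sport, dport):
    """Stand-in for the insertion procedure: ulog2 row plus tcp row, atomically."""
    with db:
        cur = db.execute(
            "INSERT INTO ulog2(oob_prefix, ip_saddr_str, ip_daddr_str, ip_protocol)"
            " VALUES (?, ?, ?, 6)", (prefix, saddr, daddr))
        pkt_id = cur.lastrowid
        db.execute("INSERT INTO tcp(_tcp_id, tcp_sport, tcp_dport) VALUES (?, ?, ?)",
                   (pkt_id, sport, dport))
    return pkt_id


def annotate(db, pkt_id, verdict):
    """Attach a custom field to an existing packet; False if the ID does not exist."""
    try:
        with db:
            db.execute("INSERT INTO analyst_notes(_note_id, verdict) VALUES (?, ?)",
                       (pkt_id, verdict))
    except sqlite3.IntegrityError:
        return False
    return True


def tcp_quad(db):
    """The slide's select, against the view."""
    return db.execute(
        "SELECT ip_saddr_str, tcp_dport FROM view_tcp_quad ORDER BY _id").fetchall()


def annotated_quads(db):
    """Join the view with the extension table through the shared ID."""
    return db.execute("""
        SELECT q.ip_saddr_str, q.tcp_dport, n.verdict
        FROM view_tcp_quad q JOIN analyst_notes n ON n._note_id = q._id
        ORDER BY q._id""").fetchall()


def demo():
    """Constructed rows; the two port-1194 rows echo the slide's output."""
    db = open_db()
    insert_packet(db, "INPUT DROP", "148.60.18.179", "91.121.73.151", 51042, 1194)
    insert_packet(db, "INPUT DROP", "148.60.18.179", "91.121.73.151", 51043, 1194)
    ident = insert_packet(db, "INPUT DROP", "62.212.121.211", "91.121.73.151", 59261, 113)
    annotate(db, ident, "ident scan")
    return db


if __name__ == "__main__":
    for row in annotated_quads(demo()):
        print(row)
```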
Security interest
- Analyse dropped traffic
  - Attack attempts
  - Scans
  - Worm or trojan traffic
  - Detect invalid configuration
- Analyse authorized traffic
  - Keep a trace of access to critical data
  - Forensics on a successful attack
  - Work with other security subsystems
Kernel event logging
Activate kernel event logging:

```
echo 255 > /proc/sys/net/netfilter/nf_conntrack_log_invalid
```

Display the log modules in use:

```
cat /proc/net/netfilter/nf_log
 2 ipt_LOG (ipt_LOG,nfnetlink_log)
10 ip6t_LOG (ip6t_LOG,nfnetlink_log)
```

Activate nfnetlink_log (group 0) on IPv4 and IPv6:

```
echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/2
echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/10
```
Djedi
- A dashboard application: DJango Extended Dashboard highly Interactive
- Provides an ulogd2 application
- https://www.wzdftpd.net/redmine/projects/djedi
Djedi: Demonstration
Video
Security interest
- Advantages of logging flows over logging packets: start time, end time, volume information
- Better view of the severity of the event: duration information, data volume, NAT information
Recover internal IP from external data
- Connection logging contains: orig IP tuple, reply IP tuple
- Someone from outside asks you for information about an attack:
  - The external world only knows the reply tuple
  - Connection logging leads you to the IP at the origin of the attack
Accounting
- Per-flow accounting: each connection logging contains bytes usage and packet usage
- Summing usage leads you to global statistics
  - Using any IP criteria (per port or per IP bandwidth)
  - Or using external information (per user bandwidth)
- May need to activate conntrack extensions:

```
echo "1" > /proc/sys/net/netfilter/nf_conntrack_acct
echo "1" > /proc/sys/net/netfilter/nf_conntrack_timestamp
```
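The two slides above, recovering the internal IP from what the outside world saw and summing per-flow counters, both work on the same record: a conntrack flow with its orig and reply tuples, start and end times (the timestamp extension) and byte counters (the accounting extension). The following added example (constructed for this page, not ulogd2 code) keeps such records in memory and answers both questions: an external report "your 203.0.113.7 port 1025 connected to my 198.51.100.10:22 at time T" is matched against reply tuples to find the internal origin, and the counters are summed per internal host and per destination port. All addresses (documentation ranges), ports, times and byte counts are constructed; `repeated_short_flows` is an added illustration of the duration information the slides mention, picking out sources with many very short flows to one port.

```python
"""Added example: NAT origin recovery and accounting over conntrack-style flow records."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IPTuple:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Flow:
    start: int        # timestamp extension: flow start (constructed epoch seconds)
    end: int          # DESTROY event time
    orig: IPTuple     # tuple as seen from inside
    reply: IPTuple    # tuple as seen from outside (after NAT)
    orig_bytes: int   # accounting extension, original direction
    reply_bytes: int  # accounting extension, reply direction


# Constructed flows: internal hosts behind the firewall's public address
# 203.0.113.7; the reply tuple carries the translated source port the
# outside world sees (52964 kept, 40001 -> 1025, 40002 -> 1026).
FLOWS = [
    Flow(1000, 1060, IPTuple("192.168.1.131", "198.51.100.10", 52964, 22),
         IPTuple("198.51.100.10", "203.0.113.7", 22, 52964), 772, 7548),
    Flow(1010, 1015, IPTuple("192.168.1.20", "198.51.100.10", 40001, 22),
         IPTuple("198.51.100.10", "203.0.113.7", 22, 1025), 400, 600),
    Flow(1020, 1021, IPTuple("192.168.1.20", "198.51.100.10", 40002, 22),
         IPTuple("198.51.100.10", "203.0.113.7", 22, 1026), 380, 590),
]


def find_origin(flows, public_ip, public_port, remote_ip, remote_port, when):
    """What the outside world reports is the reply tuple (remote -> public)
    plus a time; return the internal (address, port) pairs active then."""
    hits = []
    for f in flows:
        r = f.reply
        if ((r.dst, r.dport, r.src, r.sport) == (public_ip, public_port, remote_ip, remote_port)
                and f.start <= when <= f.end):
            hits.append((f.orig.src, f.orig.sport))
    return hits


def bytes_per_host(flows, network):
    """Sum both directions per internal address inside `network`."""
    net = ipaddress.ip_network(network)
    totals = defaultdict(int)
    for f in flows:
        if ipaddress.ip_address(f.orig.src) in net:
            totals[f.orig.src] += f.orig_bytes + f.reply_bytes
    return dict(totals)


def bytes_per_port(flows):
    """Sum both directions per destination port of the original direction."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.orig.dport] += f.orig_bytes + f.reply_bytes
    return dict(totals)


def repeated_short_flows(flows, dport, max_duration, min_count):
    """Internal sources with at least min_count flows to dport, each lasting
    at most max_duration seconds: the pattern of a repeated login attempt."""
    counts = defaultdict(int)
    for f in flows:
        if f.orig.dport == dport and f.end - f.start <= max_duration:
            counts[f.orig.src] += 1
    return sorted(src for src, n in counts.items() if n >= min_count)


if __name__ == "__main__":
    print(find_origin(FLOWS, "203.0.113.7", 1025, "198.51.100.10", 22, 1012))
    print(bytes_per_host(FLOWS, "192.168.1.0/24"))
    print(repeated_short_flows(FLOWS, 22, 5, 2))
```

The time check matters: NAT reuses translated ports, so a (public address, port) pair alone can match several flows over a day; only the pair plus the reported time pins down one internal origin.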
NF3D
- Data visualisation tryout
- Represents both packets and connections on a graph
- Links packets to their corresponding connection
- Connections are displayed in GANTT fashion
NF3D: SSH brute force
NF3D: Demonstration
Video
Netfilter accounting
- Prerequisites: nfacct and libnetfilter_acct; Ulogd 2.0.2 for Graphite output
- Create counters:

```
nfacct add ipv4.http
nfacct add ipv6.http
```

- Select data to account:

```
ip6tables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name ipv6.http
ip6tables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name ipv6.http
iptables -I INPUT -p tcp --sport 80 -m nfacct --nfacct-name ipv4.http
iptables -I OUTPUT -p tcp --dport 80 -m nfacct --nfacct-name ipv4.http
```
Ulogd and Graphite
- Activate and set up the stack:

```
stack=acct1:NFACCT,graphite1:GRAPHITE

[acct1]
pollinterval = 2

[graphite1]
host="127.0.0.1"
port="2003"
```
A complete logging system
- A full-featured logging daemon for Netfilter: packet logging, connection logging, accounting
- Easy to extend: via plugins, via database modification
Questions?
Contacts
- Directly: [email protected]
- List: [email protected]
References
- Ulogd2: http://netfilter.org/projects/ulogd/index.html
- Djedi: https://www.wzdftpd.net/redmine/projects/djedi
- NF3D: https://home.regit.org/software/nf3d
- My blog: https://home.regit.org/