Iptables log analysis tool, not reporting tool?

May 29, 2004 5:48:49 AM

Archived from groups: comp.security.firewalls

Hi,

I'm running a Linux server and receive about 3000-5000 hits on my
firewall daily. I'm running fwlogwatch to create daily reports and
from these I can see all hits on the firewall, source address, source
network name, ports, hit counts etc. etc. Just like any ordinary
*reporting* tool...

However, this information doesn't give me enough intelligence to
understand if a hit on the firewall is a virus or a serious attempt
from a real hacker. Also, it's a lot of info to browse through every
morning.

Is there any more advanced iptables *analysis* tool that can filter
out the behaviour of known viruses and create a report with just the
non-virus attacks, which is what I'm really interested in? The ideal
would be if the tool's rules were updated as new viruses appear.

Any ideas? Anyone?

Thanks in advance
Henrik Sjöstrand

June 2, 2004 5:21:14 PM

Henrik Sjostrand wrote:

> I'm running a Linux server and receive about 3000-5000 hits on my
> firewall daily.

Absolutely normal and nothing to worry about.

> I'm running fwlogwatch to create daily reports and
> from these I can see all hits on the firewall, source address, source
> network name, ports, hit counts etc. etc. Just like any ordinary
> *reporting* tool...

Well, you see rejected connection attempts, fine, just sit back and relax,
nothing to worry about.

> However, this information doesn't give me enough intelligence to
> understand if a hit on the firewall is a virus or a serious attempt
> from a real hacker.

iptables is a packet filter and thus - as any packet filter - knows
absolutely nothing about payload.

> Also, it's a lot of info to browse through every morning.

Just forget about that.

> Is there any more advanced iptables *analysis* tool that can filter
> out the behaviour of known viruses and create a report with just the
> non-virus attacks, which is what I'm really interested in?

Impossible task for any packet filter.

> The ideal would be if the tool's rules were updated as new viruses appear.

Packet filters know nothing about payload. If you want to analyze packet
content you need some sort of intrusion detection system (IDS). snort would
be a possibility.

http://www.snort.org

> Any ideas? Anyone?

Yes, understand the basics first. The network layer model belongs to those
basics. With this knowledge you'd have been able to realize that what you
want is technically impossible, since any packet filter works on layers
below the application layer and therefore neither knows nor cares
about payload.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind
Peter Gabriel, Not one of us, 1980
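An added example, written for this page and not code from either poster, fwlogwatch or snort, that makes Wolfgang's point concrete: everything a script can do with iptables LOG output is arithmetic on header fields (source, protocol, destination port, distinct-port counts). It sorts sources into "noise" (every hit went to a port on an admin-maintained list of ports that, in this hypothetical environment, are only ever hit by mass scanning), "scan" (many distinct ports from one source) and "review" (anything else). The sample log lines, the noise-port list and the scan threshold are all constructed assumptions; a "noise" verdict says the port matched a pattern, not that the packet was a worm, which is exactly the gap an IDS exists to close.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the format written by the iptables LOG target.
SAMPLE_LOG = """\
May 29 03:12:44 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=113 ID=1 DF PROTO=TCP SPT=3456 DPT=135 WINDOW=16384 SYN URGP=0
May 29 03:12:45 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=113 ID=2 DF PROTO=TCP SPT=3457 DPT=445 WINDOW=16384 SYN URGP=0
May 29 03:15:02 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.5 LEN=404 TTL=110 ID=3 PROTO=UDP SPT=1029 DPT=1434 LEN=384
May 29 03:20:10 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=60 TTL=52 ID=4 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 SYN URGP=0
May 29 03:20:11 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=60 TTL=52 ID=5 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 SYN URGP=0
May 29 03:20:12 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=60 TTL=52 ID=6 DF PROTO=TCP SPT=40003 DPT=443 WINDOW=5840 SYN URGP=0
May 29 03:20:13 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=60 TTL=52 ID=7 DF PROTO=TCP SPT=40004 DPT=3306 WINDOW=5840 SYN URGP=0
May 29 03:20:14 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 LEN=60 TTL=52 ID=8 DF PROTO=TCP SPT=40005 DPT=8080 WINDOW=5840 SYN URGP=0
May 29 03:41:09 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.200 DST=203.0.113.5 LEN=60 TTL=48 ID=9 DF PROTO=TCP SPT=51022 DPT=22 WINDOW=5840 SYN URGP=0
"""

# Assumed, admin-maintained list of (protocol, port) pairs that in this
# hypothetical environment are hit only by background scanning. It is the
# "virus rule set" Henrik asked for, reduced to the only thing the log can
# carry: header fields. It has to be kept up to date by hand.
NOISE_PORTS = {("TCP", 135), ("TCP", 445), ("UDP", 1434)}

# Assumed threshold: this many distinct ports from one source is a scan.
SCAN_THRESHOLD = 5

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Extract the KEY=VALUE header fields from one iptables LOG line.

    Returns None for lines that are not firewall entries. Bare flags such
    as DF or SYN carry no '=' and are ignored; there is no payload to read.
    """
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    dpt = fields.get("DPT", "")
    return {
        "src": fields["SRC"],
        "dst": fields.get("DST"),
        "proto": fields["PROTO"],
        "dpt": int(dpt) if dpt.isdigit() else None,
    }


def classify_sources(log_text, noise_ports=NOISE_PORTS, scan_threshold=SCAN_THRESHOLD):
    """Map each source address to 'noise', 'scan' or 'review'.

    Every verdict rests on (proto, dport) tuples alone: 'noise' means the
    source touched only listed ports, not that its packets were a worm.
    """
    by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] is None:
            continue
        by_src[rec["src"]].add((rec["proto"], rec["dpt"]))

    verdicts = {}
    for src, targets in by_src.items():
        if targets <= noise_ports:
            verdicts[src] = "noise"
        elif len(targets) >= scan_threshold:
            verdicts[src] = "scan"
        else:
            verdicts[src] = "review"
    return verdicts


def needs_review(verdicts):
    """Sources left after the noise is filtered out, i.e. the morning list."""
    return sorted(src for src, v in verdicts.items() if v != "noise")


if __name__ == "__main__":
    result = classify_sources(SAMPLE_LOG)
    for src in needs_review(result):
        print(f"{src:16} {result[src]}")
```

Run against the constructed lines, 198.51.100.7 and 192.0.2.33 are filtered as noise, 203.0.113.77 is flagged as a scan, and 198.51.100.200 (one SYN to 22/tcp) lands in "review" because the log gives no basis to call it either harmless or hostile. Deciding that would take the packet content, which only an IDS such as snort sees.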