Log samples for IplogΒΆ

Some log samples for iplog

Nov  9 16:24:47 TCP: ftp connection attempt from mail.derkeiler.com (195.140.232.116):52516
Nov  9 16:24:47 TCP: pptp connection attempt from mail.derkeiler.com (195.140.232.116):51624
Nov  9 16:24:47 TCP: domain connection attempt from mail.derkeiler.com (195.140.232.116):56341
Nov  9 16:24:47 TCP: ldaps connection attempt from mail.derkeiler.com (195.140.232.116):57057
Nov  9 16:24:47 TCP: https connection attempt from mail.derkeiler.com (195.140.232.116):2032
Nov  9 16:24:47 TCP: ldap connection attempt from mail.derkeiler.com (195.140.232.116):53716
Nov  9 16:24:47 TCP: rdp connection attempt from mail.derkeiler.com (195.140.232.116):62101
Nov  9 16:24:47 TCP: rtsp connection attempt from mail.derkeiler.com (195.140.232.116):60003
Nov  9 16:24:49 TCP: rtsp connection attempt from mail.derkeiler.com (195.140.232.116):58672
Nov  9 16:24:49 TCP: pptp connection attempt from mail.derkeiler.com (195.140.232.116):56416
Nov  9 16:24:49 TCP: rdp connection attempt from mail.derkeiler.com (195.140.232.116):50295
Nov  9 16:24:49 TCP: https connection attempt from mail.derkeiler.com (195.140.232.116):53896
Nov  9 16:24:49 TCP: ldap connection attempt from mail.derkeiler.com (195.140.232.116):65200
Nov  9 16:24:49 TCP: ftp connection attempt from mail.derkeiler.com (195.140.232.116):61067
Nov  9 16:24:49 TCP: port scan detected [ports 21,1723,53,636,443,389,3389,554] from mail.derkeiler.com (195.140.232.116) [ports 52516,51624$
Nov  9 16:26:39 TCP: port scan mode expired for mail.derkeiler.com (195.140.232.116) - received a total of 3308 packets (132320 bytes).

=iplog= iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP, and ICMP traffic. iplog is able to detect TCP port scans, TCP null scans, FIN scans, UDP and ICMP “smurf” attacks, bogus TCP flags, TCP SYN scans, TCP “Xmas” scans, ICMP ping floods, UDP scans, and IP fragment attacks. iplog is able to run in promiscuous mode and monitor traffic to all hosts on a network. iplog uses libpcap to read data from the network and can be ported to any system that supports pthreads and on which libpcap will function.

=iplog.conf=

the syslog, user, group and internal network configuration is not show (OS dependient) iplog can log in diferets ways depending of the configuration parameters (DNS resolv, log_dest, etc), the proposed decoders and rules only work with the logs later described, this configuration file extract is functional with this requeriment, please read man iplog and man iplog.conf

<nowiki># Log the IP address as well as the hostname of packets.</nowiki>

set log_ip true

<nowiki># Do not log the destination of packets (more presentable logs)</nowiki>

set log_dest false

<nowiki># Ignore DNS traffic from nameservers in /etc/resolv.conf.</nowiki>

set ignore_dns true

<nowiki># I dont want too many logs: ignore www, netbios, microsoft-ds loc-srv, 5900 tcp/port conecctions, not all the OS recognize the port alias, replace with de adecuate port number</nowiki>

ignore tcp dport 80

ignore tcp dport netbios-ssn

ignore tcp dport microsoft-ds

ignore tcp dport loc-srv

ignore tcp dport 5900

<nowiki># Port Scan Check</nowiki>

set portscan true

set icmp true

set frag true

set smurf true

set bogus true

set fin_scan true

set syn_scan true

set udp_scan true

set fool_nmap false

set xmas_scan true

set null_scan true

set ping_flood true

set traceroute true

=iplog: Scan and attack responses=

==’‘’Connect Scan and SYN scan’‘’== nmap -sT -PI -PT 10.10.160.2

‘’‘iplog response’‘’

Nov 14 18:09:08 TCP: domain connection attempt from 10.10.150.1:51239

Nov 14 18:09:08 TCP: https connection attempt from 10.10.150.1:51240

Nov 14 18:09:08 TCP: port 1723 connection attempt from 10.10.150.1:51241

Nov 14 18:09:08 TCP: ftp connection attempt from 10.10.150.1:51242

Nov 14 18:09:08 TCP: smtp connection attempt from 10.10.150.1:51243

Nov 14 18:09:08 TCP: port 3389 connection attempt from 10.10.150.1:51244

Nov 14 18:09:08 TCP: auth connection attempt from 10.10.150.1:51245

Nov 14 18:09:08 TCP: port 636 connection attempt from 10.10.150.1:51246

Nov 14 18:09:08 TCP: port 256 connection attempt from 10.10.150.1:51247

Nov 14 18:09:08 TCP: port 554 connection attempt from 10.10.150.1:51248

Nov 14 18:09:08 TCP: telnet connection attempt from 10.10.150.1:51249

Nov 14 18:09:08 TCP: port 389 connection attempt from 10.10.150.1:51250

Nov 14 18:09:08 TCP: ssh connection attempt from 10.10.150.1:51251

Nov 14 18:09:08 TCP: port 486 connection attempt from 10.10.150.1:51253

<font color=”red”>Nov 14 18:09:08 TCP: port scan detected [ports 53,443,1723,21,25,3389,113,636,256,554,...] from 10.10.150.1 [ports 51242,51243,...]</font>

Nov 14 18:09:08 UDP: dgram to port 1 from 10.10.150.1:34324 (300 data bytes)

<font color=”red”>Nov 14 18:09:12 TCP: SYN scan detected [ports 21,1] from 10.10.150.1 [ports 34333,34335,34325,34326,34327,...]</font>

Nov 14 18:09:12 UDP: dgram to port 1 from 10.10.150.1:34324 (300 data bytes)

Nov 14 18:10:02 last message repeated 1 times

Nov 14 18:10:02 TCP: port scan mode expired for 10.10.150.1 - received a total of 1678 packets (47092 bytes).

Nov 14 18:10:09 TCP: SYN scan mode expired for 10.10.150.1 - received a total of 24 packets (960 bytes).

==’‘’FIN Stealth Scan’‘’== nmap -sF -p- -PI -PT 10.10.150.2

‘’‘iplog response’‘’

<font color=”red”>Nov 14 18:22:51 TCP: FIN scan detected [ports 3389,1723,256,113,22,389,554,443,21,23,...] from 10.10.150.1 [port 57876]</font>

Nov 14 18:24:05 TCP: FIN scan mode expired for 10.10.150.1 - received a total of 65535 packets (1310700 bytes)

==’‘’NULL Stealth Scan’‘’== nmap -sN -p- -PI -PT 10.10.150.2

‘’‘iplog response’‘’

<font color=”red”>Nov 14 18:26:58 TCP: null scan detected [ports 636,53,23,3389,1723,443,113,554,25,21,...] from 10.10.150.1 [port 35444]</font>

Nov 14 18:28:14 TCP: null scan mode expired for 10.10.150.1 - received a total of 65534 packets (1310680 bytes)

==’‘’Xmas Tree Stealth Scan’‘’== nmap -sX -p- -PI -PT 10.10.150.2

‘’‘iplog response’‘’

<font color=”red”>Nov 14 18:30:30 TCP: Xmas scan detected [ports 636,256,554,389,1723,53,443,21,3389,22,...] from 10.10.150.1 [port 42399]</font>

Nov 14 18:31:48 TCP: Xmas scan mode expired for 10.10.150.1 - received a total of 65532 packets (1310640 bytes).

==’‘’UDP port scan’‘’== nmap -sU -p- -PI -PT 10.10.150.2

‘’‘iplog response’‘’

Nov 14 18:34:59 UDP: dgram to port 33161 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 41107 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 63571 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 48714 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 25271 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 13612 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 41094 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 52700 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 11482 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 62794 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 28270 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 27081 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 10866 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 63494 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 28686 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 44600 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 21771 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 53283 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 44436 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 46916 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 30519 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:34:59 UDP: dgram to port 8041 from 10.10.150.1:60362 (0 data bytes)

Nov 14 18:35:00 UDP: dgram to port 8041 from 10.10.150.1:60363 (0 data bytes)

Nov 14 18:35:00 UDP: dgram to port 30519 from 10.10.150.1:60363 (0 data bytes)

<font color=”red”>Nov 14 18:35:00 UDP: scan/flood detected [ports 33161,41107,63571,48714,25271,...] from 10.10.150.1 [ports 60362]</font>

Nov 14 18:39:15 UDP: scan/flood mode expired for 10.10.150.1 - received a total of 356 packets (2848 bytes).

==’‘’traceroute’‘’== traceroute 10.10.150.1

‘’‘iplog response’‘’

<font color=”red”>Nov 14 18:57:18 UDP: traceroute from 10.10.150.2</font>

==’‘’Flood ping attack’‘’== ping -f 10.10.150.2

‘’‘iplog response’‘’

<font color=”red”>Nov 14 19:09:33 ICMP: ping flood detected from 10.10.150.1</font>

Nov 14 19:11:29 ICMP: ping flood mode expired for 10.10.150.1 - received a total of 428 packets (8416000 bytes).

==’‘’IP fragment attacks’‘’== TODO

==’‘’UDP and ICMP “smurf” attacks’‘’== Nov 18 19:12:30 ICMP/UDP: smurf attack detected from 201.223.41.0

<font color=”red”>Nov 18 19:23:30 ICMP/UDP: smurf attack detected from 201.223.41.0</font>

Nov 18 19:28:07 ICMP/UDP: smurf attack mode expired for 201.223.41.0 - received a total of 337 packets (21568 bytes).

==’‘’Another interesting logs’‘’==

‘’‘bogus TCP flags’‘’

<font color=”red”>Nov 14 15:57:56 TCP: Bogus TCP flags set by 10.10.160.2:60873 (dest port 25)</font>

=’‘’OSSEC (HIDS) + iplog (sensor) implementation’‘’= *Work in progress *TODO: improve regex, decoders and rules. p0f complementation? *Configuration tested in FreeBSD 6.1 and archlinux gimmick *Last modification 14/Nov/2006

==’‘’iplog decoder’‘’==

‘’‘For this logs:’‘’

Nov 14 18:09:12 TCP: SYN scan detected [ports 21,1] from 10.10.150.1 [ports 34333,34335,34325,34326,34327,...]

Nov 14 18:09:08 TCP: port scan detected [ports 53,443,1723,21,25,3389,113,636,256,554,...] from 10.10.150.1 [ports 51242,51243,...]

Nov 14 18:22:51 TCP: FIN scan detected [ports 3389,1723,256,113,22,389,554,443,21,23,...] from 10.10.150.1 [port 57876]

Nov 14 18:26:58 TCP: null scan detected [ports 636,53,23,3389,1723,443,113,554,25,21,...] from 10.10.150.1 [port 35444]

Nov 14 18:30:30 TCP: Xmas scan detected [ports 636,256,554,389,1723,53,443,21,3389,22,...] from 10.10.150.1 [port 42399]

‘’‘a working decoder is:’‘’

<decoder name=”iplog-scan”>
<prematch>S+ scan detected</prematch> <regex offset=”after_prematch”>S+ S+ from (S+)</regex> <order>srcip</order>

</decoder>

‘’‘For this log:’‘’

Nov 14 18:35:00 UDP: scan/flood detected [ports 33161,41107,63571,48714,25271,...] from 10.10.150.1 [ports 60362]

‘’‘a proppossed decoder is (not tested):’‘’

<decoder name=”iplog-flood”>
<prematch>scan/flood detected</prematch> <regex offset=”after_prematch”>S+ S+ from (S+)</regex> <order>srcip</order>

</decoder>

‘’‘For this log:’‘’

Nov 14 19:09:33 ICMP: ping flood detected from 10.10.150.1

‘’‘a proppossed decoder is (not tested):’‘’

<decoder name=”iplog-pingflood”>
<prematch>ping flood detected from</prematch> <regex offset=”after_prematch”>(S+)</regex> <order>srcip</order>

</decoder>

‘’‘For this log:’‘’ (necesary to include???????) i Think no (very paranoic)

Nov 14 18:57:18 UDP: traceroute from 10.10.150.2

‘’‘a proppossed decoder is (not tested):’‘’

<decoder name=”iplog-traceroute”>
<prematch>pingtraceroute from</prematch> <regex offset=”after_prematch”>(S+)</regex> <order>srcip</order>

</decoder>

‘’‘For this log:’‘’ (necesary to include???????) i Think no (very paranoic)

Nov 14 15:57:56 TCP: Bogus TCP flags set by 10.10.160.2:60873 (dest port 25)

‘’‘a proppossed decoder is (not tested):’‘’

<decoder name=”iplog-bogustcp”>
<prematch>Bogus TCP flags set by</prematch> <regex offset=”after_prematch”>(d+.d+.d+.d+):d+</regex> <order>srcip</order>

</decoder>

==’‘’iplog rules’‘’==

Only for working decoders

cd ~/ossec/rules touch iplog_rules.xml chown root:ossec iplog_rules.xml chmod 550 iplog_rules.xml

in iplog_rules.xml include:

<group name=”syslog,errors,”>
<rule id=”99990” level=”6”>
<decoded_as>iplog-scan</decoded_as> <description>iplog scan detect</description>

</rule>

</group>

==’‘’ossec.conf’‘’==

cd ~/ossec/etc vi ossec.conf

include in the correct place:

<include>iplog_rules.xml</include>

and

<localfile>
<log_format>syslog</log_format> <location>/var/log/iplog</location>

</localfile>

or wherever you put your iplog logs

start iplog

iplog -d

restart ossec

~/ossec/bin/ossec-control restart

test with nmap (see before)

=’‘’OSSEC active-response’‘’=

==’‘’Firewall Drop: FreeBSD-IPFW’‘’== add to your ipfw script the follow lines, if you are using the 00001 rule number disoccupying:

/sbin/ipfw add 00001 deny ip from table(00002) to any /sbin/ipfw add 00001 deny ip from any to table(00002)

Change ~/ossec/active-response/bin/firewall-drop.sh to adjust to the red lines

<nowiki>#!/bin/sh</nowiki> <nowiki># Adds an IP to the IPFW drop list.</nowiki> <nowiki># Only works with IPFW.</nowiki> <nowiki># We use TABLE 00001. If you use this table for anything else,</nowiki> <nowiki># please change it here.</nowiki> <nowiki># Expect: srcip</nowiki> <nowiki># Author: Rafael Capovilla - under @ ( at ) underlinux.com.br</nowiki> <nowiki># Author: Daniel B. Cid - dcid @ ( at ) ossec.net</nowiki> <nowiki># Last modified: May 07, 2006</nowiki> UNAME=`uname` IPFW=”/sbin/ipfw” ARG1=”” ARG2=”” ACTION=$1 USER=$2 IP=$3 <font color=”red”>TABLE_ID=00002</font> LOCAL=`dirname $0`; cd $LOCAL cd ../ PWD=`pwd` echo “date $0 $1 $2 $3” >> ${PWD}/ossec-hids-responses.log <nowiki># Checking for an IP</nowiki> if [ “x${IP}” = “x” ]; then

echo “$0: <action> <username> <ip>” exit 1;

fi <nowiki># Blocking IP</nowiki> if [ “x${ACTION}” != “xadd” -a “x${ACTION}” != “xdelete” ]; then

echo “$0: Invalid action: ${ACTION}” exit 1;

fi <nowiki># We should run on FreeBSD</nowiki> <nowiki># We always use table 00001 and rule id 00001.</nowiki> if [ “X${UNAME}” = “XFreeBSD” ]; then

ls ${IPFW} >> /dev/null 2>&1 if [ $? != 0 ]; then

exit 0;

fi

<nowiki> # Check if our table is set</nowiki> <font color=”red”> ${IPFW} show | grep “^00001” | grep “table(2)” >/dev/null 2>&1</font>

if [ ! $? = 0 ]; then
# We need to add the table ${IPFW} -q 00001 add deny ip from table(${TABLE_ID}) to any ${IPFW} -q 00001 add deny ip from any to table(${TABLE_ID})

fi

<nowiki> # Executing and exiting</nowiki>
${IPFW} -q table ${TABLE_ID} ${ACTION} ${IP} exit 0;

fi <nowiki># Not FreeBSD</nowiki> exit 1;

Include in ~/ossec/etc/ossec.conf:

<command>
<name>firewall-drop</name> <executable>firewall-drop.sh</executable> <expect>srcip</expect>

</command>

<active-response>

<disabled>no</disabled> <command>firewall-drop</command> <location>local</location>

<rules_id>99990</rules_id>

</active-response>

restart ossec:
~/ossec/bin/ossec-control restart
Scan your machine (caution OSSEC will block the scanner IP) from online scanner server like: http://www.derkeiler.com/Service/PortScan/, or from a remote machine with:
nmap -sT -PI -PT 1.2.3.4
look if the active-response works with:
/sbin/ipfw table 2 list
or
tail -f ~/ossec/active-response/ossec-hids-responses.log
if you want to flush the banned IPs in the table
/sbin/ipfw table 2 flush
or want to remove a specific IP in the table
/sbin/ipfw table 2 delete 1.2.3.4

if you want to flush the table every 24 Hrs:

vi /etc/crontab
and include
0 */24 * * * root /sbin/ipfw table 2 flush > /dev/null 2>&1

=More restrictions=

*‘’‘iplog.conf’‘’ To Enable or disable a mechanism that attempts to fool programs, such as nmap and queso, that perform remote OS detection, add the follow line to iplog.conf

set fool_nmap true

As a side effect, enabling this option will also cause most of nmap’sstealth” scans to fail.

*‘’‘BSD’s sysctl (some FreeBSD especific)’‘’

tcp_drop_synfin net.inet.tcp.blackhole net.inet.udp.blackhole

[[Category:rules]] [[Category:decoders]]