Saturday, January 06, 2007

How to analyze a Shorewall log?

Do you know how to analyze a firewall log? For those who are interested in the network security field, understanding firewall logs is extremely valuable. Before this, I wrote a previous article about the Shorewall firewall, in which I discussed how to set up a simple firewall using Shorewall.
In this article, I will show you how to analyze a firewall log in Shorewall. Shorewall is one of the high-level configuration tools for Netfilter. This is a simple reference for the format used by netfilter log messages. Below is a Shorewall log message generated by netfilter:

Dec 5 01:21:37 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 SRC=10.1.2.21 DST=10.1.2.32 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4923 DF PROTO=TCP SPT=42368 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

Details of the Shorewall log, field by field:
  • Dec 5 01:21:37 monitoring12 kernel: - syslog prefix (timestamp, host name and the logging facility, here the kernel).
  • Shorewall:net2all:DROP - The Shorewall policy, using the zones defined in /etc/shorewall/policy: a packet received from the Internet zone (net) and destined for any other network or DMZ zone (all) is dropped.
  • IN=eth0 - Interface the packet was received on. An empty value means a locally generated packet.
  • OUT= - Interface the packet was sent out on. An empty value means a locally received packet.
  • MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 - Destination MAC: 00:07:e9:f1:9f:85, source MAC: 00:07:e9:f1:a0:85, type 08:00 (the Ethernet frame carried an IPv4 datagram).
  • SRC=10.1.2.21 - Source IP address.
  • DST=10.1.2.32 - Destination IP address.
  • LEN=60 - Total length of the IP packet in bytes.
  • TOS=0x00 - Type Of Service, "Type" field. Increasingly being replaced by DS and ECN. Refer to RFC 791 for IP header information.
  • PREC=0x00 - Type Of Service, "Precedence" field. Increasingly being replaced by DS and ECN. Refer to RFC 791 for IP header information.
  • TTL=64 - Remaining Time To Live (TTL) is 64 hops.
  • ID=4923 - Unique ID for this IP datagram, shared by all fragments if it is fragmented.
  • DF - "Don't Fragment" flag.
  • PROTO=TCP - Protocol name or number. Netfilter uses names for TCP, UDP, ICMP, AH and ESP; other protocols are identified by number. The list of protocols is in /etc/protocols.
  • SPT=42368 - Source port (TCP or UDP port). Refer to /etc/services for port numbers.
  • DPT=22 - Destination port (TCP or UDP port).
  • WINDOW=5840 - The TCP receive window size. This may be scaled by shifting left by the number of bits given in the "Window Scale" TCP option.
  • RES=0x00 - Reserved bits. Refer to RFC 793 for the TCP header format.
  • SYN - SYN flag, only exchanged at TCP connection establishment.
  • URGP=0 - The Urgent Pointer allows for urgent, out-of-band data transfer.
To analyze firewall logs, you must have a strong understanding of TCP/IP, in particular the protocol header fields. You need to know the IP header format (RFC 791), the TCP header format (RFC 793) and the UDP header format (RFC 768). I think this is a simple, quick reference analysis rather than a detailed one, but it is good for me to strengthen my knowledge of firewall log analysis.
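As an added example (editor's code, not part of the original article or of Shorewall itself), the parser below turns lines in this format into fields the way the list above reads them: it strips the syslog prefix and the Shorewall chain:action prefix, stores each KEY=value token, records value-less tokens such as DF and SYN as flags, decodes MAC= into destination MAC, source MAC and EtherType, and keeps the repeated LEN/ID values netfilter emits for UDP and ICMP. On top of that it counts drops per source address and lists sources whose dropped packets touched several destination ports, which is the kind of summary a defender pulls from these logs. Only the first sample line is the one quoted in the article; the other lines, the host names and the addresses are constructed for this example, and the optional bracketed uptime stamp after "kernel:" is an assumption about newer kernels that is not shown on the page.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. The first line is the article's example; the rest are
# made up for this example in the same netfilter LOG format, plus one non-firewall line.
SAMPLE_LOG = """\
Dec 5 01:21:37 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 SRC=10.1.2.21 DST=10.1.2.32 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4923 DF PROTO=TCP SPT=42368 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 5 01:21:38 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 SRC=10.1.2.21 DST=10.1.2.32 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4924 DF PROTO=TCP SPT=42369 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 5 01:21:40 monitoring12 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 SRC=10.1.2.21 DST=10.1.2.32 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=4925 DF PROTO=UDP SPT=53123 DPT=161 LEN=28
Dec 5 01:22:01 monitoring12 kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= MAC=00:07:e9:f1:9f:85:00:07:e9:f1:a0:85:08:00 SRC=10.1.2.40 DST=10.1.2.32 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Dec 5 01:22:05 monitoring12 kernel: Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=10.1.2.32 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=TCP SPT=40000 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 5 01:22:06 monitoring12 sshd[2211]: Accepted publickey for admin from 10.1.2.40 port 51000 ssh2
"""

# syslog prefix, an optional "[uptime]" stamp some kernels add (assumed, not shown in the
# article), then the Shorewall "chain:action:" prefix and the netfilter key=value fields
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?:\[\s*\d+\.\d+\] )?Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$"
)


def decode_mac(mac_field):
    """Split MAC= into destination MAC, source MAC and EtherType (14 colon-separated bytes)."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        return None  # point-to-point or tunnel interfaces log a different or empty MAC field
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "0x" + "".join(octets[12:14]),  # 0x0800 = IPv4
    }


def parse_line(line):
    """Parse one Shorewall log line; return None for lines netfilter did not produce."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m.group("timestamp"), "host": m.group("host"),
           "chain": m.group("chain"), "action": m.group("action")}
    for token in m.group("rest").split():
        if "=" not in token:
            rec[token] = True  # value-less flag such as DF, SYN or ACK
            continue
        key, value = token.split("=", 1)
        key = key.upper()  # netfilter prints upper-case keys; tolerate a lower-cased copy
        # netfilter repeats LEN for UDP (IP length, then UDP length) and ID for ICMP echo
        # (IP identification, then echo identifier); keep the second under a suffixed key
        if key in rec:
            key += "_2"
        rec[key] = value  # empty string for OUT= on inbound or IN= on outbound packets
    if rec.get("MAC"):
        rec["ether"] = decode_mac(rec["MAC"])
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def dropped_by_source(records):
    """Count DROP/REJECT decisions per source address."""
    return Counter(r["SRC"] for r in records if r["action"] in ("DROP", "REJECT"))


def port_sweep_sources(records, min_ports=3):
    """Sources whose dropped TCP/UDP packets hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] in ("DROP", "REJECT") and r.get("PROTO") in ("TCP", "UDP") and "DPT" in r:
            ports[r["SRC"]].add(r["DPT"])
    return {src: sorted(p, key=int) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for src, n in dropped_by_source(records).most_common():
        print(f"{src:16} {n} dropped")
    print("sources touching several blocked ports:", port_sweep_sources(records))
```

Run it as-is to see the summary for the constructed sample, or feed it the output of `grep Shorewall /var/log/messages` (or wherever your syslog sends kernel messages) through `parse_log`. The threshold in `port_sweep_sources` is deliberately low for the sample; on a real perimeter log you would raise it and window it by time.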

1 comment:

Anonymous said...

Can anyone recommend a well-priced Remote Management & Monitoring tool for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central configuration management? What is your best take in cost vs performance among those three? I need good advice please... Thanks in advance!