Lire™ supports logs from many packet filter firewalls.
Cisco routers running IOS™ can log activity via syslog. Lire™ processes the log entries that correspond to the packet filters (access lists), such as the %SEC-6-IPACCESSLOGP messages in the sample below; the other IOS messages in the same syslog file are ignored.
Example 11.1. IOS Log Sample
Aug 19 04:02:34 1.example.com.nl 218963: Aug 19 04:02:32.977: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down
Aug 19 04:02:34 1.example.com.nl 218964: Aug 19 04:02:33.262: %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from 172605440 teraar, call lasted 42 seconds
Aug 19 04:02:35 1.example.com.nl 218965: Aug 19 04:02:33.266: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
Aug 19 04:02:38 1.example.com.nl 218966: Aug 19 04:02:36.103: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.1(4652) -> 10.0.0.2(80), 1 packet
Aug 19 04:02:45 1.example.com.nl 218967: Aug 19 04:02:43.543: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 86 changed to down
Aug 19 04:02:53 1.example.com.nl 218968: Aug 19 04:02:51.471: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.3(2162) -> 10.0.0.4(80), 1 packet
Aug 19 04:03:06 1.example.com.nl 218969: Aug 19 04:03:04.585: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BRI0, TEI 86 changed to down
Aug 19 04:03:10 1.example.com.nl 218970: Aug 19 04:03:08.867: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.5(2342) -> 10.0.0.6(80), 1 packet
Aug 19 04:03:12 1.example.com.nl 218971: Aug 19 04:03:10.771: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.7(1093) -> 10.0.0.8(80), 1 packet
Aug 19 04:03:36 1.example.com.nl 218972: Aug 19 04:03:34.373: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.9(3173) -> 10.0.0.10(80), 1 packet
IPChains logs packets marked for logging through syslog (strictly, to the kernel log buffer, which klogd normally forwards to syslog). Lire™ expects the logs in the form of a syslog log file.
Example 11.2. IPChains Log Sample
Oct 28 04:02:30 firewall kernel: Packet log: output DENY eth0 PROTO=17 10.0.0.1:137 10.0.0.2:137 L=78 S=0x00 I=36930 F=0x0000 T=64 (#7)
Oct 28 04:07:30 firewall kernel: Packet log: output DENY eth0 PROTO=17 10.0.0.1:137 10.0.0.2:137 L=78 S=0x00 I=37211 F=0x0000 T=64 (#7)
Oct 28 04:07:40 firewall kernel: Packet log: input DENY eth1 PROTO=17 10.0.0.3:138 10.0.0.4:138 L=256 S=0x00 I=37213 F=0x0000 T=64 (#7)
Oct 28 04:07:40 firewall kernel: Packet log: input DENY eth1 PROTO=17 10.0.0.3:138 10.0.0.4:138 L=236 S=0x00 I=37214 F=0x0000 T=64 (#7)
Oct 28 04:08:20 firewall kernel: Packet log: output DENY lo PROTO=17 10.0.0.5:138 10.0.0.2:138 L=256 S=0x00 I=37216 F=0x0000 T=64 (#7)
Oct 28 04:12:30 firewall kernel: Packet log: output DENY eth0 PROTO=17 10.0.0.1:137 10.0.0.2:137 L=78 S=0x00 I=37255 F=0x0000 T=64 (#7)
Oct 28 04:17:30 firewall kernel: Packet log: output DENY eth0 PROTO=17 10.0.0.1:137 10.0.0.2:137 L=78 S=0x00 I=37364 F=0x0000 T=64 (#7)
Oct 28 04:19:40 firewall kernel: Packet log: input DENY eth1 PROTO=17 10.0.0.3:138 10.0.0.4:138 L=256 S=0x00 I=37440 F=0x0000 T=64 (#7)
Oct 28 04:19:40 firewall kernel: Packet log: input DENY eth1 PROTO=17 10.0.0.3:138 10.0.0.4:138 L=236 S=0x00 I=37441 F=0x0000 T=64 (#7)
Oct 28 04:20:20 firewall kernel: Packet log: output DENY lo PROTO=17 10.0.0.5:138 10.0.0.2:138 L=256 S=0x00 I=37453 F=0x0000 T=64 (#7)
IP Filter logs selected packets through syslog, via its ipmon daemon, as in the sample below.
Example 11.3. IP Filter Log Sample
Oct 30 07:42:29 firewall ipmon[16747]: 07:42:28.585962 ie0 @0:9 b 192.168.48.1,45085 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
Oct 30 07:40:24 firewall ipmon[16747]: 07:40:23.631307 ep1 @0:6 b 192.168.26.5,113 -> 192.168.26.1,3717 PR tcp len 20 40 -AR OUT
Oct 30 07:42:29 firewall ipmon[16747]: 07:42:28.585962 ie0 @0:9 b 192.168.48.1,45085 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
Oct 30 07:44:11 firewall ipmon[16747]: 07:44:10.605416 2x ep1 @0:15 b 192.168.26.1,138 -> 192.168.26.255,138 PR udp len 20 257 IN
Oct 30 07:44:34 firewall ipmon[16747]: 07:44:33.891869 ie0 @0:10 b 192.168.48.1,23406 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
IPTables logs packets marked for logging through syslog (strictly, to the kernel log buffer, which klogd normally forwards to syslog). Lire™ expects the logs in the form of a syslog log file.
A limitation of IPTables logs is that the log entry itself does not say what happened to the packet: the LOG target only records the packet, and the decision to accept, drop or reject it is taken by a separate rule. The LOG target does, however, let you tag each logged packet with a prefix (the --log-prefix option). Lire™ treats packets whose prefix contains any of the strings denied, drop, deny or reject as denied packets; all other packets get the unknown action value (-). To get meaningful action values in the reports, give each LOG rule a prefix such as "Packet-drop" and place it immediately before the DROP or REJECT rule it describes, as in the sample below.
Example 11.4. IPTables Log Sample
Sep 21 11:45:17 lire kernel: Packet-drop IN=eth0 OUT=eth0 SRC=10.0.0.1 DST=10.0.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=38365 DF PROTO=TCP SPT=3117 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 21 11:45:20 lire kernel: Packet-drop IN=eth0 OUT=eth0 SRC=10.0.0.1 DST=10.0.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=38478 DF PROTO=TCP SPT=3117 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 21 11:45:26 lire kernel: Packet-drop IN=eth0 OUT=eth0 SRC=10.0.0.1 DST=10.0.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=38680 DF PROTO=TCP SPT=3117 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 21 11:52:46 lire kernel: Packet-drop IN=eth0 OUT=eth0 SRC=10.0.0.1 DST=10.0.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=54122 DF PROTO=TCP SPT=4532 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 21 11:52:49 lire kernel: Packet-drop IN=eth0 OUT=eth0 SRC=10.0.0.1 DST=10.0.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=54222 DF PROTO=TCP SPT=4532 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 21 11:52:55 lire kernel: Packet-drop IN=eth0 OUT=eth0 SRC=10.0.0.1 DST=10.0.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=54443 DF PROTO=TCP SPT=4532 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
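The prefix rule described above is easy to get wrong in practice (a LOG rule with no prefix, or with a prefix that does not carry one of the four strings, silently turns every packet into action "-"). The following script, added here as an illustration and not part of Lire™ itself, parses iptables LOG lines from a syslog file and applies that rule. The sample lines, the function names and the case-insensitive comparison are this example's own assumptions; the page does not say whether Lire™ matches the strings case-sensitively.

```python
import re

# Constructed sample lines (not captured from a real host). The first reuses the
# "Packet-drop" prefix from the page's sample; the others exercise a REJECT prefix,
# an informational prefix, and a LOG rule that was given no prefix at all.
SAMPLE_LINES = [
    "Sep 21 11:45:17 lire kernel: Packet-drop IN=eth0 OUT=eth0 SRC=10.0.0.1 DST=10.0.0.2 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=38365 DF PROTO=TCP SPT=3117 DPT=80 "
    "WINDOW=16384 RES=0x00 SYN URGP=0",
    "Sep 21 11:46:02 lire kernel: REJECT-in: IN=eth1 OUT= SRC=10.0.0.9 DST=10.0.0.2 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=5353 DPT=53 LEN=40",
    "Sep 21 11:46:10 lire kernel: ssh-seen IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.2 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=777 DF PROTO=TCP SPT=40022 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Sep 21 11:46:11 lire kernel: IN=eth0 OUT= SRC=10.0.0.8 DST=10.0.0.2 LEN=84 "
    "TOS=0x00 PREC=0x00 TTL=51 ID=778 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
]

# syslog envelope written for kernel messages: "<date> <host> kernel: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<msg>.*)$"
)

# The substrings the page says Lire looks for in the --log-prefix text.
# Case-insensitive matching is an assumption of this example; the page does not say.
DENIED_MARKERS = ("denied", "drop", "deny", "reject")


def classify_prefix(prefix):
    """Map a LOG prefix to Lire's action value: 'denied' or unknown ('-')."""
    low = prefix.lower()
    return "denied" if any(marker in low for marker in DENIED_MARKERS) else "-"


def parse_iptables_line(line):
    """Parse one syslog line produced by the iptables LOG target into a flat record.

    Returns None for lines that are not iptables LOG output.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    # Everything before the first IN= token is the user-supplied --log-prefix.
    idx = msg.find("IN=")
    if idx < 0:
        return None
    prefix = msg[:idx].strip()

    fields, flags = {}, []
    for tok in msg[idx:].split():
        key, eq, val = tok.partition("=")
        if eq:
            # UDP and ICMP lines repeat LEN= and ID=; keep the IP-header value (first seen).
            fields.setdefault(key, val)
        else:
            flags.append(tok)  # bare tokens such as DF, SYN, ACK

    def port(name):
        return int(fields[name]) if fields.get(name, "").isdigit() else None

    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "prefix": prefix,
        "action": classify_prefix(prefix),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": port("SPT"),
        "dpt": port("DPT"),
        "flags": flags,
    }


def denied_by_source(lines):
    """Count denied packets per source address, skipping lines that are not iptables output."""
    counts = {}
    for line in lines:
        rec = parse_iptables_line(line)
        if rec and rec["action"] == "denied":
            counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in map(parse_iptables_line, SAMPLE_LINES):
        print(rec["action"], rec["src"], "->", rec["dst"], rec["proto"], rec["dpt"])
    print(denied_by_source(SAMPLE_LINES))
```

Because the rule is a substring test, a prefix is matched wherever the strings occur in it ("REJECT-in:" counts as denied just as "Packet-drop" does), so choose prefixes that cannot match by accident, and keep LOG rules for accepted traffic free of those four strings.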
WELF (WebTrends Enhanced Log Format) was developed by WebTrends and is supported by many firewall vendors. Products can write log files in that format directly or can send WELF records through syslog; Lire™ handles both native WELF log files and syslog files whose messages carry WELF records. Although the format was not designed specifically for packet filter firewalls (it can also carry information from network intrusion detection or proxy services), Lire™ does its best to map the information it finds onto something meaningful.
Example 11.5. WELF Log Sample
WTsyslog[1998-08-01 14:05:46 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 04:10:23" fw=WebTrendsSample pri=5 msg="ICMP packet dropped" src=10.0.0.2 dst=10.0.0.3 rule=3
WTsyslog[1998-08-01 16:31:00 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 10:35:38" fw=WebTrendsSample pri=6 proto=tcp/443 src=10.0.0.4 dst=10.0.0.5 rcvd=4844
WTsyslog[1998-08-01 16:31:01 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 10:35:38" fw=WebTrendsSample pri=6 proto=tcp/443 src=10.0.0.4 dst=10.0.0.5 rcvd=6601
WTsyslog[1998-08-01 16:43:59 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 10:48:36" fw=WebTrendsSample pri=5 msg="UDP packet dropped" src=10.0.0.6 dst=10.0.0.3 rule=3
WTsyslog[1998-08-01 16:46:13 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 10:50:50" fw=WebTrendsSample pri=5 msg="UDP packet dropped" src=10.0.0.7 dst=10.0.0.3 rule=3
WTsyslog[1998-08-01 16:46:13 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 10:50:50" fw=WebTrendsSample pri=6 proto=telnet src=10.0.0.4 dst=10.0.0.8 sent=1194
Lire™ also supports some extensions to WELF used by SonicWall, such as the sn=, c=, m= and n= fields and the zone name appended to src= in the sample below.
Example 11.6. SonicWall Log Sample
Jan 7 15:01:10 lire id=firewall sn=asdlFFFXSD time="2002-01-06 22:42:13" fw=10.0.0.1 pri=6 c=1 m=30 msg="Administrator login failed - incorrect password" n=1 src=10.0.0.2:LAN dst=10.0.0.1
Jan 7 15:01:16 lire id=firewall sn=asdlFFFXSD time="2002-01-06 22:42:19" fw=10.0.0.1 pri=6 c=1 m=29 msg="Successful administrator login" n=1 src=10.0.0.2:LAN dst=10.0.0.1
Jan 7 15:02:32 lire id=firewall sn=asdlFFFXSD time="2002-01-06 22:43:34" fw=10.0.0.1 pri=5 c=128 m=37 msg="UDP packet dropped" n=1 src=10.0.0.3:68 dst=10.0.0.4:67 dstname=DHCP
Jan 7 15:31:43 lire id=firewall time="2002-01-07 15:20:21" fw=10.0.0.5 pri=6 proto=dns src=10.0.0.6 dst=10.0.0.8 rcvd=130 sn=asdlFFFXSD 54 c=1024 m=98 n=31
Jan 7 15:31:43 10.0.0.5 id=firewall time="2002-01-07 15:20:21" fw=10.0.0.5 pri=6 proto=dns src=10.0.0.6 dst=10.0.0.9 rcvd=130 sn=asdlFFFXSD 54 c=1024 m=98 n=32
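The WELF and SonicWall sections above describe three things a parser has to cope with: the record may or may not be wrapped in a syslog or WTsyslog envelope, values such as time= and msg= are double-quoted and contain spaces, and SonicWall appends either a port or a zone name to src= and dst=. The script below, added here as an illustration and not part of Lire™, handles all three and reduces each record to the fields a packet filter report needs. The sample lines are constructed after the page's samples, the function names are this example's own, and deriving an action value from the msg= text is an assumption made here for demonstration, not a description of how Lire™ maps WELF records.

```python
import re
import shlex

# Constructed WELF records patterned on the page's samples (not real device output).
# Lines 1-2 carry the WTsyslog envelope, lines 3-4 a plain syslog envelope with
# SonicWall's extra fields (sn=, c=, m=, n=) and zone/port suffixes on src/dst,
# and line 5 is a record as it would appear in a native WELF file (no envelope).
SAMPLE_LINES = [
    'WTsyslog[1998-08-01 14:05:46 ip=10.0.0.1 pri=6] id=firewall '
    'time="1998-08-01 04:10:23" fw=WebTrendsSample pri=5 '
    'msg="ICMP packet dropped" src=10.0.0.2 dst=10.0.0.3 rule=3',
    'WTsyslog[1998-08-01 16:31:00 ip=10.0.0.1 pri=6] id=firewall '
    'time="1998-08-01 10:35:38" fw=WebTrendsSample pri=6 proto=tcp/443 '
    'src=10.0.0.4 dst=10.0.0.5 rcvd=4844',
    'Jan 7 15:02:32 lire id=firewall sn=asdlFFFXSD time="2002-01-06 22:43:34" '
    'fw=10.0.0.1 pri=5 c=128 m=37 msg="UDP packet dropped" n=1 '
    'src=10.0.0.3:68 dst=10.0.0.4:67 dstname=DHCP',
    'Jan 7 15:01:16 lire id=firewall sn=asdlFFFXSD time="2002-01-06 22:42:19" '
    'fw=10.0.0.1 pri=6 c=1 m=29 msg="Successful administrator login" n=1 '
    'src=10.0.0.2:LAN dst=10.0.0.1',
    'id=firewall time="1998-08-01 04:12:00" fw=WebTrendsSample pri=6 proto=http '
    'src=10.0.0.9 dst=10.0.0.5 sent=512',
]

# A WELF record starts at its id= field; whatever precedes it is the syslog or
# WTsyslog envelope added by the transport (empty in a native WELF file).
RECORD_START_RE = re.compile(r"^(?P<envelope>.*?)(?=\bid=)")


def split_endpoint(value):
    """'10.0.0.3:68' -> (ip, 68, None); '10.0.0.2:LAN' -> (ip, None, 'LAN')."""
    if value is None:
        return None, None, None
    ip, sep, suffix = value.partition(":")
    if not sep:
        return ip, None, None
    if suffix.isdigit():
        return ip, int(suffix), None
    return ip, None, suffix  # SonicWall appends the zone name instead of a port


def split_proto(value):
    """'tcp/443' -> ('tcp', 443); 'dns' -> ('dns', None)."""
    if value is None:
        return None, None
    name, _, port = value.partition("/")
    return name, int(port) if port.isdigit() else None


def parse_welf_line(line):
    """Parse one WELF record, with or without a syslog/WTsyslog envelope.

    Returns None if the line holds no WELF record or its quoting is broken.
    """
    m = RECORD_START_RE.match(line)
    if not m:
        return None
    try:
        # shlex honours the double quotes around time="..." and msg="..."
        tokens = shlex.split(line[m.end():])
    except ValueError:  # unbalanced quote, e.g. a truncated line
        return None

    fields, extras = {}, []
    for tok in tokens:
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        else:
            extras.append(tok)  # bare tokens some devices emit between fields

    src, src_port, src_zone = split_endpoint(fields.get("src"))
    dst, dst_port, dst_zone = split_endpoint(fields.get("dst"))
    proto, service_port = split_proto(fields.get("proto"))
    msg = fields.get("msg", "")
    return {
        "envelope": m.group("envelope").strip(),
        "time": fields.get("time"),
        "fw": fields.get("fw"),
        "msg": msg,
        "src": src, "src_port": src_port, "src_zone": src_zone,
        "dst": dst, "dst_port": dst_port, "dst_zone": dst_zone,
        "proto": proto, "service_port": service_port,
        # WELF has no action field; deriving one from msg= is this example's
        # assumption, not Lire's mapping.
        "action": "denied" if "dropped" in msg.lower() else "-",
        "bytes": int(fields.get("rcvd", 0)) + int(fields.get("sent", 0)),
        "extras": extras,
    }


def denied_sources(lines):
    """Sorted, de-duplicated source addresses of records classified as denied."""
    recs = (parse_welf_line(line) for line in lines)
    return sorted({r["src"] for r in recs if r and r["action"] == "denied"})


if __name__ == "__main__":
    for rec in map(parse_welf_line, SAMPLE_LINES):
        print(rec["action"], rec["src"], rec["src_zone"], "->", rec["dst"], rec["proto"], rec["bytes"])
    print(denied_sources(SAMPLE_LINES))
```

Locating the record by its id= field rather than by the envelope is what lets one parser serve a native WELF file, a WTsyslog capture and a plain syslog file alike; a record whose quoting is damaged is rejected rather than half-parsed, so a truncated line cannot produce a bogus src or dst.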