Is there a way to add the connection type (new,established,related) to the log? I'm trying to make sure I haven't shot myself in the foot again.

Mike-
--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
On Monday 23 January 2006 08:23, Michael W Cocke wrote:
> Is there a way to add the connection type (new,established,related) to
> the log? I'm trying to make sure I haven't shot myself in the foot
> again.

First, NEW, ESTABLISHED and RELATED are not connection types -- they are connection *states*.

Second, the only way that you can create log records of packets in the ESTABLISHED and RELATED states is to place log rules in the ESTABLISHED and RELATED sections of the rules file where you can use log tags to distinguish the two (e.g., LOG:info:EST and LOG:info:REL).

Third, logging of packets in any state other than NEW should only be performed for diagnostic purposes. The amount of log traffic you will generate will be astronomical and if you do something like running 'shorewall logwatch' through a remote SSH session, you may lose control of your system.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
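Tom's tagged log rules give each state its own log prefix, so the kernel log can be tallied by tag to confirm what the ESTABLISHED and RELATED rules are producing, and to measure how much of the log volume his warning is about. The script below is an added example, not from the thread and not Shorewall's own code. It assumes the prefix layout `Shorewall:<chain>:<tag-or-disposition>:` immediately followed by the netfilter `IN=... OUT=... SRC=...` fields; the sample log lines are constructed for the example, and `PREFIX_RE` is the one thing to adjust if your LOGFORMAT differs.

```python
"""Tally Shorewall/netfilter log lines by chain and log tag.

Added example for the thread above; not part of Shorewall.  Assumes the
default-style prefix "Shorewall:<chain>:<tag-or-disposition>:" that a
rule such as LOG:info:EST in the ESTABLISHED section produces.
"""
import re
from collections import Counter

# Constructed sample lines (not real traffic); addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
Jan 23 08:49:25 fw kernel: Shorewall:net2fw:EST:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=52 TTL=64 ID=1 DF PROTO=TCP SPT=34567 DPT=22 ACK
Jan 23 08:49:25 fw kernel: Shorewall:net2fw:EST:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=52 TTL=64 ID=2 DF PROTO=TCP SPT=34567 DPT=22 ACK
Jan 23 08:49:26 fw kernel: Shorewall:net2fw:REL:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TTL=64 ID=3 PROTO=ICMP TYPE=3 CODE=3
Jan 23 08:49:27 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 LEN=40 TTL=244 ID=4 PROTO=TCP SPT=6000 DPT=23 SYN
Jan 23 08:49:28 fw kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TTL=64 ID=5 DF PROTO=TCP SPT=40000 DPT=80 SYN
"""

# Prefix is "Shorewall" plus colon-separated components, ending in a colon,
# then the netfilter fields starting at IN=.  Assumed layout, see lead-in.
PREFIX_RE = re.compile(r"kernel: (?P<prefix>Shorewall(?::[^:\s]+)*:)\s*(?P<rest>IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
# Log tags from the thread's example rules (LOG:info:EST, LOG:info:REL).
STATE_TAGS = {"EST": "ESTABLISHED", "REL": "RELATED"}


def parse_line(line):
    """Return a dict for a Shorewall log line, or None for any other line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    parts = m.group("prefix").strip(":").split(":")  # ['Shorewall', chain, ...]
    chain = parts[1] if len(parts) > 1 else ""
    tail = parts[2:]  # tag and/or disposition, e.g. ['EST'] or ['DROP']
    # Only a tag tells us the state; untagged entries are whatever section they came from.
    state = next((STATE_TAGS[p] for p in tail if p in STATE_TAGS), "untagged")
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))                      # IN, OUT, SRC, DST, PROTO, ...
    flags = {tok for tok in rest.split() if "=" not in tok}  # bare tokens: DF, SYN, ACK, ...
    return {"chain": chain, "prefix_tail": tail, "state": state,
            "fields": fields, "flags": flags}


def summarize(text):
    """Count lines per (chain, prefix tail) and per state."""
    counts, by_state = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["chain"], ":".join(rec["prefix_tail"]))] += 1
        by_state[rec["state"]] += 1
    return counts, by_state


def non_new_share(by_state):
    """Fraction of parsed lines that came from tagged (ESTABLISHED/RELATED) rules."""
    total = sum(by_state.values())
    return 0.0 if not total else (total - by_state.get("untagged", 0)) / total


if __name__ == "__main__":
    counts, by_state = summarize(SAMPLE_LOG)
    for (chain, tail), n in sorted(counts.items()):
        print(f"{chain:10} {tail:8} {n}")
    print("by state:", dict(by_state))
    print(f"share of log from non-NEW rules: {non_new_share(by_state):.0%}")
```

Feed it a saved copy of the kernel log (for example the relevant lines from /var/log/messages) rather than a live tail over SSH; once the share reported by `non_new_share` is high, the tagged rules have done their diagnostic job and Tom's advice is to take them out again.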
On Mon, 23 Jan 2006 08:49:25 -0800, you wrote:
> On Monday 23 January 2006 08:23, Michael W Cocke wrote:
>> Is there a way to add the connection type (new,established,related) to
>> the log? I'm trying to make sure I haven't shot myself in the foot
>> again.
>
> First, NEW, ESTABLISHED and RELATED are not connection types -- they are
> connection *states*.

Sorry, I knew what I meant but not the correct term.

> Second, the only way that you can create log records of packets in the
> ESTABLISHED and RELATED states is to place log rules in the ESTABLISHED and
> RELATED sections of the rules file where you can use log tags to distinguish
> the two (e.g., LOG:info:EST and LOG:info:REL).

Thanks, this did just what I needed.

> Third, logging of packets in any state other than NEW should only be performed
> for diagnostic purposes. The amount of log traffic you will generate will be
> astronomical and if you do something like running 'shorewall logwatch'
> through a remote SSH session, you may lose control of your system.

I know. The thing is, I'm having such a miserable time with snort and snort_inline (there are some heavy bugs in the current version, I'm about to try to fall back to a previous) that I need to prove to myself that the packets are going where I want them. Shorewall, bless you, is doing what I need just like always, but at this point I need to run both snort and snort_inline to get ANY output ANYWHERE (including both logs AND packets back out of the thing!), and I can't find a way to absolutely test packet drops by rule, and at this point I have no confidence in it.

Thanks for the help.

Mike-
--
If you're not confused, you're not trying hard enough.
On Tue, 24 Jan 2006 10:19:11 -0600, you wrote:
>
> Mike,
>
> Can I ask you what some of the issues you are running into are? Are you
> running Shorewall as a bridge or as a standard firewall?

I'm not sure how clearly I can explain this, but I'll try it.

First, this pertains to both snort_inline and snort compiled with --enable-inline. I've installed all the prerequisites and compiled from scratch - repeatedly. No errors. The problem - having enabled mysql output and built a few custom rules that should log to the database things like GET on port 80, nothing is logged. I've enabled every log available in shorewall and it looks like the packets are going into the queue, but with no way to get output from snort/inline, I'm not satisfied that it's doing anything. The display to the screen when running snort/inline with -v looks correct, but... The diag output (things like the database name) is screwed, almost like a memory crunch of some kind - and as I say, there's no other output. I have a nasty suspicion that I've found a bug somewhere, but no one from snort or snort_inline wants to hear that.

As for bridge vs. standard, I've tried it both ways and had the same problems.

> Also what version of Suse are you using at the moment. I'm going to try
> to put up a SUSE firewall and see what I can find with that as well.

I'm currently using 9.3 on that system. The footprint just about doubled between 9.3 and 10.0, mostly in things that that box doesn't need, like w-lan, usb, and hal stuff.

I'm currently trying one last idea. I was told about a firewall that one of the snort coders released called vuurmuur. I figure if anything will work in combination with snort, that's it (the web page says it's supposed to). I don't like the idea, but I'm putting that firewall in place, just to see. If THAT works, then something is weird about the QUEUE facility in shorewall or in snort (bog knows how I'll figure out which), but I'll have narrowed it down that far.

I also got a pointer to a sample program from the libcap (IIRC, I don't have the msg here) docs that might be usable to monitor the queue - I'm going to try to hack that too. This should be fun - I last programmed on OS/2... I expect linux may be a bit different. 8-)

I really want to make this work, and if I have to blow a hole in hell's ceiling to do it, ok.

Mike-

> Thanks,
> Jamie
> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net
> [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of
> Michael W Cocke
> Sent: Monday, January 23, 2006 12:09 PM
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] logging conn type (new, established)?

--
If you're not confused, you're not trying hard enough.
Mike,

A quick test I've done to see if snort_inline is actually dropping packets based on the rules. Modify the icmp.rule that comes with the standard snort release, replacing all alerts to drops. Make sure to use any to any. Put that rule in your rules directory and add it to your snort.conf file. Run snort and attempt to ping the firewall; a normal ping should work fine (if QUEUE is used). If that works, try upping the packet size to 801; you should now get timeouts.

ping -s 801 <firewall IP>

Hope maybe that helps some.

Jamie

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net
[mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Michael W Cocke
Sent: Tuesday, January 24, 2006 1:35 PM
To: shorewall-users@lists.SOURCEFORGE.net
Subject: Re: [Shorewall-users] logging conn type (new, established)?

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
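Jamie's check has two halves: an ordinary ping must still be answered (proving packets are flowing through QUEUE at all), and an oversized one must time out (proving the drop rule is applied). The script below is an added example that automates exactly that pair of probes and spells out what each outcome means; it is not from the thread and not Snort or Shorewall code. The 801-byte payload and the expectation that normal pings succeed come from Jamie's message; the firewall address is a placeholder, and the `-W` timeout flag is assumed to be Linux iputils ping (seconds).

```python
"""Verify an inline drop rule for oversized ICMP echo requests.

Added example following Jamie's test above; not Snort or Shorewall code.
Assumes Linux iputils ping (-c count, -W timeout in seconds, -s payload).
"""
import subprocess
import sys

SMALL_PAYLOAD = 56   # ping's default payload: must still be answered
LARGE_PAYLOAD = 801  # size the modified icmp rule should drop, per the thread
PLACEHOLDER_HOST = "192.0.2.1"  # placeholder: replace with your firewall's address


def probe(host, size, count=3, timeout=5):
    """Return True if at least one echo reply came back for this payload size."""
    cmd = ["ping", "-c", str(count), "-W", str(timeout), "-s", str(size), host]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        raise RuntimeError("ping not found on this system")
    # iputils ping exits 0 when any reply was received, 1 on no replies.
    return result.returncode == 0


def classify(small_ok, large_ok):
    """Turn the two probe results into a verdict on the drop rule."""
    if small_ok and not large_ok:
        return "drop rule effective: normal ping answered, oversized ping timed out"
    if small_ok and large_ok:
        return "no drop: both sizes answered (rule not loaded, or traffic is not passing through QUEUE)"
    if not small_ok and not large_ok:
        return "inconclusive: even a normal ping gets no reply (host down, or all ICMP blocked)"
    return "unexpected: oversized ping answered but the normal one was not; rerun the probes"


def run_check(host):
    """Run both probes against host and return the verdict string."""
    return classify(probe(host, SMALL_PAYLOAD), probe(host, LARGE_PAYLOAD))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else PLACEHOLDER_HOST
    print(run_check(target))
```

Run it from a host on the far side of the firewall (`python3 icmp_drop_check.py <firewall IP>`); the "inconclusive" branch is there because a silent firewall proves nothing about the rule, which is the gap Mike describes in his earlier message.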