ulogd2 advanced firewall logging

Ulogd2, Advanced firewall logging Eric Leblond INL 172 rue de - PowerPoint PPT Presentation

Mar 25, 2024 •141 likes •533 views

Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Ulogd2, Advanced firewall logging Eric Leblond INL 172 rue de Charonne 75011 Paris, France RMLL 2009, July 8, Nantes Eric Leblond INL 172 rue de

  1. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Ulogd2, Advanced firewall logging Eric Leblond INL 172 rue de Charonne 75011 Paris, France RMLL 2009, July 8, Nantes Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 1/ 38

  2. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Some words about me NuFW main developper INL co-founder Netfilter hacker some kernel stuff userspace library ulogd2 organizer of Netfilter Workshop 2008 Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 2/ 38

  3. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Netfilter logging history At the beginning was syslog Pre Netfilter days Flat packet logging One line per packet A lot of information Non searchable INPUT DROP IN=eth0 OUT= MAC=00:1a:92:05:ee:68:00:b0:8e:83:3b:f0:08:00 SRC=62.212.121.211 \ DST=91.121.73.151 LEN=60 TOS=0x00 PREC=0x00 TTL=58 ID=35342 DF PROTO=TCP SPT=59261 \ DPT=113 WINDOW=5440 RES=0x00 SYN URGP=0 Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 3/ 38

  4. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Netfilter logging history Ulogd days Netfilter introduces ULOG target iptables -A INPUT -p tcp -j ULOG --ulog-prefix "bad packet" Communication via a netlink socket Special type of socket used for kernel userspace bidirectionnal communication Ulogd, a logging daemon Syslog and file output SQL output: PGSQL, MySQL, SQLite Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 4/ 38

  5. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Netfilter logging history Linux 2.6.14: Netfilter userspace reloaded Netfilter introduces NFnetlink Rewrote userspace interaction For logging, queueing and connection tracking Multiple communication on a single netlink socket Three new libraries libnetfilter_queue: userspace decision libnetfilter_log: logging libnetfilter_conntrack: connection tracking handling Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 5/ 38

  6. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Netfilter logging history Ulogd2: an ulogd generalisation Interact with the new libraries Rewrite of ulogd libnetfilter_log Packet logging IPv6 ready Few structural modification libnetfilter_conntrack Connection tracking logging Accounting, logging Completely new Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 6/ 38

  7. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Introduction 1 Connection tracking 2 Ulogd2 Architecture 3 Using Ulogd2 4 Conclusion 5 Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 7/ 38

  8. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Some words about connection tracking Stateful filtering Original IP packet filter: Filter only on IP header fields Have no idea of the packet history Stateful filtering is: follow the history of connection Is packet part of an existing connection ? Is packet correct relatively to the protocol ? to determine the validity of a packet Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 8/ 38

  9. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Some words about connection tracking Netfilter connection tracking Netfilter maintains a connection table Valid for "all" protocols For flow-oriented protocol: TCP , SCTP For protocol without state: UDP Support both IPv4 and IPv6 Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 9/ 38

  10. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Some words about connection tracking Network Address Translation Private Network can’t go to internet Firewall has to modify packet to show its address Two way of seeing a connection From inside From outside Conntrack keep track of the correspondance tcp 6 431996 ESTABLISHED src=192.168.1.131 dst=91.121.73.151 sport=52964 dport=22\ packets=13 bytes=772 src=91.121.73.151 dst=192.168.1.131 sport=22 dport=52964 \ packets=11 bytes=7548 [ASSURED] mark=0 secmark=0 use=1 \ Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 10/ 38

  11. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Some words about connection tracking libnetfilter_conntrack: Connection tracking handling library Interrogation: Connections listing Retrieve information about a connection IP information Accounting statistics Modification: Create new entry Change or fix timeout Change mark Destruction Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 11/ 38

  12. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Some words about connection tracking Connection tracking events Send all significative connection related events to userspace : NEW: connection creation ESTABLISHED: Switch from NEW to ESTABLISHED connection DESTROY: connection destruction Make possible to maintain a connection history in userspace Accounting information NAT decision history Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 12/ 38

  13. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Netfilter logging Ulogd2, a modular daemon Able to use multiple entries Support for packet logging Support for flow logging And multiple output Text based DB based Plugin based architecture Entry Output Filters Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 13/ 38

  14. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Netfilter logging Ulogd2, schema of architecture Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 14/ 38

  15. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Netfilter logging Packet logging Compatible with old kernel IPv4 support: ULOG NFLOG IPv6 support: NFLOG only Hardware information: Network interfaces Hardware header Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 15/ 38

  16. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion Netfilter logging Connection tracking event logging libnetfilter_conntrack based IPv4 and IPv6 Listen to events Contains the two IP tuples Orig IP header Reply IP header Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 16/ 38

  17. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion From input to output The stack concept Workflow based configuration: stack Choose an input Describe treatment and transformation to apply Choose an output Based on key value propagation trough the stack stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU stack=ct1:NFCT,mark1:MARK,ip2str1:IP2STR,pgsql2:PGSQL Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 17/ 38

  18. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion From input to output The stack concept: plugin Each plugin has : Input keys Output keys Plugin structure # /opt/ulogd2/sbin/ulogd --info /opt/ulogd2/lib/ulogd/ulogd_filter_IP2STR.so Name: IP2STR Input keys: Key: oob.family (unsigned int 8) Key: oob.protocol (unsigned int 16) Key: ip.saddr (IP addr) Key: ip.daddr (IP addr) [...] Output keys: Key: ip.saddr.str (string) Key: ip.daddr.str (string) [...] Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 18/ 38

  19. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion From input to output Ulogd2, the stack concept Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 19/ 38

  20. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion From input to output Ulogd2, the stack concept Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 20/ 38

  21. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion From input to output Various output plugin File-based Syslog File PCAP Databases PGSQL MySQL Sqlite (TODO) Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 21/ 38

  22. Introduction Contents Connection tracking Ulogd2 Architecture Using Ulogd2 Conclusion From input to output Treatment and filtering Treatment plugins: Decoding plugins: BASE, IFINDEX Conversion plugins: IP2STR, IP2BIN, MAC2STR Filtering: Decide if treatment has to be continued MARK plugin: stop propagation through stack if there is no match on mark Multiplexing: Reusing INPUT data Multiple logging Eric Leblond INL 172 rue de Charonne 75011 Paris, France Ulogd2, Netfilter logging reloaded 22/ 38

Recommend

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall

Sophos XG Firewall IP Partners ICT Systems & Services www.ippartners.gr XG Firewall Overview Todays top firewall problems What IT managers say about their existing firewall Firewall Satisfaction Survey (Spiceworks 2017) Top

548 views • 52 slides
Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation

Firewall and IDS/IPS What is a firewall? firewall = wall to protect against fire propagation controlled connection between networks at different security levels = boundary protection ( L1 > L2 ) network at network at security

1.07k views • 67 slides
DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #5: LOGGING

DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #5: LOGGING

DATABASE SYSTEM IMPLEMENTATION GT 4420/6422 // SPRING 2019 // @JOY_ARULRAJ LECTURE #5: LOGGING AND RECOVERY PROTOCOLS 2 TODAYS AGENDA Logging Schemes Crash Course on ARIES protocol Physical Logging Logical Logging 3 LOGGING &

1.64k views • 125 slides
ALMA Common Software Basic Track Logging and Error Systems Logging system conceptual overview

ALMA Common Software Basic Track Logging and Error Systems Logging system conceptual overview

ALMA Common Software Basic Track Logging and Error Systems Logging system conceptual overview Logging system The logging system provide status and diagnostic information historical archive filtering capabilities by

305 views • 11 slides
Debugging & Logging Java Logging Java has built-in support for logging Logs contain

Debugging & Logging Java Logging Java has built-in support for logging Logs contain

Debugging & Logging Java Logging Java has built-in support for logging Logs contain messages that provide information to Software developers (e.g., debugging) System administrators Customer support agents Programs send

254 views • 10 slides
Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts

Firewalls in FreeBSD and OpenBSD What is firewall? firewall is a method of protecting hosts and networks connected to other hosts and networks against attacks from the outside and from the inside. a firewall is a network security system

440 views • 30 slides
NuFirewall Open-source authenticating firewall NuFirewall - RMLL 2010 NuFirewall - RMLL 2010

NuFirewall Open-source authenticating firewall NuFirewall - RMLL 2010 NuFirewall - RMLL 2010

NuFirewall Open-source authenticating firewall NuFirewall - RMLL 2010 NuFirewall - RMLL 2010 Who's that guy ? Eric Leblond CTO EdenWall Technologies NuFW project leader Netfilter developper Ulogd2 maintener Regit

1.06k views • 24 slides
Samson Logging Tires Logging Tire Size Definition 24.5-32/16 24.5 = section width in inches -

Samson Logging Tires Logging Tire Size Definition 24.5-32/16 24.5 = section width in inches -

Samson Logging Tires Logging Tire Size Definition 24.5-32/16 24.5 = section width in inches - = bias carcass construction 32 = rim diameter in inches 16 = load range Samson Logging Tire TUBE TYPE SERVICE TUBE MAX SPEED 20 TYPE TIRE

241 views • 8 slides
Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business,

Logging and Recovery Module 6, Lectures 3 and 4 If you are going to be in the logging business, one of the things that you have to do is to learn about heavy equipment. Robert VanNatta, Logging History of Columbia County Database Management

535 views • 26 slides
Logging with ASP.NET Core Damien Bowden Microsoft MVP https://damienbod.com @damien_bod Why

Logging with ASP.NET Core Damien Bowden Microsoft MVP https://damienbod.com @damien_bod Why

Logging with ASP.NET Core Damien Bowden Microsoft MVP https://damienbod.com @damien_bod Why Logging? explain logging in ASP.NET Core & .NET Core how to add third party loggers What Microsoft provides Abstraction layer for logging in

573 views • 17 slides
LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic

LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic

Outline Launching of t he LHC Logging proj ect Mandat e, scope and obj ect ives LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic f unct ionalit ies Filt ering of dat a I nt erf acing t o ot

667 views • 3 slides
Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly

Lane ESD Technology Services Core Firewall Overview Districts Behind Firewall Blachly Creswell Crow-Applegate-Lorane Fern Ridge Junction City Lowell Mapleton Screened, but exempt from policies Marcola

539 views • 15 slides
Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3

Firewall vs. Scrambling 2 1 Review of Firewall argument Review of Hayden-Preskill 4 3 State-independent interior operators Interior operator from HP recovery 6 5 Resolution of the puzzle Effect of infalling observer 7 Discussions Beni

1.61k views • 106 slides
Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs.

Overview Firewall Security Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Chapter 8 Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security Devices Routers

291 views • 7 slides
Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between

Palo Alto Firewall What are next generation firewalls and how do they operate? Difference between NGFW and classic firewalls: Classic Firewall Next Generation Firewall Traffic filtering using Port, IP, and protocol Supported Supported VPN

1.23k views • 26 slides
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A

FIREMAN: A Toolkit for FIREwall Modeling and ANalysis Michael Lin All about firewalls A firewall is only as good as its configuration Big deal, it should be easy to configure a firewall, right? Basically... no. A Quantitative

507 views • 14 slides
dnstap (brief intro and update) Merike Kaeo

dnstap (brief intro and update) Merike Kaeo

dnstap (brief intro and update) Merike Kaeo merike@interne6den6ty.com NANOG61 - DNS Track dnstap What is it? High speed DNS logging without

420 views • 12 slides
Web Development Web eb developm elopment ent (at t a 10k k level) el) Typical web

Web Development Web eb developm elopment ent (at t a 10k k level) el) Typical web

Web Development Web eb developm elopment ent (at t a 10k k level) el) Typical web application components Programming language Framework Template system Rendering approaches Portland State University CS 430P/530 Internet,

1.17k views • 72 slides
Introduction to XML Patryk Czarnik XML and Applications 2015/2016 Lecture 1 29.02.2016 T

Introduction to XML Patryk Czarnik XML and Applications 2015/2016 Lecture 1 29.02.2016 T

Introduction to XML Patryk Czarnik XML and Applications 2015/2016 Lecture 1 29.02.2016 T ext markup roots The term markup origins from hints in manuscript to be printed in press. And she went on planning to herself how she would

681 views • 33 slides
Informatics 1: Data & Analysis Lecture 9: Trees and XML Ian Stark School of Informatics The

Informatics 1: Data & Analysis Lecture 9: Trees and XML Ian Stark School of Informatics The

Informatics 1: Data & Analysis Lecture 9: Trees and XML Ian Stark School of Informatics The University of Edinburgh Tuesday 12 February 2013 Semester 2 Week 5 N I V E U R S E I H T T Y O H F G R E

584 views • 22 slides
Compsci 201 201 More o e on T Trees es a and d Compu puter er S Scien ence Par art 1

Compsci 201 201 More o e on T Trees es a and d Compu puter er S Scien ence Par art 1

Compsci 201 201 More o e on T Trees es a and d Compu puter er S Scien ence Par art 1 1 of of 4 Susan Rodger April 22, 2020 4/22/2020 Compsci 201, Spring 2020 1 X Y Z is for XOR (A || B) && !(A && B)

1.03k views • 77 slides
Logging with Log4j and log aggregation with Apache flume By Arivoli.K,MDS201903 Naveen Kumar

Logging with Log4j and log aggregation with Apache flume By Arivoli.K,MDS201903 Naveen Kumar

Logging with Log4j and log aggregation with Apache flume By Arivoli.K,MDS201903 Naveen Kumar Reddy,MDS201909 Saager Babu NG,MDS201917 Suman Polley,MDS201935 Avinash Kumar, MDS201907 Why Logging is necessary? Here comes log4j Overview

1.01k views • 58 slides
meet #HOMER @ F O S D E M 2 0 1 6 Written by: Alexandr Dubovikov, Lorenzo Mangani HOMER

meet #HOMER @ F O S D E M 2 0 1 6 Written by: Alexandr Dubovikov, Lorenzo Mangani HOMER

ESPRESSO EDITION meet #HOMER @ F O S D E M 2 0 1 6 Written by: Alexandr Dubovikov, Lorenzo Mangani HOMER Development Team http://sipcapture.org Sponsored by QXIP BV - http://qxip.net ABOUT US Quick Introduction to QXIP and SIPCAPTURE QXIP

416 views • 15 slides
Linux Tools 0.6 Release Review Planned Review Date: 2010-06-23 Communication Channel:

Linux Tools 0.6 Release Review Planned Review Date: 2010-06-23 Communication Channel:

file:///Users/anne/Desktop/LinuxTools0.6ReleaseReview.html Linux Tools 0.6 Release Review Planned Review Date: 2010-06-23 Communication Channel: linuxtools-dev@eclipse.org (https://dev.eclipse.org/mailman/listinfo /linuxtools-dev) Author:

94 views • 5 slides

More recommend