4797255 2000-02-14 20:01 /153 rader/ Postmaster
Mottagare: Bugtraq (import) <9759>
Ärende: Packet Tracing (linux klog patch)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Content-Type: text/plain
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID: <0002121952193T.02552@smp>
Date: Sat, 12 Feb 2000 16:34:27 -0800
Reply-To: Dragos Ruiu <dr@DURSEC.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Dragos Ruiu <dr@DURSEC.COM>
Organization: kyx.net
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
One of the problems that people have is logging the origin of the
attack streams and tracing packet paths through the networks. Here is
a small bit of code that may help you inexpensively deploy some
packet loggers at key network ingress/egress points. The real
solution is to get Dragon or NFR or some other really kick ass IDS
sensor stuff. But for those ISPs on a budget, that just want to build
a quick and dirty forensic logger to track down or follow the path to
the origin of attacks, here is a Linux kernel patch that turns any
Linux system into an ethernet logger that records mac address, ip
address, ports and protocols with a timestamp in the system log.
It can be activated and deactivated at the system console with two
keystrokes, see build instructions below. It's from a tool set of an
article I was working on, but it seemed relevant so I'll release it
in advance. It started life as a project to build a sniffer small
enough to type from memory. It's simple enough that you should be
able to tweak the output format to suit your own tastes. It is
intended to be small and light so as to lose as few packets as
possible.
One nice application is to build a very stripped down Linux system
and turn it on to log packets using a simple low cost pc or rack
server. Depending on your traffic rate and your disk size you may be
able to store a pretty good time window of traffic. If it's not
enough... time for a commercial product with fancy data structures
and compression. :-) We'll be covering stuff like this during our
training at CanSecWest (plug, plug :-).
P.S. I have a message for all the silly bad ass ddos bozos:
If this is for fun... you'll probably have less fun in the
long run by being detrimental to others.
comments, feedback, enhancements welcome...
--dr
kyx.net
Learn Kanga-Foo - www.dursec.com
this is a patch for /usr/src/linux/net/ethernet/eth.c:
--kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx--
***************
*** 182,196 ****
--- 184,295 ----
unsigned char *rawp;
skb->mac.raw=skb->data;
+
+ /*Linux Kernel Forensic Logger --dr@dursec.com*/
+ eth = skb->mac.ethernet;
+ if( *((u16*)((u8*)skb->data+12)) == 0x0608 )
+ {
+ printk(">>ARP<< ");
+ if(*((u16*)((u8*)skb->data+20)) == 0x0100)
+ printk("req ");
+ else if(*((u16*)((u8*)skb->data+20)) == 0x0200)
+ printk("REP");
+ printk("T:%03d.%03d.%03d.%03d:%02x%02x%02x%02x%02x%02x S:%03d.%03d.%03d.%03d:%02x%02x%02x%02x%02x%02x\n",
+ *((u8*)skb->data+38), *((u8*)skb->data+39), *((u8*)skb->data+40),
+ *((u8*)skb->data+41), *((u8*)skb->data+32), *((u8*)skb->data+33),
+ *((u8*)skb->data+34), *((u8*)skb->data+35), *((u8*)skb->data+36),
+ *((u8*)skb->data+37), *((u8*)skb->data+28), *((u8*)skb->data+29),
+ *((u8*)skb->data+30), *((u8*)skb->data+31), *((u8*)skb->data+22),
+ *((u8*)skb->data+23), *((u8*)skb->data+24), *((u8*)skb->data+25),
+ *((u8*)skb->data+26), *((u8*)skb->data+27));
+ }
+ else if( *((u16*)((u8*)skb->data+12)) == 0x0008 )
+ {
+ printk(">>IP<< ");
+ switch(*((u8*)skb->data+23))
+ {
+ case 1: printk("ICMP%d ", ((u8*)skb->data+34));
+ break;
+ case 2: printk("IGMP ");
+ break;
+ case 0x11: printk("UDP ");
+ }
+ if (*((u16*)((u8*)skb->data+34)) == 0x4300 ||
+ *((u16*)((u8*)skb->data+36)) == 0x4400)
+ {
+ printk("DHCP ");
+ if(*((u8*)skb->data+42) == 1)
+ printk("req ");
+ else if(*((u8*)skb->data+42) == 2)
+ printk("REP ");
+ else printk("invalid ");
+ }
+ else if(*((u16*)((u8*)skb->data+34)) == 0x3500 ||
+ *((u16*)((u8*)skb->data+36)) == 0x3500)
+ printk("DNS ");
+ printk("s:%03d.%03d.%03d.%03d:%d d:%03d.%03d.%03d.%03d:%d %d bytes hl:%02x iplen:%04x ttl:%u\n",
+ *((u8*)skb->data+30), *((u8*)skb->data+31), *((u8*)skb->data+32),
+ *((u8*)skb->data+33), *((u8*)skb->data+37) + (*((u8*)skb->data+36) << 8),
+ *((u8*)skb->data+26), *((u8*)skb->data+27), *((u8*)skb->data+28),
+ *((u8*)skb->data+29), *((u8*)skb->data+35) + (*((u8*)skb->data+34) << 8),
+ skb->len, *((u8*)skb->data+14), *((u8*)skb->data+17) + (*((u8*)skb->data+16) << 8),
+ *((u8*)skb->data+22));
+ }
+ if(*eth->h_dest&1)
+ printk("BCAST-ETH ");
+ if (*(unsigned short *)((u8*)skb->data+12) == 0xFFFF)
+ printk("IPX ");
+ printk("-- MAC:");
+ for(rawp = skb->mac.raw; rawp - skb->mac.raw < 12; rawp++)
+ {
+ printk("%02x",((u8*)eth->h_source)[rawp - skb->mac.raw]);
+ if (rawp - skb->mac.raw == 5) printk(":");
+ }
+ printk("\n");
+ /*eoklog --dr*/
skb_pull(skb,dev->hard_header_len);
eth= skb->mac.ethernet;
--kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx--
Klog INSTRUCTIONS:
To use this logger, patch /usr/src/linux/net/ethernet/eth.c, and
rebuild your kernel. (It's recommended that you enable the Magic
SysRq key code.) It's been used under lots of different kernel
versions with success....
How to use it:
-This patch makes the kernel log all ethernet packets to syslog.
-The logging happens at the default level. I.e. normally on.
-You can turn logging on and off at the console by using the Magic
SysRq key
and a number to change the logging level.
-Put the interface into promiscuous mode: ifconfig eth0 promisc
Notes:
-It makes a neat hotkey sniffer when using the text console too.
-It seems to run pretty fast. Any benchmark data
welcome(-->dr@dursec.com).
-try a tail -f /var/log/messages for real time display
cheers,
--dr
--
dursec.com / kyx.net - we're from the future http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - April 19-21 Vancouver
Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max
Vision/whitehats.com
(4797255) ------------------------------------------(Ombruten)
4802086 2000-02-15 22:24 /277 rader/ Postmaster
Mottagare: Bugtraq (import) <9786>
Ärende: Packet filter logging: MAC & TCP flags
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BugTraq@securityfocus.com
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Message-ID: <38A91674.4D445C4D@rz.rwth-aachen.de>
Date: Tue, 15 Feb 2000 10:03:48 +0100
Reply-To: Jens Hektor <hektor@RZ.RWTH-AACHEN.DE>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Jens Hektor <hektor@RZ.RWTH-AACHEN.DE>
X-To: BugTraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Hi,
as a response to Dragos Ruiu's posting the following might
be of interest to some of you.
In the need for more detailed information recorded by the
linux kernel v2.2 packet filtering facility I developed
a patch that shows MAC adress and TCP flags for every packet
that is marked for logging in the chain-rules.
Maybe this is a more convenient solution for those who use
linux boxes as packet filters.
This patch is essentially a backport from the linux kernel v2.3
ipfilter package. It has been sent to R.Russel for approval and
maybe it finds the way into stock 2.2.
Bye, Jens Hektor
-------------- cut here -----------------
*** linux-2.2.14/net/ipv4/ip_fw.c.orig Wed Feb 2 08:05:48 2000
--- linux-2.2.14/net/ipv4/ip_fw.c Wed Feb 2 08:29:09 2000
***************
*** 411,417 ****
__u16 src_port,
__u16 dst_port,
unsigned int count,
! int syn)
{
__u32 *opt = (__u32 *) (ip + 1);
int opti;
--- 411,418 ----
__u16 src_port,
__u16 dst_port,
unsigned int count,
! int syn,
! unsigned char *machdr)
{
__u32 *opt = (__u32 *) (ip + 1);
int opti;
***************
*** 443,449 ****
for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4);
opti++)
printk(" O=0x%8.8X", *opt++);
! printk(" %s(#%d)\n", syn ? "SYN " : /* "PENANCE" */ "", count);
}
/* function for checking chain labels for user space. */
--- 444,476 ----
for (opti = 0; opti < (ip->ihl - sizeof(struct iphdr) / 4);
opti++)
printk(" O=0x%8.8X", *opt++);
! printk(" %s(#%d)", syn ? "SYN " : /* "PENANCE" */ "", count);
!
! /* This code added to get a more detailed information about
! * portscanners */
! if (ip->protocol == IPPROTO_TCP
! && !(ip->frag_off & __constant_htons(IP_OFFSET))) {
! struct tcphdr *tcp = (struct tcphdr *)((__u32 *)ip + ip->ihl);
! printk(" FLAGS:%c%c%c%c%c%c",
! tcp->urg ? 'U' : '-',
! tcp->ack ? 'A' : '-',
! tcp->psh ? 'P' : '-',
! tcp->rst ? 'R' : '-',
! tcp->syn ? 'S' : '-',
! tcp->fin ? 'F' : '-');
! }
!
! if (machdr) {
! /* We don't need to be efficient. */
! struct device *dev = dev_get(ifname);
!
! if (dev) {
! unsigned int i;
! for (i = 0; i < dev->hard_header_len; i++)
! printk("%c%02x", i ? ':' : ' ', machdr[i]);
! }
! }
! printk("\n");
}
/* function for checking chain labels for user space. */
***************
*** 541,552 ****
unsigned int slot,
__u16 src_port, __u16 dst_port,
unsigned int count,
! int tcpsyn)
{
f->counters[slot].bcnt+=ntohs(ip->tot_len);
f->counters[slot].pcnt++;
if (f->ipfw.fw_flg & IP_FW_F_PRN) {
! dump_packet(ip,rif,f,label,src_port,dst_port,count,tcpsyn);
}
ip->tos = (ip->tos & f->ipfw.fw_tosand) ^ f->ipfw.fw_tosxor;
--- 568,581 ----
unsigned int slot,
__u16 src_port, __u16 dst_port,
unsigned int count,
! int tcpsyn,
! int validmac)
{
f->counters[slot].bcnt+=ntohs(ip->tot_len);
f->counters[slot].pcnt++;
if (f->ipfw.fw_flg & IP_FW_F_PRN) {
! dump_packet(ip,rif,f,label,src_port,dst_port,count,tcpsyn,
! validmac ? skb->mac.raw : NULL);
}
ip->tos = (ip->tos & f->ipfw.fw_tosand) ^ f->ipfw.fw_tosxor;
***************
*** 599,605 ****
struct ip_chain *chain,
struct sk_buff *skb,
unsigned int slot,
! int testing)
{
struct tcphdr *tcp=(struct tcphdr *)((__u32 *)ip+ip->ihl);
struct udphdr *udp=(struct udphdr *)((__u32 *)ip+ip->ihl);
--- 628,635 ----
struct ip_chain *chain,
struct sk_buff *skb,
unsigned int slot,
! int testing,
! int validmac)
{
struct tcphdr *tcp=(struct tcphdr *)((__u32 *)ip+ip->ihl);
struct udphdr *udp=(struct udphdr *)((__u32 *)ip+ip->ihl);
***************
*** 632,638 ****
if (offset == 1 && ip->protocol == IPPROTO_TCP) {
if (!testing && net_ratelimit()) {
printk("Suspect TCP fragment.\n");
! dump_packet(ip,rif,NULL,NULL,0,0,0,0);
}
return FW_BLOCK;
}
--- 662,669 ----
if (offset == 1 && ip->protocol == IPPROTO_TCP) {
if (!testing && net_ratelimit()) {
printk("Suspect TCP fragment.\n");
! dump_packet(ip,rif,NULL,NULL,0,0,0,0,
! validmac ? skb->mac.raw : NULL);
}
return FW_BLOCK;
}
***************
*** 667,673 ****
if (offset && (ntohs(ip->frag_off) & IP_MF)) {
if (!testing && net_ratelimit()) {
printk("Suspect short first fragment.\n");
! dump_packet(ip,rif,NULL,NULL,0,0,0,0);
}
return FW_BLOCK;
}
--- 698,705 ----
if (offset && (ntohs(ip->frag_off) & IP_MF)) {
if (!testing && net_ratelimit()) {
printk("Suspect short first fragment.\n");
! dump_packet(ip,rif,NULL,NULL,0,0,0,0,
! validmac ? skb->mac.raw : NULL);
}
return FW_BLOCK;
}
***************
*** 745,751 ****
&& !ip_fw_domatch(f, ip, rif, chain->label,
skb, slot,
src_port, dst_port,
! count, tcpsyn)) {
ret = FW_BLOCK;
goto out;
}
--- 777,784 ----
&& !ip_fw_domatch(f, ip, rif, chain->label,
skb, slot,
src_port, dst_port,
! count, tcpsyn,
! validmac)) {
ret = FW_BLOCK;
goto out;
}
***************
*** 1357,1363 ****
else {
ret = ip_fw_check(ip,
new->fwt_packet.fwp_vianame,
NULL, chain,
! NULL, SLOT_NUMBER(), 1);
switch (ret) {
case FW_ACCEPT:
ret = 0; break;
--- 1390,1396 ----
else {
ret = ip_fw_check(ip,
new->fwt_packet.fwp_vianame,
NULL, chain,
! NULL, SLOT_NUMBER(), 1, 0);
switch (ret) {
case FW_ACCEPT:
ret = 0; break;
***************
*** 1698,1704 ****
void *phdr, void *arg, struct sk_buff **pskb)
{
return ip_fw_check(phdr, dev->name,
! arg, IP_FW_INPUT_CHAIN, *pskb, SLOT_NUMBER(), 0);
}
int ipfw_output_check(struct firewall_ops *this, int pf, struct
device *dev,
--- 1731,1738 ----
void *phdr, void *arg, struct sk_buff **pskb)
{
return ip_fw_check(phdr, dev->name,
! arg, IP_FW_INPUT_CHAIN, *pskb, SLOT_NUMBER(), 0,
! 1);
}
int ipfw_output_check(struct firewall_ops *this, int pf, struct device *dev,
***************
*** 1709,1722 ****
|| (*pskb)->len < sizeof(struct iphdr))
return FW_ACCEPT;
return ip_fw_check(phdr, dev->name,
! arg, IP_FW_OUTPUT_CHAIN, *pskb, SLOT_NUMBER(), 0);
}
int ipfw_forward_check(struct firewall_ops *this, int pf, struct device *dev,
void *phdr, void *arg, struct sk_buff **pskb)
{
return ip_fw_check(phdr, dev->name,
! arg, IP_FW_FORWARD_CHAIN, *pskb, SLOT_NUMBER(), 0);
}
struct firewall_ops ipfw_ops=
--- 1743,1758 ----
|| (*pskb)->len < sizeof(struct iphdr))
return FW_ACCEPT;
return ip_fw_check(phdr, dev->name,
! arg, IP_FW_OUTPUT_CHAIN, *pskb, SLOT_NUMBER(), 0,
! 0);
}
int ipfw_forward_check(struct firewall_ops *this, int pf, struct device *dev,
void *phdr, void *arg, struct sk_buff **pskb)
{
return ip_fw_check(phdr, dev->name,
! arg, IP_FW_FORWARD_CHAIN, *pskb, SLOT_NUMBER(), 0,
! 0);
}
struct firewall_ops ipfw_ops=
-------------- cut here -----------------
-- Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074
Aachen Computing Center Technical University Aachen,
firewalls/network security mailto:hektor@RZ.RWTH-Aachen.DE, Tel.: nur
TH 31376, Raum: 2.35 Private: Rochusstr. 26, D52062 Aachen, Fon: +49
241 29888, Fax: % 29889
(4802086) ------------------------------------------(Ombruten)
4807141 2000-02-17 08:24 /43 rader/ Postmaster
Mottagare: Bugtraq (import) <9813>
Ärende: Re: Packet Tracing (linux klog patch)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.BSF.4.20.0002152327130.61203-100000@mx.webgiro.com>
Date: Tue, 15 Feb 2000 23:32:08 +0100
Reply-To: Andrzej Bialecki <abial@WEBGIRO.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Andrzej Bialecki <abial@WEBGIRO.COM>
X-To: Dragos Ruiu <dr@DURSEC.COM>
X-cc: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <0002121952193T.02552@smp>
On Sat, 12 Feb 2000, Dragos Ruiu wrote:
> How to use it:
> -This patch makes the kernel log all ethernet packets to syslog.
> -The logging happens at the default level. I.e. normally on.
> -You can turn logging on and off at the console by using the Magic SysRq key
> and a number to change the logging level.
> -Put the interface into promiscuous mode: ifconfig eth0 promisc
>
> Notes:
> -It makes a neat hotkey sniffer when using the text console too.
> -It seems to run pretty fast. Any benchmark data welcome(-->dr@dursec.com).
> -try a tail -f /var/log/messages for real time display
I was wondering... Are you sure it doesn't overrun the kernel message
buffer? I noticed that sometimes, when you produce tons of messages
from within the kernel, some of them are lost.
I would rather use package as NeTraMet for doing this - it also does
very nice traffic compression in the form of flows - very fast,
extremely flexible, uses standard libpcap, doesn't require kernel
patching etc...
Andrzej Bialecki
// <abial@webgiro.com> WebGiro AB, Sweden (http://www.webgiro.com)
// -------------------------------------------------------------------
// ------ FreeBSD: The Power to Serve. http://www.freebsd.org --------
// --- Small & Embedded FreeBSD: http://www.freebsd.org/~picobsd/ ----
(4807141) ------------------------------------------(Ombruten)