Lire supports logs from many packet-filter firewalls.
Cisco routers running IOS™ can log activity via syslog. Lire is able to process the log entries that correspond to the packet filter; the other router messages (ISDN, link and line-protocol events in the sample below) are not packet-filter entries.
Example 9.1. IOS Log Sample
Aug 19 04:02:34 1.example.com.nl 218963: Aug 19 04:02:32.977: \
  %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed \
  state to down
Aug 19 04:02:34 1.example.com.nl 218964: Aug 19 04:02:33.262: \
  %ISDN-6-DISCONNECT: Interface BRI0:1 disconnected from \
  172605440 teraar, call lasted 42 seconds
Aug 19 04:02:35 1.example.com.nl 218965: Aug 19 04:02:33.266: \
  %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
Aug 19 04:02:38 1.example.com.nl 218966: Aug 19 04:02:36.103: \
  %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.1(4652) -> \
  10.0.0.2(80), 1 packet
Aug 19 04:02:45 1.example.com.nl 218967: Aug 19 04:02:43.543: \
  %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 86 changed to down
Aug 19 04:02:53 1.example.com.nl 218968: Aug 19 04:02:51.471: \
  %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.3(2162) -> \
  10.0.0.4(80), 1 packet
Aug 19 04:03:06 1.example.com.nl 218969: Aug 19 04:03:04.585: \
  %ISDN-6-LAYER2DOWN: Layer 2 for Interface BRI0, TEI 86 changed to down
Aug 19 04:03:10 1.example.com.nl 218970: Aug 19 04:03:08.867: \
  %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.5(2342) -> \
  10.0.0.6(80), 1 packet
Aug 19 04:03:12 1.example.com.nl 218971: Aug 19 04:03:10.771: \
  %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.7(1093) -> \
  10.0.0.8(80), 1 packet
Aug 19 04:03:36 1.example.com.nl 218972: Aug 19 04:03:34.373: \
  %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.9(3173) -> \
  10.0.0.10(80), 1 packet
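The following is an added example, not code from Lire or from this manual: it picks the access-list entries out of a stream of IOS syslog lines like the sample above, skips the ISDN/LINK/LINEPROTO messages that carry no packet-filter information, and tallies entries and packets per action. The regular expression, the field names and the sample lines (the page's entries with their continuations joined, plus one constructed "permitted" line) are this example's assumptions.

```python
import re
from collections import Counter
from typing import Optional

# Message body of the IOS access-list log entries shown in the sample above.
# The port groups are optional so the pattern also covers messages without
# ports (an assumption about the layout, not something taken from the page).
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<list>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<spt>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dpt>\d+)\))?, (?P<count>\d+) packets?"
)

# Constructed sample: four lines from the page with their "\" continuations
# joined, plus one "permitted" line that is not on the page.
SAMPLE = [
    "Aug 19 04:02:34 1.example.com.nl 218963: Aug 19 04:02:32.977: "
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down",
    "Aug 19 04:02:38 1.example.com.nl 218966: Aug 19 04:02:36.103: "
    "%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.1(4652) -> 10.0.0.2(80), 1 packet",
    "Aug 19 04:02:53 1.example.com.nl 218968: Aug 19 04:02:51.471: "
    "%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.3(2162) -> 10.0.0.4(80), 1 packet",
    "Aug 19 04:03:10 1.example.com.nl 218970: Aug 19 04:03:08.867: "
    "%SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.0.5(2342) -> 10.0.0.6(80), 1 packet",
    "Aug 19 04:03:40 1.example.com.nl 218973: Aug 19 04:03:38.101: "
    "%SEC-6-IPACCESSLOGP: list 102 permitted tcp 10.0.0.11(1200) -> 10.0.0.12(25), 3 packets",
]


def parse_ios_acl(line: str) -> Optional[dict]:
    """Return the access-list fields of an IOS syslog line, or None when the
    line is some other IOS message (ISDN, LINK, LINEPROTO, ...)."""
    m = ACL_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"]) if rec["spt"] is not None else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] is not None else None
    # The packet count is whatever the message reports for this entry.
    rec["count"] = int(rec["count"])
    return rec


def summarize(lines):
    """Count log entries and packets per action, skipping non-ACL lines."""
    entries, packets = Counter(), Counter()
    for line in lines:
        rec = parse_ios_acl(line)
        if rec is None:
            continue
        entries[rec["action"]] += 1
        packets[rec["action"]] += rec["count"]
    return entries, packets


if __name__ == "__main__":
    entries, packets = summarize(SAMPLE)
    print("entries per action:", dict(entries))
    print("packets per action:", dict(packets))
```

Keeping the packet count separate from the entry count matters for reporting: a single IOS message can stand for several packets, so counting lines alone under-reports what the access list actually blocked.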
IPChains logs packets marked for logging through syslog (actually through the kernel log buffer, which is usually forwarded to syslog). Lire expects the logs in the form of a syslog log file.
Example 9.2. IPChains Log Sample
Oct 28 04:02:30 firewall kernel: Packet log: output DENY eth0 PROTO=17 \
  10.0.0.1:137 10.0.0.2:137 L=78 S=0x00 I=36930 F=0x0000 T=64 (#7)
Oct 28 04:07:30 firewall kernel: Packet log: output DENY eth0 PROTO=17 \
  10.0.0.1:137 10.0.0.2:137 L=78 S=0x00 I=37211 F=0x0000 T=64 (#7)
Oct 28 04:07:40 firewall kernel: Packet log: input DENY eth1 PROTO=17 \
  10.0.0.3:138 10.0.0.4:138 L=256 S=0x00 I=37213 F=0x0000 T=64 (#7)
Oct 28 04:07:40 firewall kernel: Packet log: input DENY eth1 PROTO=17 \
  10.0.0.3:138 10.0.0.4:138 L=236 S=0x00 I=37214 F=0x0000 T=64 (#7)
Oct 28 04:08:20 firewall kernel: Packet log: output DENY lo PROTO=17 \
  10.0.0.5:138 10.0.0.2:138 L=256 S=0x00 I=37216 F=0x0000 T=64 (#7)
Oct 28 04:12:30 firewall kernel: Packet log: output DENY eth0 PROTO=17 \
  10.0.0.1:137 10.0.0.2:137 L=78 S=0x00 I=37255 F=0x0000 T=64 (#7)
Oct 28 04:17:30 firewall kernel: Packet log: output DENY eth0 PROTO=17 \
  10.0.0.1:137 10.0.0.2:137 L=78 S=0x00 I=37364 F=0x0000 T=64 (#7)
Oct 28 04:19:40 firewall kernel: Packet log: input DENY eth1 PROTO=17 \
  10.0.0.3:138 10.0.0.4:138 L=256 S=0x00 I=37440 F=0x0000 T=64 (#7)
Oct 28 04:19:40 firewall kernel: Packet log: input DENY eth1 PROTO=17 \
  10.0.0.3:138 10.0.0.4:138 L=236 S=0x00 I=37441 F=0x0000 T=64 (#7)
Oct 28 04:20:20 firewall kernel: Packet log: output DENY lo PROTO=17 \
  10.0.0.5:138 10.0.0.2:138 L=256 S=0x00 I=37453 F=0x0000 T=64 (#7)
IP Filter logs selected packets through syslog.
Example 9.3. IP Filter Log Sample
Oct 30 07:42:29 firewall ipmon[16747]: 07:42:28.585962 ie0 @0:9 \
  b 192.168.48.1,45085 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
Oct 30 07:40:24 firewall ipmon[16747]: 07:40:23.631307 ep1 @0:6 \
  b 192.168.26.5,113 -> 192.168.26.1,3717 PR tcp len 20 40 -AR OUT
Oct 30 07:42:29 firewall ipmon[16747]: 07:42:28.585962 ie0 @0:9 \
  b 192.168.48.1,45085 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
Oct 30 07:44:11 firewall ipmon[16747]: 07:44:10.605416 2x ep1 @0:15 \
  b 192.168.26.1,138 -> 192.168.26.255,138 PR udp len 20 257 IN
Oct 30 07:44:34 firewall ipmon[16747]: 07:44:33.891869 ie0 @0:10 \
  b 192.168.48.1,23406 -> 192.168.48.2,22 PR tcp len 20 64 -S OUT
IPTables logs packets marked for logging through syslog (actually through the kernel log buffer, which is usually forwarded to syslog). Lire expects the logs in the form of a syslog log file.
A problem with logs from IPTables is that the log entry itself does not say what happened to the packet (whether it was denied or permitted). The logging module of IPTables allows each logged packet to be tagged with a prefix. Lire interprets packets whose prefix contains one of the strings denied, drop, deny or reject as denied packets. All other packets get the unknown action value (-).
Example 9.4. IPTables Log Sample
Sep 21 11:45:17 lire kernel: Packet-drop IN=eth0 OUT=eth0 SRC=10.0.0.1 \
  DST=10.0.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=38365 DF \
  PROTO=TCP SPT=3117 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 21 11:45:20 lire kernel: Packet-drop IN=eth0 OUT=eth0 SRC=10.0.0.1 \
  DST=10.0.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=38478 DF \
  PROTO=TCP SPT=3117 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 21 11:45:26 lire kernel: Packet-drop IN=eth0 OUT=eth0 SRC=10.0.0.1 \
  DST=10.0.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=38680 DF \
  PROTO=TCP SPT=3117 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 21 11:52:46 lire kernel: Packet-drop IN=eth0 OUT=eth0 SRC=10.0.0.1 \
  DST=10.0.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=54122 DF \
  PROTO=TCP SPT=4532 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 21 11:52:49 lire kernel: Packet-drop IN=eth0 OUT=eth0 SRC=10.0.0.1 \
  DST=10.0.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=54222 DF \
  PROTO=TCP SPT=4532 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 21 11:52:55 lire kernel: Packet-drop IN=eth0 OUT=eth0 SRC=10.0.0.1 \
  DST=10.0.0.3 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=54443 DF \
  PROTO=TCP SPT=4532 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
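The prefix rule described above is the one piece of the IPTables format where the action has to be inferred rather than read. The following is an added example, not Lire's code: it splits an iptables kernel log line into its prefix, its key=value fields and its bare flags (DF, SYN), then derives the action from the prefix using the four strings the text lists. Matching those strings case-insensitively, keeping the first of two repeated keys, and the two sample lines that are not on the page (an "ssh-accept" prefix and a line logged with no prefix) are this example's assumptions.

```python
from collections import Counter
from typing import Any, Dict

# Strings that, when found in the log prefix, mark the packet as denied.
# The page lists the four words; matching case-insensitively is an assumption.
DENY_WORDS = ("denied", "drop", "deny", "reject")

# Constructed sample: one line from the page with its "\" continuations joined,
# plus two lines that are not on the page: one with an "ssh-accept" prefix and
# one UDP packet logged with no prefix at all.
SAMPLE = [
    "Sep 21 11:45:17 lire kernel: Packet-drop IN=eth0 OUT=eth0 SRC=10.0.0.1 "
    "DST=10.0.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=38365 DF "
    "PROTO=TCP SPT=3117 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Sep 21 11:46:02 lire kernel: ssh-accept IN=eth0 OUT= SRC=10.0.0.9 "
    "DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF "
    "PROTO=TCP SPT=40122 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Sep 21 11:46:10 lire kernel: IN=eth1 OUT= SRC=10.0.0.20 "
    "DST=10.0.0.2 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=7 "
    "PROTO=UDP SPT=137 DPT=137 LEN=58",
]


def classify_action(prefix: str) -> str:
    """Map a log prefix to the action value: "denied" or unknown ("-")."""
    text = prefix.lower()
    return "denied" if any(word in text for word in DENY_WORDS) else "-"


def parse_iptables(line: str) -> Dict[str, Any]:
    """Split an iptables kernel log line into prefix, key=value fields,
    bare flags (DF, SYN, ...) and the action derived from the prefix."""
    _, sep, body = line.partition("kernel: ")
    if not sep:
        raise ValueError("not a kernel log line: %r" % line)
    idx = body.find("IN=")
    if idx < 0:
        raise ValueError("no IN= field, not an iptables log entry: %r" % line)
    prefix = body[:idx].strip()          # whatever was set as the log prefix
    rec: Dict[str, Any] = {"prefix": prefix, "flags": set()}
    for tok in body[idx:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # OUT= gives an empty value
            # UDP entries repeat LEN (IP total length, then UDP length);
            # keep the first occurrence, the IP header's value.
            rec.setdefault(key, val)
        else:
            rec["flags"].add(tok)
    rec["action"] = classify_action(prefix)
    return rec


def summarize(lines):
    """Count entries per action and per (destination port, action) pair."""
    by_action, by_port = Counter(), Counter()
    for line in lines:
        rec = parse_iptables(line)
        by_action[rec["action"]] += 1
        by_port[(rec.get("DPT"), rec["action"])] += 1
    return by_action, by_port


if __name__ == "__main__":
    by_action, by_port = summarize(SAMPLE)
    print("entries per action:", dict(by_action))
    print("per destination port and action:", dict(by_port))
```

The practical consequence for anyone writing iptables rules is visible in the last sample line: a LOG rule without a prefix (or with a prefix that carries none of the four words) produces entries that a report can only file under the unknown action, so choosing prefixes that name the verdict is what makes the resulting report useful.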
The WELF format is a format developed by WebTrends and supported by many firewall vendors. Products can save log files in that format directly or can log through syslog. Lire accepts either native WELF log files or syslog log files containing WELF records. Although that log format isn't designed for packet-filter firewalls (it can contain information from devices that do network intrusion detection or proxy services), Lire does its best to map this information to something meaningful.
Example 9.5. WELF Log Sample
WTsyslog[1998-08-01 14:05:46 ip=10.0.0.1 pri=6] id=firewall \
  time="1998-08-01 04:10:23" fw=WebTrendsSample pri=5 \
  msg="ICMP packet dropped" src=10.0.0.2 dst=10.0.0.3 rule=3
WTsyslog[1998-08-01 16:31:00 ip=10.0.0.1 pri=6] id=firewall \
  time="1998-08-01 10:35:38" fw=WebTrendsSample pri=6 \
  proto=tcp/443 src=10.0.0.4 dst=10.0.0.5 rcvd=4844
WTsyslog[1998-08-01 16:31:01 ip=10.0.0.1 pri=6] id=firewall \
  time="1998-08-01 10:35:38" fw=WebTrendsSample pri=6 proto=tcp/443 \
  src=10.0.0.4 dst=10.0.0.5 rcvd=6601
WTsyslog[1998-08-01 16:43:59 ip=10.0.0.1 pri=6] id=firewall \
  time="1998-08-01 10:48:36" fw=WebTrendsSample pri=5 \
  msg="UDP packet dropped" src=10.0.0.6 dst=10.0.0.3 rule=3
WTsyslog[1998-08-01 16:46:13 ip=10.0.0.1 pri=6] id=firewall \
  time="1998-08-01 10:50:50" fw=WebTrendsSample pri=5 \
  msg="UDP packet dropped" src=10.0.0.7 dst=10.0.0.3 rule=3
WTsyslog[1998-08-01 16:46:13 ip=10.0.0.1 pri=6] id=firewall \
  time="1998-08-01 10:50:50" fw=WebTrendsSample pri=6 proto=telnet \
  src=10.0.0.4 dst=10.0.0.8 sent=1194
Lire also supports some extensions to WELF used by SonicWall.
Example 9.6. SonicWall Log Sample
Jan 7 15:01:10 lire id=firewall sn=asdlFFFXSD \
  time="2002-01-06 22:42:13" fw=10.0.0.1 pri=6 c=1 m=30 \
  msg="Administrator login failed - incorrect password" n=1 \
  src=10.0.0.2:LAN dst=10.0.0.1
Jan 7 15:01:16 lire id=firewall sn=asdlFFFXSD \
  time="2002-01-06 22:42:19" fw=10.0.0.1 pri=6 c=1 m=29 \
  msg="Successful administrator login" n=1 src=10.0.0.2:LAN dst=10.0.0.1
Jan 7 15:02:32 lire id=firewall sn=asdlFFFXSD \
  time="2002-01-06 22:43:34" fw=10.0.0.1 pri=5 c=128 m=37 \
  msg="UDP packet dropped" n=1 src=10.0.0.3:68 dst=10.0.0.4:67 dstname=DHCP
Jan 7 15:31:43 lire id=firewall time="2002-01-07 15:20:21" \
  fw=10.0.0.5 pri=6 proto=dns src=10.0.0.6 dst=10.0.0.8 rcvd=130 \
  sn=asdlFFFXSD 54 c=1024 m=98 n=31
Jan 7 15:31:43 10.0.0.5 id=firewall time="2002-01-07 15:20:21" \
  fw=10.0.0.5 pri=6 proto=dns src=10.0.0.6 dst=10.0.0.9 rcvd=130 \
  sn=asdlFFFXSD 54 c=1024 m=98 n=32
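The WELF description and the SonicWall sample above share one parsing problem: key=value records whose values may be quoted and contain spaces, wrapped either in a WTsyslog[...] header or in an ordinary syslog header, and (for SonicWall) carrying extra fields such as sn, c, m and n, zone-tagged endpoints like src=10.0.0.2:LAN, and stray bare tokens. The following is an added example serving both passages; it is not Lire's code and its mapping is not Lire's. The assumptions are: the record starts at the first id= token, a value of the form host:port or host:ZONE is split that way, a msg containing "dropped" counts as a denied packet and anything else as unknown (-), and the sample lines are the page's with their continuations joined.

```python
import re
from typing import Any, Dict, Optional, Tuple

# One WELF key=value pair: the value is either double-quoted (and may contain
# spaces, as in msg="UDP packet dropped") or a bare run of non-blank characters.
KV_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')

# Constructed sample: lines from the WELF and SonicWall examples above with
# their "\" continuations joined.
SAMPLE = [
    'WTsyslog[1998-08-01 14:05:46 ip=10.0.0.1 pri=6] id=firewall '
    'time="1998-08-01 04:10:23" fw=WebTrendsSample pri=5 '
    'msg="ICMP packet dropped" src=10.0.0.2 dst=10.0.0.3 rule=3',
    'WTsyslog[1998-08-01 16:31:00 ip=10.0.0.1 pri=6] id=firewall '
    'time="1998-08-01 10:35:38" fw=WebTrendsSample pri=6 '
    'proto=tcp/443 src=10.0.0.4 dst=10.0.0.5 rcvd=4844',
    'Jan 7 15:01:10 lire id=firewall sn=asdlFFFXSD '
    'time="2002-01-06 22:42:13" fw=10.0.0.1 pri=6 c=1 m=30 '
    'msg="Administrator login failed - incorrect password" n=1 '
    'src=10.0.0.2:LAN dst=10.0.0.1',
    'Jan 7 15:02:32 lire id=firewall sn=asdlFFFXSD '
    'time="2002-01-06 22:43:34" fw=10.0.0.1 pri=5 c=128 m=37 '
    'msg="UDP packet dropped" n=1 src=10.0.0.3:68 dst=10.0.0.4:67 dstname=DHCP',
    'Jan 7 15:31:43 lire id=firewall time="2002-01-07 15:20:21" '
    'fw=10.0.0.5 pri=6 proto=dns src=10.0.0.6 dst=10.0.0.8 rcvd=130 '
    'sn=asdlFFFXSD 54 c=1024 m=98 n=31',
]


def welf_fields(line: str) -> Dict[str, str]:
    """Extract the key=value pairs of a WELF record, whether it sits behind
    a WTsyslog[...] header or a plain syslog header. The record is assumed
    to start at the first "id=" token, so the header's own ip= and pri= do
    not leak into it; bare tokens without "=" (the stray "54" in the
    SonicWall sample) are ignored."""
    start = re.search(r"\bid=", line)
    if start is None:
        raise ValueError("no WELF record found: %r" % line)
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(line, start.start()):
        quoted = m.group("quoted")
        fields[m.group("key")] = quoted if quoted is not None else m.group("bare")
    return fields


def split_endpoint(value: str) -> Tuple[Optional[str], Optional[int], Optional[str]]:
    """SonicWall writes src/dst as host:port or host:ZONE; return
    (host, port, zone) with the absent parts as None."""
    if not value:
        return None, None, None
    host, _, tail = value.partition(":")
    if tail.isdigit():
        return host, int(tail), None
    return host, None, (tail or None)


def normalize(fields: Dict[str, str]) -> Dict[str, Any]:
    """Map a WELF record onto the fields a packet-filter report needs.
    The action rule (msg containing "dropped" means denied, anything else
    is unknown "-") is this example's assumption, not Lire's mapping."""
    src, spt, src_zone = split_endpoint(fields.get("src", ""))
    dst, dpt, dst_zone = split_endpoint(fields.get("dst", ""))
    proto, _, service = fields.get("proto", "").partition("/")
    if dpt is None and service.isdigit():
        dpt = int(service)          # proto=tcp/443 carries the port itself
    msg = fields.get("msg", "")
    return {
        "time": fields.get("time"),
        "fw": fields.get("fw"),
        "src": src, "spt": spt, "src_zone": src_zone,
        "dst": dst, "dpt": dpt, "dst_zone": dst_zone,
        "proto": proto or None,
        "action": "denied" if "dropped" in msg.lower() else "-",
        "bytes": int(fields.get("rcvd", 0)) + int(fields.get("sent", 0)),
        "msg": msg or None,
    }


def parse_welf(line: str) -> Dict[str, Any]:
    return normalize(welf_fields(line))


if __name__ == "__main__":
    for line in SAMPLE:
        rec = parse_welf(line)
        print(rec["time"], rec["action"], rec["src"], "->", rec["dst"], rec["dpt"], rec["msg"])
```

Note what the normalisation keeps and what it loses: the administrator-login messages in the SonicWall sample come through with action "-" and no ports, because they are not packet-filter events at all. That is the "does its best" caveat from the WELF description made concrete, and it is why such records are better reported on their msg text than forced into a src/dst/port table.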