FIREWALL LOG DAEMON for LINUX
firelogd

DISCLAIMER:

This software is offered for free and without restrictions of any sort except that you agree not to hold me responsible if it does something you don't like. If that does happen I would appreciate hearing about it.

THIS IS NOT A FIREWALL! It will not increase the security of your machines except that it makes it easy to review your log data and/or respond to it. It will not affect your existing log setup.

DESCRIPTION:

This is a program that will parse ipchains or netfilter (iptables) log data in real time. It will queue up a small batch of alerts and mail them to you. It can also be used to parse an existing log file, and it will take log data on standard input for formatting.

FEATURES:

It features host name resolution and port/protocol lookups as well as icmp code/type data. It was designed to be run as a daemon process, but you can use it to output data to a terminal or to turn a logfile into something readable. Output preprocessor templates can be written to format the data any way you like. Some examples are given.

HOW DOES IT WORK?

Firelogd reads a FIFO (first in, first out) file that is written by syslog. Syslog writes to the pipe and firelogd is there to parse the log entry into human readable format. It will save a (BUFFERSIZE) number of log alerts and mail them to you when the threshold is reached. This will not change anything about your current log setup, but it will make it easier to review and respond to security threats. If nothing else, you will end up *actually reading* your firewall log entries.

TABLES AND CHAINS TOGETHER:

Firelogd does not care what kind of log data it is given. It will figure it out as soon as a log line matches an internal regular expression. Once a line matches for iptables or ipchains log data, it will stop trying to match the other.
If you are in a mixed logging environment (running a log server or testing both chain and table configurations) you can use the "-m" option to cause the program to keep trying to match both types of data. This imposes a performance penalty, so don't use it unless you need it.

INSTALLATION:

Read the file QUICKSTART for information on building and installing firelogd. The sources should build on any system with a compiler and semi-recent libs.

BUILD TARGETS:

    make easy       setup, make, install, start program
    make            build the executable
    make install    copy it to /usr/sbin/
    make setup      create a fifo in /var/log, add it to syslog

POST INSTALLATION

Read the documentation. Good for you! You already knew that.

You will need to add the program to your startup scripts if you want it to continue working for you after a reboot. The easiest way to do this is to add a line to /etc/rc.d/rc.local that will run the program after startup.

SECURITY NOTE

This program has been carefully tested in an attempt to find weaknesses, and the log data it reads comes from your kernel, not from the net. Nevertheless, you should be aware that ANY program could have holes in it, including the kernel. This program can be run as a user other than root; just modify the file permissions.

RUNNING THE PROGRAM:

If you run the program without options it will open the default file (FIFO) and block (wait) until there is log data sent by syslog. You can start this in a terminal and watch as log data comes in. It will print to the screen. Eventually you will want to stop watching the screen... CTRL-C will stop it.

Be aware that because firelogd will attempt to resolve all IP addresses, you may see some delay in the output. This is normally only a problem if your DNS system is not set up properly. Even if DNS is working properly, some queries will have to time out.

Start the program with the "-d" flag and it will go away and watch your FIFO for log data.
When the default number of log entries is reached, it will send you email with the formatted log data. The default email address is "root", which will get sent to the local machine. You can specify an email address by using the "-e" option.

Examples:

    -e myaddr@other.host.net
    -eian

The default number of log entries before mailing is 10. You can change it by using the "-b" option.

If you want to crunch an existing log file you can specify the file by using the "-l" option. This will also work on a FIFO.

Example:

    (if daemon is not already running)
        firelogd -l /var/log/messages > ~/badguys.log
    -or-
    (if daemon is already running)
        firelogd - < /var/log/messages > ~/firewall_hits

The default log source is /var/log/kernelpipe

You can alter the output format by using an output preprocessor template (see below). The default location for templates is /etc/firelog.conf. If there is no template file there or on the command line, the internal default output format will result.

EXTENDED PORT/SERVICES AND ICMP LOOKUP

If you used "make install" you will find three new files in your /etc directory. The file /etc/firelog.conf is for output templates. The file /etc/iana-icmp-numbers is for icmp type/code lookup. The file /etc/iana-port-numbers is used for port and service lookups (you can disable this via the command line with -s). You can replace this file with any file in the "services" format. For example, if you have nmap, you can use nmap-services to get information on ports that are known to be trojans/backdoors.
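The behaviour described above (format detection that locks onto iptables or ipchains after the first match, the "-m" mixed mode, the BUFFERSIZE/-b mail threshold, and the getservbyport fallback behind -s) is small enough to show end to end. The block below is an added example written for this page, not firelogd's own code: the regular expressions, the alert dictionary layout, the sample syslog lines (constructed, with documentation addresses) and the `deliver` callback that stands in for the mailer are all assumptions of this example.

```python
"""Constructed example of firelogd's core loop (not firelogd's own code): tell
netfilter (iptables) log lines from ipchains ones, lock onto the first format
that matches unless mixed mode is on, and queue alerts up to a mail threshold."""
import re
import socket
import sys

# Netfilter LOG output: "IN=eth0 OUT= ... SRC=a DST=b ... PROTO=TCP SPT=n DPT=m";
# ICMP packets log TYPE=/CODE= instead of ports.
IPTABLES_RE = re.compile(
    r"IN=(?P<iface>\S*) OUT=\S* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)| TYPE=(?P<type>\d+) CODE=(?P<code>\d+))?")
# ipchains "-l" output: "Packet log: input DENY eth0 PROTO=6 a:spt b:dpt L=.. ..."
# (for ICMP the two "ports" carry type and code).
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<spt>\d+) (?P<dst>[\d.]+):(?P<dpt>\d+)")
PATTERNS = {"iptables": IPTABLES_RE, "ipchains": IPCHAINS_RE}
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # ipchains logs protocol numbers


class FirewallLogParser:
    """Tries both formats until one matches, then (unless mixed) only that one."""

    def __init__(self, mixed=False):
        self.mixed = mixed    # "-m": keep testing both formats on every line
        self.locked = None    # format name once a line has matched

    def parse(self, line):
        kinds = [self.locked] if self.locked and not self.mixed else list(PATTERNS)
        for kind in kinds:
            m = PATTERNS[kind].search(line)
            if m is None:
                continue
            if not self.mixed:
                self.locked = kind
            d = m.groupdict()
            alert = {"kind": kind, "iface": d["iface"], "src": d["src"], "dst": d["dst"],
                     "proto": PROTO_NAMES.get(d["proto"], d["proto"]).upper(),
                     "spt": d.get("spt"), "dpt": d.get("dpt"), "chain": d.get("chain"),
                     "action": d.get("action")}
            if d.get("type") is not None:      # netfilter ICMP: TYPE/CODE, no ports
                alert["spt"], alert["dpt"] = d["type"], d["code"]
            return alert
        return None


def service_name(port, proto):
    """Port -> name via the system services file (the -s / getservbyport
    fallback); the bare number when there is no entry."""
    try:
        return socket.getservbyport(int(port), proto.lower())
    except (OSError, ValueError, TypeError):
        return str(port)


def format_alert(a):
    """One readable line per logged packet (stands in for the default template)."""
    where = f"{a['chain']}/{a['action']} " if a["chain"] else ""
    head = f"[{a['kind']}] {where}{a['iface']} {a['proto']} {a['src']}"
    if a["proto"] == "ICMP":
        return f"{head} -> {a['dst']} type={a['spt']} code={a['dpt']}"
    if a["spt"] is None:                       # e.g. GRE: no port fields logged
        return f"{head} -> {a['dst']}"
    return f"{head}:{a['spt']} -> {a['dst']}:{a['dpt']} ({service_name(a['dpt'], a['proto'])})"


class AlertBatcher:
    """Queues alerts and hands them to `deliver` (the mailer) once `threshold`
    entries, i.e. BUFFERSIZE / the -b value, have accumulated."""

    def __init__(self, threshold=10, deliver=print):
        self.threshold, self.deliver, self.pending = threshold, deliver, []

    def add(self, text):
        self.pending.append(text)
        if len(self.pending) >= self.threshold:
            self.flush()

    def flush(self):
        if self.pending:
            self.deliver(list(self.pending))
            self.pending = []


def process_lines(lines, threshold=10, mixed=False):
    """Feed syslog lines through parser and batcher; returns (batches, skipped)."""
    batches, skipped = [], 0
    parser, batcher = FirewallLogParser(mixed), AlertBatcher(threshold, batches.append)
    for line in lines:
        alert = parser.parse(line)
        if alert is None:
            skipped += 1               # not firewall log data (or the other format, when locked)
            continue
        batcher.add(format_alert(alert))
    batcher.flush()                    # end of a log file: mail whatever is left over
    return batches, skipped


# Constructed sample lines (RFC 5737 addresses); one ipchains line and one unrelated sshd line.
SAMPLE_LINES = [
    "Mar  1 12:00:01 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Mar  1 12:00:02 fw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.11:5353 198.51.100.5:53 L=60 S=0x00 I=0 F=0x0000 T=64 (#4)",
    "Mar  1 12:00:03 fw sshd[123]: Accepted publickey for alice from 192.0.2.12 port 50000 ssh2",
    "Mar  1 12:00:04 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.13 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1",
]

if __name__ == "__main__":
    # "- " reads stdin like "firelogd - < /var/log/messages"; otherwise run the samples.
    source = sys.stdin if "-" in sys.argv else SAMPLE_LINES
    for batch in process_lines(source, threshold=2, mixed="-m" in sys.argv)[0]:
        print("\n".join(batch), end="\n\n")
```

Run without arguments and the ipchains sample is skipped, because the first iptables line locked the parser; run with `-m` and it is parsed too, at the cost of testing both expressions on every line. A real daemon would never call the final `flush()` on its own: it keeps the FIFO open and only mails when the threshold is reached, which is why a quiet firewall can sit on a partial batch for a long time.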
PROGRAM OPTIONS

There are several recognized options to the program:

    -d    will cause it to become a daemon process with the default mailbuffer
          size (10) and the default email address (root)
    -b    will set the size of the mailbuffer, this implies -d
          example: "firelogd -b50" or "firelogd -b 4"
    -k    will kill a running firelogd
    -     will read from stdin and parse log data
          example: "cat /var/log/kernel | firelogd -"
    -l    specify the log file to parse or the FIFO to watch
          The default is /var/log/kernelpipe
    -m    "mixed" logs, tables and chains log data in one stream
    -s    disable the use of 'extended' port/service lookups and use the
          system services file (getservbyport)
    -t