New signature: unrelated traffic from iptables

Create issue
Issue #122 open
Rune Juhl Jacobsen created an issue

Hi,

I couldn’t find anything in the issue tracker or any notes in the source – hope that I haven’t missed anything.

I was wondering how you’d go about manually adding an IP to the list of offenders. In my case I have a log rule in the INPUT chain before a drop all rule in iptables, and I’d like to add the IPs that get logged to the list of offenders. It could be something as simple as tailing the log file, extracting IPs and calling something like sshguard --add-offender 1.2.3.4. Is this something that is possible with sshguard?

I imagine a better way to go about it would be to add an attack parser for iptables logs; is this correct?

Thanks in advance!
/Rune

Comments (9)

  1. Kevin Zheng

    You didn’t miss anything; currently, you can’t add offenders to a running SSHGuard. I was working on something that would let you do this, but there wasn’t a lot of interest before.

    Yes, if you want to scan iptables logs, you’d write an attack parser for iptables logs. What do they look like?

  2. Rune Juhl Jacobsen reporter

    My, you’re fast 🙂

    There’s support for a --log-prefix in iptables that will prepend a string to the logs. With --log-prefix='998_block_unrelated_traffic ' (note the trailing space) a log entry will look something like this for TCP traffic:

    Dec 03 18:57:32 some.host.example.org kernel: 998_block_unrelated_traffic IN=br0 OUT= PHYSIN=enp5s0f0 MAC=aa:bb:cc:dd:dc:12:00:10:db:ff:cc:dd:ee:ff SRC=1.2.3.4 DST=8.7.6.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=44949 DPT=3000 WINDOW=65535 RES=0x00 SYN URGP=0 
    

    I figure --log-prefix could be used to easily filter log entries that you’d want to be picked up by SSHGuard.

  3. Kevin Zheng

    It’s easy to find me during the day 🙂

    That looks pretty simple to add as a signature, especially with the ‘--log-prefix’. I wouldn’t enable this rule by default, but it would be something configurable, once we figure out how to do that (see #80, #105).

    It would be more straightforward to add it as a signature, than to add addresses to a running SSHGuard. If you’d like, I can help take a look at adding this rule for you in a little bit.

  4. Rune Juhl Jacobsen reporter

    Yes, I figured that adding a signature would be easier; though I imagine having the ability to add addresses ad hoc would open up for a lot of possibilities. At the very least it’d make it possible to easily add a new filter without having to be proficient in yacc 🙂

    I’d love to take a stab at adding a signature, so I think I’ll try to find some time for doing that, and I might just take you up on the offer to help.

  5. Kevin Zheng

    Until I get a chance to take a look, the files you’ll want to change are src/parser/attack_scanner.l and src/parser/attack_parser.y. You’ll add tokens for strings you want to match at the top of attack_parser.y, add regexp for those tokens in attack_scanner.l, and then hook into grammar rules for your attack (e.g. “TOKEN1 addr TOKEN2”) in the msg_single grammar rule in attack_parser.y.

  6. Rune Juhl Jacobsen reporter

    Thank you for the pointers – it’s been quite a while since I’ve toyed with lex and yacc, so it’s much appreciated. I don’t think I’ll be able to find some time for it in the coming weeks, not with Christmas and holidays coming up, but I’ll give it a try.

  7. Log in to comment