New signature: unrelated traffic from iptables

Issue #122 open
Rune Juhl Jacobsen created an issue

Hi,

I couldn’t find anything in the issue tracker or any notes in the source – hope that I haven’t missed anything.

I was wondering how you’d go about manually adding an IP to the list of offenders. In my case I have a log rule in the INPUT chain before a drop all rule in iptables, and I’d like to add the IPs that get logged to the list of offenders. It could be something as simple as tailing the log file, extracting IPs and calling something like sshguard --add-offender 1.2.3.4. Is this something that is possible with sshguard?

I imagine a better way to go about it would be to add an attack parser for iptables logs; is this correct?

Thanks in advance!
/Rune

Comments (9)

  1. Kevin Zheng

    You didn’t miss anything; currently, you can’t add offenders to a running SSHGuard. I was working on something that would let you do this, but there wasn’t a lot of interest before.

    Yes, if you want to scan iptables logs, you’d write an attack parser for iptables logs. What do they look like?

  2. Rune Juhl Jacobsen reporter

    My, you’re fast 🙂

    There’s support for a --log-prefix in iptables that will prepend a string to the logs. With --log-prefix='998_block_unrelated_traffic ' (note the trailing space) a log entry will look something like this for TCP traffic:

    Dec 03 18:57:32 some.host.example.org kernel: 998_block_unrelated_traffic IN=br0 OUT= PHYSIN=enp5s0f0 MAC=aa:bb:cc:dd:dc:12:00:10:db:ff:cc:dd:ee:ff SRC=1.2.3.4 DST=8.7.6.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=44949 DPT=3000 WINDOW=65535 RES=0x00 SYN URGP=0 

    I figure --log-prefix could be used to easily filter log entries that you’d want to be picked up by SSHGuard.

  3. Kevin Zheng

    It’s easy to find me during the day 🙂

    That looks pretty simple to add as a signature, especially with the ‘--log-prefix’. I wouldn’t enable this rule by default, but it would be something configurable, once we figure out how to do that (see #80, #105).

    It would be more straightforward to add it as a signature, than to add addresses to a running SSHGuard. If you’d like, I can help take a look at adding this rule for you in a little bit.

  4. Rune Juhl Jacobsen reporter

    Yes, I figured that adding a signature would be easier; though I imagine having the ability to add addresses ad hoc would open up a lot of possibilities. At the very least it’d make it possible to easily add a new filter without having to be proficient in yacc 🙂

    I’d love to take a stab at adding a signature, so I think I’ll try to find some time for doing that, and I might just take you up on the offer to help.

  5. Kevin Zheng

    Until I get a chance to take a look, the files you’ll want to change are src/parser/attack_scanner.l and src/parser/attack_parser.y. You’ll add tokens for strings you want to match at the top of attack_parser.y, add regexp for those tokens in attack_scanner.l, and then hook into grammar rules for your attack (e.g. “TOKEN1 addr TOKEN2”) in the msg_single grammar rule in attack_parser.y.
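Added example, not code from SSHGuard or from either participant: a stand-alone C stand-in for the scanner token and grammar rule Kevin outlines above, run over the --log-prefix'd iptables line Rune posted in comment 2. SSHGuard's real scanner is flex (src/parser/attack_scanner.l) and its parser is bison (src/parser/attack_parser.y); this hand-written version only shows which pieces of the line the new signature has to tokenise (the prefix, then the SRC= field) and what the "PREFIX addr" rule has to yield. The prefix string is assumed from the thread; the extra sample lines (an ip6tables line, a line with a different prefix, and one whose SRC= holds garbage) are constructed for the example.

```c
/* Added example (not SSHGuard's code): plain-C stand-in for the flex token
 * and bison rule a new iptables signature would need.  SSHGuard itself uses
 * src/parser/attack_scanner.l and src/parser/attack_parser.y for this. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Assumed --log-prefix, taken from the thread (trailing space included). */
#define IPTABLES_LOG_PREFIX "998_block_unrelated_traffic "

enum addrkind { ADDRKIND_NONE = 0, ADDRKIND_IPv4 = 4, ADDRKIND_IPv6 = 6 };

struct attack {
    char address[INET6_ADDRSTRLEN];  /* offender, as printed in the SRC= field */
    enum addrkind kind;
    unsigned dport;                  /* DPT= of the dropped packet, 0 if absent */
};

/* Scanner analogue: copy the value of " KEY=" (up to the next blank) into out.
 * The leading space in key keeps "SRC=" from matching inside another field. */
static int scan_field(const char *s, const char *key, char *out, size_t outlen)
{
    const char *p = strstr(s, key);
    if (p == NULL)
        return 0;
    p += strlen(key);
    size_t n = strcspn(p, " \t\r\n");
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Grammar analogue of the rule "IPTABLES_LOG_PREFIX addr": succeed only when
 * the line carries our prefix and SRC= holds a syntactically valid address.
 * Returns 1 and fills *a on a match, 0 when the line is not ours. */
int parse_iptables_line(const char *line, struct attack *a)
{
    unsigned char buf[16];
    char value[64];
    const char *msg = strstr(line, IPTABLES_LOG_PREFIX);

    memset(a, 0, sizeof *a);
    if (msg == NULL)
        return 0;                     /* no prefix: some other LOG rule, ignore */
    msg += strlen(IPTABLES_LOG_PREFIX);

    if (!scan_field(msg, " SRC=", value, sizeof value))
        return 0;
    if (inet_pton(AF_INET, value, buf) == 1)
        a->kind = ADDRKIND_IPv4;
    else if (inet_pton(AF_INET6, value, buf) == 1)
        a->kind = ADDRKIND_IPv6;
    else
        return 0;                     /* garbage in SRC=: never block what we can't parse */
    snprintf(a->address, sizeof a->address, "%s", value);

    if (scan_field(msg, " DPT=", value, sizeof value))
        a->dport = (unsigned)strtoul(value, NULL, 10);
    return 1;
}

/* Constructed sample lines: the first is the TCP line from the thread, the
 * second an ip6tables equivalent (addresses print expanded there), the rest
 * are lines the signature must ignore. */
const char *SAMPLE_TCP =
    "Dec 03 18:57:32 some.host.example.org kernel: 998_block_unrelated_traffic "
    "IN=br0 OUT= PHYSIN=enp5s0f0 MAC=aa:bb:cc:dd:dc:12:00:10:db:ff:cc:dd:ee:ff "
    "SRC=1.2.3.4 DST=8.7.6.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 "
    "PROTO=TCP SPT=44949 DPT=3000 WINDOW=65535 RES=0x00 SYN URGP=0";
const char *SAMPLE_V6 =
    "Dec 03 19:01:10 some.host.example.org kernel: 998_block_unrelated_traffic "
    "IN=br0 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0001 "
    "DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=60 PROTO=UDP SPT=5353 DPT=53";
const char *SAMPLE_OTHER_RULE =  /* different prefix: another LOG rule */
    "Dec 03 19:02:00 some.host.example.org kernel: accept_log IN=br0 OUT= "
    "SRC=10.0.0.7 DST=8.7.6.5 PROTO=ICMP";
const char *SAMPLE_BAD_SRC =     /* our prefix, but SRC= is not an address */
    "Dec 03 19:03:00 some.host.example.org kernel: 998_block_unrelated_traffic "
    "IN=br0 OUT= SRC=notanip DST=8.7.6.5";

int main(void)
{
    const char *lines[] = { SAMPLE_TCP, SAMPLE_V6, SAMPLE_OTHER_RULE, SAMPLE_BAD_SRC };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct attack a;
        if (parse_iptables_line(lines[i], &a))
            printf("offender %s (IPv%d), dropped packet to port %u\n",
                   a.address, a.kind, a.dport);
        else
            printf("ignored: not a matching iptables LOG line\n");
    }
    return 0;
}
```

Build with `cc -o iptables_sig iptables_sig.c && ./iptables_sig`. The two checks worth carrying into a real signature are the ones the prefix makes cheap: only lines with your own --log-prefix are considered at all, so a LOG rule elsewhere in the ruleset cannot feed SSHGuard, and an unparseable SRC= is rejected rather than turned into a block entry.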

  6. Rune Juhl Jacobsen reporter

    Thank you for the pointers – it’s been quite a while since I’ve toyed with lex and yacc, so it’s much appreciated. I don’t think I’ll be able to find some time for it in the coming weeks, not with Christmas and holidays coming up, but I’ll give it a try.
