Is there a way to log outbound connections to a specific port (80)? CentOS 4.6.
iptables?

Thanks,
Tony Schreiner
Boston College
On Tue, Feb 05, 2008 at 11:56:48AM -0500, Tony Schreiner wrote:
> Is there a way to log outbound connections to a specific port (80)? CentOS 4.6.
> iptables?

iptables -A OUTPUT -p tcp --dport 80 -j LOG --log-prefix "WWW "

You might want to tack --syn on there as well to only log the packet initiating the connection instead of packets for the whole stream.

Ray
On Feb 5, 2008, at 12:00 PM, Ray Van Dolson wrote:
> On Tue, Feb 05, 2008 at 11:56:48AM -0500, Tony Schreiner wrote:
> > Is there a way to log outbound connections to a specific port (80)? CentOS 4.6.
> > iptables?
>
> iptables -A OUTPUT -p tcp --dport 80 -j LOG --log-prefix "WWW "
>
> You might want to tack --syn on there as well to only log the packet initiating the connection instead of packets for the whole stream.
>
> Ray

Thanks for that.

Follow-up: can I associate anything in the log record with the process? I see the SPT, but the connection appears to be short and I can't find the port in netstat or lsof (not sure if those apply to source ports).

Tony
On Tuesday 05 February 2008 12:00, Ray Van Dolson wrote:
> iptables -A OUTPUT -p tcp --dport 80 -j LOG --log-prefix "WWW "

I was thinking more along these lines for a rule:

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j LOG --log-prefix "[WWW] : " --log-tcp-options --log-ip-options
Tony Schreiner wrote:
> Is there a way to log outbound connections to a specific port (80)? CentOS 4.6.

Assuming you want to log user web browsing traffic, configuring a Squid transparent proxy at your network border would be the best way. Its log files are quite similar to those of a web server, so you can use a wide range of log analysis tools.
On Feb 5, 2008, at 12:15 PM, John R Pierce wrote:
> Tony Schreiner wrote:
> > Is there a way to log outbound connections to a specific port (80)? CentOS 4.6.
>
> Assuming you want to log user web browsing traffic, configuring a Squid transparent proxy at your network border would be the best way. Its log files are quite similar to those of a web server, so you can use a wide range of log analysis tools.

To get more specific about what's going on: my network services have informed me that the machine is probing other systems at a high rate, an infection of some sort, and I'm trying to track down what's going on.

Tony
> To get more specific about what's going on: my network services have informed me that the machine is probing other systems at a high rate, an infection of some sort, and I'm trying to track down what's going on.

The LOG target lets you display the user id of the process, I believe, but not the PID. There might be some iptables extensions out there that would do what you're looking for. Don't know them off the top of my head, however.

Alternately, perhaps you could use SELinux for this? I know its audit logs would give you the level of detail you're looking for, but getting the policy written for it might be challenging.

Ray
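As an added example (not code from any of the posters), here is a shell snippet that summarises the kernel log lines the "[WWW] : " rule discussed above produces, giving the per-second rate, the number of distinct destinations and, where the kernel's LOG target supports --log-uid, which uid opened the connections. The log lines are constructed for the example, and the UID= field assumes --log-uid was added to the rule.

```shell
#!/bin/sh
# Constructed sample (not real traffic) of what the rule
#   iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j LOG --log-prefix "[WWW] : "
# writes to /var/log/messages via klogd. The UID= field is only present when the rule also
# carries --log-uid and the kernel's LOG target supports it (assumed here; "-" means absent).
SAMPLE_LOG='Feb  5 12:30:01 host kernel: [WWW] : IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=33021 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=48
Feb  5 12:30:01 host kernel: [WWW] : IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=33022 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=48
Feb  5 12:30:01 host kernel: [WWW] : IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=TCP SPT=33023 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=48
Feb  5 12:30:02 host kernel: [WWW] : IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1004 DF PROTO=TCP SPT=33024 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=500
Feb  5 12:31:15 host kernel: [WWW] : IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1005 DF PROTO=TCP SPT=33025 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  5 12:31:16 host kernel: some unrelated kernel message'

www_new_conns() {
    # stdin: syslog lines; stdout: "HH:MM:SS DST SPT UID" for each logged new connection
    awk '/\[WWW\] :/ {
        dst = ""; spt = ""; uid = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^UID=/) uid = substr($i, 5)
        }
        if (dst != "") print $3, dst, spt, uid
    }'
}

distinct_dst_count() {
    # number of different hosts contacted: many distinct hosts looks like scanning, not browsing
    www_new_conns | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

peak_conns_per_second() {
    # the most new connections logged within any single second
    www_new_conns | awk '{ n[$1]++ } END { m = 0; for (t in n) if (n[t] > m) m = n[t]; print m }'
}

conns_by_uid() {
    # "COUNT UID" lines, busiest first: the account whose processes to inspect with ps/lsof
    www_new_conns | awk '{ print $4 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | www_new_conns
```

On a live box feed it the real log instead, e.g. grep '\[WWW\] :' /var/log/messages | distinct_dst_count.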
Tony Schreiner wrote:
> > Assuming you want to log user web browsing traffic, configuring a Squid transparent proxy at your network border would be the best way. Its log files are quite similar to those of a web server, so you can use a wide range of log analysis tools.
>
> To get more specific about what's going on: my network services have informed me that the machine is probing other systems at a high rate, an infection of some sort, and I'm trying to track down what's going on.

Ah. tcpdump -i ethX tcp port 80

(and prepare for a flood of data).
On Tue, Feb 05, 2008 at 09:29:30AM -0800, John R Pierce wrote:
> Tony Schreiner wrote:
> > > Assuming you want to log user web browsing traffic, configuring a Squid transparent proxy at your network border would be the best way. Its log files are quite similar to those of a web server, so you can use a wide range of log analysis tools.
> >
> > To get more specific about what's going on: my network services have informed me that the machine is probing other systems at a high rate, an infection of some sort, and I'm trying to track down what's going on.
>
> Ah. tcpdump -i ethX tcp port 80
>
> (and prepare for a flood of data).

If you decide to use tcpdump at all, maybe just limit to SYN packets as well:

tcpdump -n -i ethX 'tcp port 80 and tcp[tcpflags] & tcp-syn != 0'

Ray
On Tue, Feb 05, 2008, Tony Schreiner wrote:
> On Feb 5, 2008, at 12:15 PM, John R Pierce wrote:
> > Tony Schreiner wrote:
> > > Is there a way to log outbound connections to a specific port (80)? CentOS 4.6.
> >
> > Assuming you want to log user web browsing traffic, configuring a Squid transparent proxy at your network border would be the best way. Its log files are quite similar to those of a web server, so you can use a wide range of log analysis tools.
>
> To get more specific about what's going on: my network services have informed me that the machine is probing other systems at a high rate, an infection of some sort, and I'm trying to track down what's going on.

In that case, you might want to use "lsof -i :80" to see processes using port 80. Once one has an interesting PID, then using "lsof -p PID" will show everything that process is using, including the full path to the executing program.
Bill
--
INTERNET: bill@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
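As an added example, not posted in the thread, this POSIX shell script does by hand what lsof does for the follow-up question: it reads /proc/net/tcp, picks the sockets whose remote port is 80 (or whose local port is a given SPT from a log record), and walks /proc/*/fd for the matching socket inode to name the PID. It assumes the 2.6-era /proc/net/tcp column layout; PROC_NET_TCP_SAMPLE is a snapshot constructed for the example, and PROC_NET_TCP is a hypothetical override for analysing a saved copy.

```shell
#!/bin/sh
# Constructed /proc/net/tcp snapshot (not from a real host): one ESTABLISHED (st 01) and one
# SYN_SENT (st 02) connection to remote port 80 owned by uid 48, plus a LISTEN socket on 22.
PROC_NET_TCP_SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:80FD 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000    48        0 123456 1 f7ca8000 200 40 20 2 -1
   1: 0500000A:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9876 1 f7ca8500 300 0 0 2 -1
   2: 0500000A:80FE 0B0200C0:0050 02 00000001:00000000 00:00000000 00000000    48        0 123457 1 f7ca8a00 100 0 0 1 -1'

hex_to_ip_port() {
    # "0A0200C0:0050" (little-endian hex, as in /proc/net/tcp) -> "192.0.2.10:80"
    addr=${1%%:*}; port=${1##*:}
    printf '%d.%d.%d.%d:%d\n' "0x$(echo "$addr" | cut -c7-8)" "0x$(echo "$addr" | cut -c5-6)" \
        "0x$(echo "$addr" | cut -c3-4)" "0x$(echo "$addr" | cut -c1-2)" "0x$port"
}

tcp_sockets() {
    # stdin: a /proc/net/tcp table; $1: "local" or "remote"; $2: port in decimal
    # prints "INODE UID LOCAL REMOTE" for each socket whose chosen side uses that port
    if [ "$1" = local ]; then col=2; else col=3; fi
    awk -v c="$col" -v p="$(printf '%04X' "$2")" \
        'NR > 1 && $c ~ (":" p "$") { print $10, $8, $2, $3 }'
}

pid_for_inode() {
    # walk /proc/*/fd for the symlink "socket:[INODE]"; prints "PID CMDLINE", fails if gone
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            pid=${fd#/proc/}; pid=${pid%%/*}
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
            return 0
        fi
    done
    return 1
}

find_port80_clients() {
    # map every socket currently talking to remote port 80 to its owning process
    tcp_sockets remote 80 < "${PROC_NET_TCP:-/proc/net/tcp}" | while read -r inode uid laddr raddr; do
        printf '%s -> %s uid=%s ' "$(hex_to_ip_port "$laddr")" "$(hex_to_ip_port "$raddr")" "$uid"
        pid_for_inode "$inode" || echo 'no open fd (socket already closed)'
    done
}

printf '%s\n' "$PROC_NET_TCP_SAMPLE" | tcp_sockets remote 80
```

Because the probes are short-lived, run find_port80_clients in a loop (while :; do find_port80_clients; sleep 1; done); a socket that has already closed shows "no open fd", which is exactly the situation described in the follow-up.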