log outbound port 80 connections

List overview All Threads
Download

newer

older

Netscape Directory Server 6?

Re: [CentOS] 32 bit applications...

Tony Schreiner

5 Feb 2008 5 Feb '08

4:56 p.m.

Is there a way to log outbound connections to a specific port (80)? CentOS 4.6.

iptables?

Thanks Tony Schreiner Boston College

Show replies by date

Ray Van Dolson

5 Feb 5 Feb

5 p.m.

On Tue, Feb 05, 2008 at 11:56:48AM -0500, Tony Schreiner wrote:

...

iptables -A OUTPUT -p tcp --dport 80 -j LOG --log-prefix "WWW "

You might want to tack --syn on there as well to only log the packet initiating the connection instead of packets for the whole stream.

Ray

Tony Schreiner

5:11 p.m.

On Feb 5, 2008, at 12:00 PM, Ray Van Dolson wrote:

...

Thanks for that.

Followup. Can I associate anything in the log record with the process. I see the SPT but, the connection appears to be short, I can't find the port in netstat or lsof (not sure if those apply to source ports).

Tony

Robert Spangler

10 p.m.

On Tuesday 05 February 2008 12:00, Ray Van Dolson wrote:

...

iptables -A OUTPUT -p tcp --dport 80 -j LOG --log-prefix "WWW "

I was thinking more along these lines for a rule:

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j LOG --log-prefix "[WWW] : " --log-tcp-options --log-ip-options

-- Regards Robert Smile... it increases your face value! Linux User #296285 http://counter.li.org

John R Pierce

5:15 p.m.

Tony Schreiner wrote:

...

Is there a way to log outbound connections to a specific port (80)? CentOS 4.6.

assuming you want to log user web browsing traffic, configuring a Squid transparent proxy at your network border would be the best way. its logfiles are quite similar to those of a webserver, so you can use a wide range of log analysis tools.

Tony Schreiner

5:19 p.m.

On Feb 5, 2008, at 12:15 PM, John R Pierce wrote:

...

To get more specific about what's going on. My network services have informed me that the machine is probing other systems at a high rate. An infection of some sort. And I'm trying to track down what's going on.

Tony

Ray Van Dolson

5:27 p.m.

...

The LOG target lets you display the user id of the process I believe, but not the PID. There might be some iptables extensions out there that would do what you're looking for. Don't know them off the top of my head however.

Alternately, perhaps you could use SELinux for this? I know its audit logs would give you the level of detail you're looking for, but getting the policy written for it might be challenging.

Ray

John R Pierce

5:29 p.m.

Tony Schreiner wrote:

...

ah. tcpdump -i ethX tcp port 80

(and prepare for a flood of data).

Ray Van Dolson

5:34 p.m.

On Tue, Feb 05, 2008 at 09:29:30AM -0800, John R Pierce wrote:

...

If you decide to use tcpdump at all, maybe just limit to SYN packets as well:

tcpdump -n -i ethX 'tcp port 80 and tcp[tcpflags] & tcp-syn != 0'

Ray

Bill Campbell

5:31 p.m.

On Tue, Feb 05, 2008, Tony Schreiner wrote:

...

In that case, you might want to use ``lsof -i :80'' to see processes using port 80. Once one has an interesting PID, then using ``lsof -p PID'' will show everything that process is using including the full path to the executing program.

Bill -- INTERNET: bill@celestial.com Bill Campbell; Celestial Software LLC URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676

The only logical reason to take guns away from responsible people is to give irresponsible people an edge in the perpetration of their crimes against us. -- The Idaho Observer, Vol. 1, No. 2 February 1997

6249

Age (days ago)

6249

Last active (days ago)

discuss@lists.centos.org

9 comments

5 participants

tags (0)

participants (5)

Bill Campbell
John R Pierce
Ray Van Dolson
Robert Spangler
Tony Schreiner