Thread: Emergency notification.

  1. #1
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901

    Emergency notification.

    Let us presume you (the admin) are not behind your desk, and your firewall is under attack. How would you find out if you're not there? I would like to present 2 solutions that might help you notice an attack or any negative remarks within your logfiles.

    The first possibility is to have your firewall email you the logs with the critical information.

    The easiest way is to write a small shell script that reads (grep) your /var/log/messages and looks for lines which include terms such as deny, drop, etc... You can use cron jobs to grep /var/log/messages regularly, which in case of a match will email you the log at once. This is only advisable if the attacker does not have a chance to capture that packet (the email), or if he manages to delete his tracks before. The example I am about to show you below is my actual setup for that script.

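    #!/bin/sh
    #
    # /usr/local/bin/alarm
    #
    # Timestamp for the archived copy (command substitution, not a literal string)
    TIMESTAMP=$(date +"%C%y%m%d%H%M")
    # -q: only test for a match, do not print the matching lines
    if grep -q DENY /var/log/messages
    then
        # Mail the matching lines
        grep DENY /var/log/messages | mail -s attackalarm instronics@esn.gr
        # Archive the log first, then empty it so the next run only sees new entries
        cp /var/log/messages "/var/log/messages.$TIMESTAMP"
        : > /var/log/messages
    fi
    #EOF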

    This script can be configured with cron to run every minute. The attacker then only has one minute between his first contact with the blocked port and the moment the alarm email is sent. The negative side of this email solution is that the email actually has to be read.

    Another solution is with the help of an application called yaps (yet another pager software). This application will send an SMS to your mobile phone or pager. After you have installed and configured yaps (see http://mitglied.lycos.de/HMGerhards/linux/en/how01.html for how to do this), create a little script so that "grep" will notify you that way. Example:

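    #!/bin/sh
    #
    # /usr/local/bin/alarm
    #
    # Timestamp for the archived copy (command substitution, not a literal string)
    TIMESTAMP=$(date +"%C%y%m%d%H%M")
    # -q: only test for a match, do not print the matching lines
    if grep -q DENY /var/log/messages
    then
        # Page the admin via yaps
        yaps 0933243455 attackalarm
        # Archive the log first, then empty it so the next run only sees new entries
        cp /var/log/messages "/var/log/messages.$TIMESTAMP"
        : > /var/log/messages
    fi
    #EOF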

    This will send you an SMS with the logfiles in question. In combination with the other script (email script) this can be a very helpful feature. This script can also be run every minute using cron jobs.

    Another way to ensure that the attacker does not "block" these scripts would be to have another computer connected via serial console, which takes over the logging process. That way the logging computer would not be reachable from the network.

    NOTE: I know that many of you hate the use of cron, this is only an example. You could use other means of executing the scripts regularly every minute. I hope this helps you.

    Good luck.

    Cheers.
    Ubuntu-: Means in African : "I'm too dumb to use Slackware"

  2. #2
    Senior Member
    Join Date
    Nov 2002
    Posts
    482
    this may very well go into the tut forum too.

    very interesting...might look into it
    - Trying is the first step towards failure. the moral is never try.
    - It's like something out of that twilighty show about that zone.
    ----Homer J Simpson----

  3. #3
    Member
    Join Date
    Jan 2003
    Posts
    36
    A very useful post I think. I agree with Trust_Not_123 that it should be moved to the tutorials.

    However I would avoid posting my email-address and - I'm not sure whether "yaps xxxxxxxxxxx attackalarm" contains your pager-no?! I don't use a pager. Unless you like to get spammed, you should be aware that this forum is not only being read by AO-Members.




    Just my 0.02 €

    Uhu

  4. #4
    Hmm cool stuff, I always wondered how to do that. Thanks for the post.
    To be God is to be Root, if someone is irking you just type: rm -d /home/heathen

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    While this is a potentially useful script, using it on firewall logs usually isn't all that helpful:
    your firewall either blocks or lets through packets; the ones it blocks and logs might be of malicious nature, but they are already blocked. This also leads to a "needle in the haystack" problem... As soon as you have relatively good bandwidth, you start getting flooded by malicious/or not packets that will be blocked. If you get paged or e-mailed for every blocked packet, you'll soon start ignoring the alerts... Granted, a high volume of alerts in a small timeframe might be a valid alert, but still...

    Moreover, the most dangerous packets are often/always the ones that are allowed through, for example, a packet destined for a web server, on port 80; the packet is let through, but it happened to have a buffer overflow exploiting payload... The firewall didn't block it so it didn't log it, and you still got hacked....

    I'd be more interested in running such a script on IDS logs, where the signal/noise ratio is better or where each log entry (when properly tuned) might require human attention as it is more of an ongoing thing (unlike a firewall where if the packet is blocked, well it's blocked.)

    On the other hand, I think such scripts might be put to better use if they're on the lookout for something like "segfault" (having a daemon segfault is a good indication of a buffer overflow attempt), where there's a strong chance that something is really going wrong...


    Not that it's a bad idea or bad script, just that by experience, getting alerted for each packet blocked at the firewall gets tiring very quickly and is usually not worth it.


    Ammo
    Credit travels up, blame travels down -- The Boss
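
The two refinements raised in post #5 (alert on a burst of DENY lines rather than on each one, and watch for "segfault"), as an added example that is not part of any post in this thread. The function names, the state-file path, the threshold and the sample log lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Function names, the state-file path and
# the sample log lines are assumptions made for illustration.

# new_lines LOG STATE: print what was appended to LOG since the previous call.
# STATE stores the byte offset already seen, so the log itself is never
# truncated. A line written between the size check and the read may be seen
# again on the next run.
new_lines() {
    _size=$(wc -c < "$1" | tr -d ' ')
    _last=0
    [ -f "$2" ] && _last=$(cat "$2")
    # A smaller file means the log was rotated or truncated: start over.
    [ "$_size" -lt "$_last" ] && _last=0
    tail -c "+$((_last + 1))" "$1"
    echo "$_size" > "$2"
}

# check_log LOG STATE THRESHOLD: return 0 and print a one-line summary when the
# new lines hold at least THRESHOLD DENY entries or any segfault; else return 1.
check_log() {
    _chunk=$(new_lines "$1" "$2")
    # grep -c exits non-zero on a zero count, hence "|| true" for set -e users.
    _denies=$(printf '%s\n' "$_chunk" | grep -c 'DENY' || true)
    _segv=$(printf '%s\n' "$_chunk" | grep -ci 'segfault' || true)
    if [ "$_denies" -ge "$3" ] || [ "$_segv" -gt 0 ]; then
        echo "attackalarm: $_denies DENY, $_segv segfault since last run"
        return 0
    fi
    return 1
}

# Constructed sample log (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
Jan 10 03:12:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4411 192.0.2.1:23
Jan 10 03:12:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4412 192.0.2.1:111
Jan 10 03:12:09 fw sshd[812]: Accepted password for admin from 192.0.2.44
Jan 10 03:12:15 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:53 192.0.2.1:137
EOF
}

# Cron usage, once a minute (paths and address are placeholders):
#   msg=$(check_log /var/log/messages /var/run/alarm.offset 20) &&
#       echo "$msg" | mail -s attackalarm admin@example.com
```

Because the offset lives in a state file, the log is left intact for later forensics, and a quiet minute produces no mail or page at all.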

  6. #6
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Indeed ammo, you're very right indeed with what you said. The basic idea was only to introduce the script itself. Like you said, it would indeed be also nice to introduce it to the IDS logs. It's not a problem at all. Same script, just a diff file to grep from. And I could agree that it's a way of spamming your own mobile or pager. LOL. It really also depends what you are looking for in the logfiles. These scripts can be used for many things, not only security logs.

    Uhu, don't worry. The mail and the mobile number are not the real ones. Although I said that it's my real settings (which it is), I did edit the number and the mail account.

    Are there any other ways of accomplishing any of this? Any more ideas of how to use these kinds of scripts? Share your thoughts here.

    Cheers.
    Ubuntu-: Means in African : "I'm too dumb to use Slackware"
