Difference between revisions of "Firewall Logs"
m (→Log format) |
m (→Log format) |
||
Line 3: | Line 3: | ||
The ASL firewall will log a lot of information about a firewall event. A typical log entry may look like this: | The ASL firewall will log a lot of information about a firewall event. A typical log entry may look like this: | ||
− | ''Mar 24 14:11:11 host kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=00:50:56:bd:76:78:00:a0:c8:26:33:94:08:00 SRC=1.2.3.4 DST=5.6.7.8 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12197 DF PROTO=TCP SPT=3619 DPT=110 SEQ=1917628740 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)'' | + | ''Mar 24 14:11:11 host kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=00:50:56:bd:76:78:00:a0:c8:26:33:94:08:00 SRC=1.2.3.4 DST=5.6.7.8 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12197 CE DF MF PROTO=TCP SPT=3619 DPT=110 SEQ=1917628740 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)'' |
Revision as of 14:26, 24 March 2014
Contents |
Log format
The ASL firewall will log a lot of information about a firewall event. A typical log entry may look like this:
Mar 24 14:11:11 host kernel: DROP_ASL_INPUT IN=eth0 OUT= MAC=00:50:56:bd:76:78:00:a0:c8:26:33:94:08:00 SRC=1.2.3.4 DST=5.6.7.8 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12197 CE DF MF PROTO=TCP SPT=3619 DPT=110 SEQ=1917628740 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Example Element | Explanation |
Mar 24 14:11:11 | Date/Time Stamp |
Host: | Hostname |
DROP_ASL_INPUT | Application |
IN=eth0 | Incoming Interface |
OUT= | Outgoing Interface |
MAC=00:50:56:bd:76:78:00:a0:c8:26:33:94:08:00 | MAC Address |
SRC=1.2.3.4 | Source IP |
DST=5.6.7.8 | Destination IP |
LEN=48 | Total length of IP packet in bytes |
TOS=0x00 | Type Of Service field. This is rarely used, and is replaced on most systems by DS and ECN. |
PREC=0x00 | The "Precedence" Type of Service field. This is rarely used, and is replaced on most systems by DS and ECN. |
TTL=115 | Remaining Time To Live in "hops" |
ID=12197 | Unique ID for this IP datagram. If this is a fragment, all fragments share the same ID. |
DF | Dont Fragment Flag (optional) |
PROTO=TCP | Protocol |
SPT=3619 | Source Port |
DPT=110 | Destination Port |
SEQ=1917628740 | Receive Sequence number |
ACK=0 | Same as the Receive Sequence number above, but for the other end of the TCP connection. Normally only seen on the reply packet. |
WINDOW=65535 | The TCP Receive Window size. |
RES=0x00 | Reserved bits. This field is used, optionally, for things like ECNE and CWR. |
SYN URGP=0 | Packet Flags. |
OPT (020405B401010402) | TCP Options (optional) |
Auditing rules
These rules do not block anything, they just log allowed traffic or special events.
Whitelists
ASL_WHITELIST
This logs when an IP on the firewall whitelist has been allowed to connect to the system. It does not block or shun anything.
Port Knocking
Advanced Port Knock System
ASL_KNOCK
This logs when a potential knock packet comes in when using the advanced portknocking system. It does not block or shun anything.
ASL_KNOCK_IN
This logs the IP of the source of a client when its connects to a portknock protected port. It does not block or shun anything.
Simple Port Knock System
ASL_SKNOCK
This logs when a potential knock packet comes in when using the simply portknocking system. It does not block or shun anything.
ASL_SKNOCK_IN
This logs the IP of the source of a client when its connects to a portknock protected port. It does not block or shun anything.
Blocking/Dropping rules
Automatic Blocks
ASL_AR_DROP
ASL has blocked packets from an IP that was automatically shunned by ASL.ASL_AUTOSHUN_BLOCK
User Defined Blocks
DROP_ASL_TORTIX
And IP address has been blocked from connecting the ASL web console based on the IP addresses you have configured to allow access. ASL does not block any IPs by default to the ASL web console.
ASL_SMTP_OUT
ASL has blocked a user that you have not authorized from sending SMTP traffic outbound. ASL does not block any users from sending SMTP traffic outbound by default.
ASL_BLACKLIST_BLOCK
ASL has blocked traffic from an IP that you placed on the ASL blacklist. This blacklist is manually created by the user, and ASL will not add IPs to this blacklist. The blacklist is empty by default.
ASL_GEO_BLOCK
ASL has blocked traffic from a country that you have configured ASL to block via ASLs geoblocking. This is manually configured by the user, and ASL will not automatically add countries to the geoblocking lists. No countries are blocked by default.
DROP_ASL_U_RATE
The Ratelimit you configured for this UDP port has been exceeded. ASL does not set any rate limits by default.
DROP_ASL_T_RATE
The Ratelimit you configured for this TCP port has been exceeded. ASL does not set any rate limits by default.
DROP_ASL_INPUT
ASL has dropped an inbound packet because you have configured it to do this. ASL does not block connections to any ports by default.
ASL_OUTPUT
ASL has dropped a packet because you have configured it to do this. ASL does not block outbound connections to any ports by default.
RBLS
ASL_TOR_BLOCK
ASL has blocked an IP that is a TOR exit node because you have configured ASL to block tor exit nodes. ASL does not block this by default.
ASL_AUTOSHUN_BLOCK
ASL has blocked an IP that is on the autoshun RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.
ASL_CIARMY_BLOCK
ASL has blocked an IP that is on the ciarmy RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.
ASL_DSHIELD_BLOCK
ASL has blocked an IP that is on the dshield RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.
ASL_ELASSO_BLOCK
ASL has blocked an IP that is on the spamhaus elasso RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.
ASL_LASSO_BLOCK
ASL has blocked an IP that is on the spamhaus lasso RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.
ASL_EMERGING_THREATS_BLOCK
ASL has blocked an IP that is on the emerging threats RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.
ASL_OPENBL_BLOCK
ASL has blocked an IP that is on the openbl RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.
ASL_OPENPROXIES_BLOCK
ASL has blocked an IP that is on the openproxies RBL list because you have configured ASL to block IPs from this RBL. ASL does not block this by default.
Bad Packets
ASL_FRAGMENT
ASL has blocked a fragmented packet. ASL, when configured properly, has a stateful firewall that will assemble fragmented packets. If this rule is triggered this means someone has either disabled stateful inspection for user defined rules, or the system is not using the ASL kernel and a third party kernel does not support stateful firewalls.
DROP_ASL_TOOSMALL
ASL has blocked a packet that is too small to be valid.
ASL_INVALID_INPUT
ASL had dropped an incoming invalid packet.
ASL_INVALID_FWD
ASL had dropped an invalid packet in the FORWARD chain.
ASL_INVALID_OUTPUT
ASL had dropped an outgoing invalid packet.
Port scans
DROP_ASL_ADVSCAN
ASL has detected and blocked a portscan using the advanced portscan detector in ASL.
DROP_ASL_PORTSCAN
ASL has detected and blocked a portscan.
DROP_ASL_GSCAN
ASL has detected a potential banner grab portscan.
DROP_ASL_CNSCAN
ASL has detected and blocked a connect() portscan.
DROP_ASL_SSCAN
ASL has detected and blocked a potential SYN portscan.
DROP_ASL_STSCAN
ASL has detected and blocked a stealth portscan.
DROP_ASL_MSS
ASL has detected a packet that is too small to be valid.