Ulogd


Závislosti

Nainstalujeme:

# Debian build dependencies: bzip2 for the netfilter tarballs, the -dev
# packages for ulogd's NFLOG/NFCT/MySQL/PCAP plugins, and the autotools
# needed to regenerate the build system after patching filter/Makefile.am.
apt-get install \
    bzip2 \
    libnfnetlink-dev \
    libmysqlclient-dev \
    libpcap-dev \
    conntrack \
    automake \
    libtool \
    autoconf

Zavedeme moduly do jádra:

# Load the connection-tracking modules the NFCT input plugin depends on;
# nf_conntrack_netlink is the kernel side of the netlink socket ulogd reads.
for module in nf_conntrack nf_conntrack_ipv4 nf_conntrack_netlink; do
    modprobe "$module"
done

Postupně ručně nainstalujeme další knihovny z projektu netfilter:

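# Build and install one netfilter userspace library from its release tarball.
# Usage: install_netfilter_lib <project> <version>
# Downloads into /tmp, unpacks, configures with the default prefix
# (/usr/local) and installs. Every step is chained with && so a failed
# download or cd aborts the sequence instead of letting ./configure, make
# and make install run in the wrong directory. The tarball is fetched over
# HTTPS; netfilter.org also publishes detached signatures (<tarball>.sig)
# that can be checked before installing as root.
install_netfilter_lib() {
    local project="$1" version="$2"
    local tarball="${project}-${version}.tar.bz2"
    cd /tmp/ &&
    wget "https://www.netfilter.org/projects/${project}/files/${tarball}" &&
    tar xjvf "$tarball" &&
    cd "${project}-${version}/" &&
    ./configure &&
    make &&
    make install &&
    # refresh the dynamic linker cache so the libraries just placed in
    # /usr/local/lib resolve for the next build step and for ulogd at runtime
    ldconfig
}

# libmnl first: the libnetfilter_* libraries build on top of it.
install_netfilter_lib libmnl 1.0.3
install_netfilter_lib libnetfilter_acct 1.0.0
install_netfilter_lib libnetfilter_conntrack 1.0.1
install_netfilter_lib libnetfilter_log 1.0.1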

Instalace

Stáhneme a rozbalíme:

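# Fetch and unpack the ulogd 2.0.0 release over HTTPS; the && chain aborts
# on a failed download so the patching step below never runs against a
# missing source tree.
cd /tmp/ &&
wget https://www.netfilter.org/projects/ulogd/files/ulogd-2.0.0.tar.bz2 &&
tar jxvf ulogd-2.0.0.tar.bz2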

Tomáš Dulík napsal modul pro filtrování spojení podle minimálního množství přenesených dat. Jeho instalace:

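# Add Tomáš Dulík's BYTES filter to the ulogd source tree and regenerate the
# autotools build system so it is compiled with the rest of ulogd.
# Both files are fetched from the wiki over plain HTTP and end up compiled
# into a daemon that runs as root: read the .c file and the Makefile.am
# patch before building. Steps are chained with && because each one only
# makes sense if the previous succeeded (patching a missing file, deleting
# Makefile.in without a patched Makefile.am, ...).
cd /tmp/ulogd-2.0.0/filter/ &&
wget http://wiki.slavicin.unart.cz/images/1/17/ulogd_filter_BYTES.c &&
wget http://wiki.slavicin.unart.cz/images/1/17/ulogd_filter_makefile_am_dulik.patch -O /tmp/ulogd_filter_makefile_am_dulik.patch &&
patch -p0 Makefile.am /tmp/ulogd_filter_makefile_am_dulik.patch &&
rm Makefile.in &&
cd ../ &&
# autoreconf alone re-runs the four tools before it; the explicit chain is
# kept as the page had it.
autoheader && aclocal && automake && autoconf && autoreconf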

Nyní by již mělo stačit:

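# Configure, build and install ulogd with the default prefix /usr/local,
# which is where the [global] section below loads the plugins from.
# Chained so a failed configure or build is never partially installed.
./configure && make && make install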

Konfigurace

# Example configuration for ulogd
# $Id$
# Adapted to Debian by Achilleas Kotsis <achille@debian.gr>

[global]
######################################################################
# GLOBAL OPTIONS
######################################################################


# logfile for status messages
# Diagnostics only; flow records go to the MySQL output named in the stack
# below, not to this file.
logfile="/var/log/ulogd.log"

# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8)
# 1 is the most verbose level; raise it (e.g. 3 or 5) once the setup works.
loglevel=1

######################################################################
# PLUGIN OPTIONS
######################################################################

# We have to configure and load all the plugins we want to use

# general rules:
# 1. load the plugins _first_ from the global section
# 2. options for each plugin in separate section below

# plugin is a repeatable key; the paths match the default /usr/local prefix
# used by the make install steps above.
# NOTE(review): only NFCT, BYTES and MYSQL are used by the single active
# stack below. The other loaded plugins serve the commented-out example
# stacks further down and can be disabled here if those are never enabled.

plugin="/usr/local/lib/ulogd/ulogd_inppkt_NFLOG.so"
#plugin="/usr/local/lib/ulogd/ulogd_inppkt_ULOG.so"
#plugin="/usr/local/lib/ulogd/ulogd_inppkt_UNIXSOCK.so"
plugin="/usr/local/lib/ulogd/ulogd_inpflow_NFCT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IFINDEX.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2STR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_IP2BIN.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTPKT.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_HWHDR.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_PRINTFLOW.so"
plugin="/usr/local/lib/ulogd/ulogd_filter_MARK.so"
plugin="/usr/local/lib/ulogd/ulogd_output_LOGEMU.so"
plugin="/usr/local/lib/ulogd/ulogd_output_SYSLOG.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_XML.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_SQLITE3.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_OPRINT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_NACCT.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PCAP.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_PGSQL.so"
plugin="/usr/local/lib/ulogd/ulogd_output_MYSQL.so"
#plugin="/usr/local/lib/ulogd/ulogd_output_DBI.so"
plugin="/usr/local/lib/ulogd/ulogd_raw2packet_BASE.so"
# custom filter from this wiki page (ulogd_filter_BYTES.c), built in the
# installation step above
plugin="/usr/local/lib/ulogd/ulogd_filter_BYTES.so"

# The only active stack: conntrack flow input -> BYTES size filter -> MySQL.
# The instance names ct_destroy, filter_bytes and mysql_ct refer to the
# sections that follow.
stack=ct_destroy:NFCT,filter_bytes:BYTES,mysql_ct:MYSQL

[filter_bytes]
# Options for the custom BYTES filter (ulogd_filter_BYTES.c).
# Per the author's note (translated from Czech): this drops every connection
# whose download is < reply_bytes and whose upload is < orig_bytes, i.e. only
# flows that moved at least one of these amounts reach the MySQL output.
# thresholds in bytes
orig_bytes=2000
reply_bytes=2000

[ct_destroy]
# NFCT (conntrack) input instance used by the active stack.
# hash_enable=1: NFCT keeps a local connection table; the disabled [ct2]
# example further down shows the variant without it (hash_enable=0).
hash_enable=1
#we want to log the whole communication from the first packet, therefore we need
#the events "CREATE" and "DESTROY"
# bitmask of conntrack events to subscribe to:
# 5 = NF_NETLINK_CONNTRACK_NEW (1) | NF_NETLINK_CONNTRACK_DESTROY (4)
event_mask=5

# Disabled alternative to the BYTES filter: have iptables connmark flows
# that exceed 1000 bytes and filter on that mark with the MARK plugin.
#[mark_big_destroyed]
#choose another value if you use the connmark bit 0x100 for something else!
#mark = 0x100
#mask = 0x100
# iptables -t mangle -I POSTROUTING 1 -m connbytes --connbytes 1000: --connbytes-dir both --connbytes-mode bytes -j CONNMARK --or-mark 0x100

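[mysql_ct]
# MySQL output instance for the active stack: flow records are written to
# table ulog2_ct of the freenetis database through the INSERT_CT procedure.
db="freenetis"
# database reached over loopback only
host="127.0.0.1"
# dedicated logger account; grant it only what INSERT_CT needs on freenetis
# (EXECUTE on the procedure and whatever the procedure itself requires on
# ulog2_ct), nothing else.
user="ulogd"
table="ulog2_ct"
# The page originally carried a real password here. Set the actual value on
# the host only and keep this file root-owned, mode 0600, since the
# credential is stored in clear text and ulogd reads it as root.
pass="<ULOGD_DB_PASSWORD>"
procedure="INSERT_CT"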

  1. this is a stack for logging packet send by system via LOGEMU
  2. stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
  1. this is a stack for packet-based logging via LOGEMU
  2. stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
  1. this is a stack for ULOG packet-based logging via LOGEMU
  2. stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
  1. this is a stack for packet-based logging via LOGEMU with filtering on MARK
  2. stack=log2:NFLOG,mark1:MARK,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
  1. this is a stack for flow-based logging via LOGEMU
  2. stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
  1. this is a stack for flow-based logging via OPRINT
  2. stack=ct1:NFCT,op1:OPRINT
  1. this is a stack for NFLOG packet-based logging to PCAP
  2. stack=log2:NFLOG,base1:BASE,pcap1:PCAP
  1. this is a stack for logging packet to MySQL
  2. stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL
  1. this is a stack for logging packet to PGsql after a collect via NFLOG
  2. stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,pgsql1:PGSQL
  1. this is a stack for logging packets to syslog after a collect via NFLOG
  2. stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
  1. this is a stack for flow-based logging to MySQL
  2. stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL
  1. this is a stack for flow-based logging to PGSQL
  2. stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL
  1. this is a stack for flow-based logging to PGSQL without local hash
  2. stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL


  1. this is a stack for flow-based logging in NACCT compatible format
  2. stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT
  1. [ct1]
  2. netlink_socket_buffer_size=217088
  3. netlink_socket_buffer_maxsize=1085440
  1. [ct2]
  2. netlink_socket_buffer_size=217088
  3. netlink_socket_buffer_maxsize=1085440
  4. hash_enable=0
  1. Logging of system packet through NFLOG
  2. [log1]
  3. netlink multicast group (the same as the iptables --nflog-group param)
  4. Group O is used by the kernel to log connection tracking invalid message

group=0

  1. netlink_socket_buffer_size=217088
  2. netlink_socket_buffer_maxsize=1085440
  3. set number of packet to queue inside kernel
  4. netlink_qthreshold=1
  5. set the delay before flushing packet in the queue inside kernel (in ms)
  6. netlink_qtimeout=1000
  1. packet logging through NFLOG for group 1
  2. [log2]
  3. netlink multicast group (the same as the iptables --nflog-group param)

group=1 # Group has to be different from the one use in log1

  1. netlink_socket_buffer_size=217088
  2. netlink_socket_buffer_maxsize=1085440
  3. If your kernel is older than 2.6.29 and if a NFLOG input plugin with
  4. group 0 is not used by any stack, you need to have at least one NFLOG
  5. input plugin with bind set to 1. If you don't do that you may not
  6. receive any message from the kernel.
  7. bind=1
  1. packet logging through NFLOG for group 2, numeric_label is
  2. set to 1
  3. [log3]
  4. netlink multicast group (the same as the iptables --nflog-group param)
  5. group=2 # Group has to be different from the one use in log1/log2
  6. numeric_label=1 # you can label the log info based on the packet verdict
  7. netlink_socket_buffer_size=217088
  8. netlink_socket_buffer_maxsize=1085440
  9. bind=1
  1. [ulog1]
  2. netlink multicast group (the same as the iptables --ulog-nlgroup param)
  3. nlgroup=1
  4. numeric_label=0 # optional argument
  1. [emu1]
  2. file="/var/log/ulogd_syslogemu.log"
  3. sync=1
  1. [op1]
  2. file="/var/log/ulogd_oprint.log"
  3. sync=1
#[pcap1]
#sync=1

#[mysql1]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog"
#pass="changeme"
#procedure="INSERT_PACKET_FULL"

#[mysql2]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog"
#pass="changeme"
#procedure="INSERT_CT"

#[pgsql1]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog"
#pass="changeme"
#procedure="INSERT_PACKET_FULL"

#[pgsql2]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog2_ct"
#pass="changeme"
#procedure="INSERT_CT"

#[pgsql3]
#db="nulog"
#host="localhost"
#user="nupik"
#table="ulog2_ct"
#pass="changeme"
#procedure="INSERT_OR_REPLACE_CT"

#[dbi1]
#db="ulog2"
#dbtype="pgsql"
#host="localhost"
#user="ulog2"
#table="ulog"
#pass="ulog2"
#procedure="INSERT_PACKET_FULL"

#[sys2]
#facility=LOG_LOCAL2

#[nacct1]
#sync = 1

#[mark1]
#mark = 1