public inbox for systemtap@sourceware.org
* monitor changes to iptables
From: Daniel Doron @ 2017-10-10 14:49 UTC (permalink / raw)
  To: systemtap

Hi,

I am trying to figure out a way to monitor and log changes to iptables
(netfilter). Any ideas would be appreciated...

Thanks.
Daniel.


* Re: monitor changes to iptables
From: William Cohen @ 2017-10-10 20:17 UTC (permalink / raw)
  To: Daniel Doron, systemtap

Hi Daniel,

Would you need to use systemtap for this or would using auditctl as mentioned in the following be sufficient?

https://unix.stackexchange.com/questions/206891/audit-on-changes-to-the-running-iptables-configuration


-Will


* Re: monitor changes to iptables
From: Daniel Doron @ 2017-10-11  4:47 UTC (permalink / raw)
  To: William Cohen; +Cc: systemtap

Hi William,
Thanks for the suggestion. Correct me if I am wrong, but:
1. auditctl does not provide a real-time / online logging facility
2. I would have to parse its logs to get the info I want
3. Does it also use kprobes to get the info? I'll need to strace it to
see how it works...

I was thinking maybe to monitor the ip_tables module directly, but I will
need to figure out the relevant functions...


* Re: monitor changes to iptables
From: William Cohen @ 2017-10-11 14:45 UTC (permalink / raw)
  To: Daniel Doron; +Cc: systemtap

Hi Daniel,

The auditctl suggestion was a quick, off-the-top-of-the-head thought about some place that would have that information.  There is a timestamp in the audit log information, so if one knows when the problem occurs it should be possible to identify the events in the audit log happening around that time.

It would be useful to describe the problem that is being investigated.  That background would give some context to steer the discussion towards approaches that would best solve the problem.

-Will

* Re: monitor changes to iptables
From: Daniel Doron @ 2017-10-13 15:16 UTC (permalink / raw)
  To: William Cohen; +Cc: systemtap

Hi William,

I am building an EDR Agent (Endpoint Detection and Response) whose
role is to gather various information about the activities of different
processes and be able to detect abnormal activity. One of the required
sensors is a detector for iptables changes. An example of a threat
using iptables rules is malware which has gained access to the system
and leaks information via a port knocking method. Just one example...
My goal is to gather information using SystemTap from inside the
kernel to avoid as much as possible being detected or thwarted.
I hope this clarifies the goal.

-Daniel


* Re: monitor changes to iptables
From: Arkady @ 2017-10-13 15:28 UTC (permalink / raw)
  To: Daniel Doron; +Cc: William Cohen, systemtap

You are looking for preferably exported hooks in
http://elixir.free-electrons.com/linux/v2.6.33/source/net/netfilter
Specifically you can start looking around
http://elixir.free-electrons.com/linux/latest/source/net/netlink/af_netlink.c#L1861
- this is the point where a netlink configuration packet hits the
netfilter API.


* Re: monitor changes to iptables
From: Arkady @ 2017-10-13 15:31 UTC (permalink / raw)
  To: Daniel Doron; +Cc: William Cohen, systemtap

Sorry, this is a better link
http://elixir.free-electrons.com/linux/latest/source/net/netfilter/nfnetlink.c#L151


* Re: monitor changes to iptables
From: Arkady @ 2017-10-13 15:37 UTC (permalink / raw)
  To: Daniel Doron; +Cc: William Cohen, systemtap

Grepping for EXPORT_SYMBOL in the netfilter folder returns a couple of
promising leads. For example
http://elixir.free-electrons.com/linux/latest/source/net/ipv4/netfilter/ip_tables.c#L1754


* Re: monitor changes to iptables
From: Daniel Doron @ 2017-10-15  8:57 UTC (permalink / raw)
  To: Arkady; +Cc: William Cohen, systemtap

Hi Arkady,
As always, thank you for the input. I think I will aim directly at the
ip_tables module and probe the relevant functions there.

-Daniel


* Re: monitor changes to iptables
From: Frank Ch. Eigler @ 2017-10-15 22:17 UTC (permalink / raw)
  To: Daniel Doron; +Cc: Arkady, William Cohen, systemtap

Daniel Doron <danielmeirdoron@gmail.com> writes:

> As always, thank you for the input. I think I will aim directly at the
> ip_tables module and probe the relevant functions there.

See also the netfilter.* probes in systemtap, which expose the suite
of netfilter packet send/receive/forward hooks.

- FChE
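The approach Daniel settles on above, catching the change where the kernel receives it rather than watching the iptables binary, worked out as an added SystemTap script. This is an example written for this page, not code from the thread or from the SystemTap project. It assumes the stock syscall tapset (which supplies level, optname, optval_uaddr, optlen and retstr), the uapi constants quoted in the comments, and an arbitrary file name; check what your tapset exposes with `stap -L 'syscall.setsockopt'` before relying on the variable names.

```systemtap
#!/usr/bin/stap
# Added example (not from the thread): log every attempt to replace an
# iptables, ip6tables, arptables or ebtables ruleset, with the process
# that made it and whether the kernel accepted it.
#
# Background: the legacy *tables tools do not use netlink. They fetch the
# current table, edit it in userspace and push the whole new table back
# with a single setsockopt() on an AF_INET/AF_INET6 socket, which
# net/ipv4/netfilter/ip_tables.c handles in do_ipt_set_ctl() -> do_replace().
# Hooking the syscall entry therefore sees every change, whichever binary
# issued it (iptables, iptables-restore, or something unexpected).
#
# Assumption: the syscall tapset provides level, optname, optval_uaddr,
# optlen (entry) and retstr (return). Verify with: stap -L 'syscall.setsockopt*'

global watched   # [level, optname] -> table family being replaced
global pending   # tid -> description captured at entry, reported at return

probe begin
{
  # SOL_IP = 0, SOL_IPV6 = 41. Each *_SO_SET_REPLACE is *_BASE_CTL + 0:
  # IPT_BASE_CTL 64, IP6T_BASE_CTL 64, ARPT_BASE_CTL 96, EBT_BASE_CTL 128
  # (EBT_SO_SET_ENTRIES). arptables and ebtables use SOL_IP sockets too.
  watched[0, 64]  = "iptables"
  watched[41, 64] = "ip6tables"
  watched[0, 96]  = "arptables"
  watched[0, 128] = "ebtables"
  printf("watching for *tables ruleset replacement, Ctrl-C to stop\n")
}

probe syscall.setsockopt
{
  if ([level, optname] in watched) {
    # struct ipt_replace, ip6t_replace, arpt_replace and ebt_replace all
    # begin with char name[32] (XT_TABLE_MAXNAMELEN / EBT_TABLE_MAXNAMELEN),
    # so the target table name can be read straight from the user buffer.
    table = user_string_n(optval_uaddr, 32)
    pending[tid()] = sprintf("%s table=%s bytes=%d pid=%d ppid=%d uid=%d comm=%s",
                             watched[level, optname], table, optlen,
                             pid(), ppid(), uid(), execname())
  }
}

probe syscall.setsockopt.return
{
  # Pair the return with the entry so the outcome is logged: 0 means the
  # new ruleset is live, -EPERM an unprivileged attempt (do_ipt_set_ctl
  # requires CAP_NET_ADMIN), -EINVAL/-ENOMEM a malformed or oversized table.
  # Failed attempts are worth keeping for an EDR sensor, not just successes.
  if (tid() in pending) {
    printf("%s %s result=%s\n", ctime(gettimeofday_s()), pending[tid()], retstr)
    delete pending[tid()]
  }
}
```

Run it as root (for example `stap -v watch-xtables.stp`) and issue an `iptables -A INPUT -p tcp --dport 2222 -j DROP` from another shell; one line appears per replacement, with result=0 for a change that is now live. Two caveats matter for a deployment. The legacy tools replace the whole table on every edit, so the script reports that a table changed and who changed it, not which rule; recovering the rule means diffing against the previous dump. And nftables, including the iptables-nft front end, does not use setsockopt at all but sends transactions over NETLINK_NETFILTER through net/netfilter/nfnetlink.c, the file Arkady linked, so that path needs its own probe. The netfilter.* probes Frank mentions sit on the packet path rather than the configuration path; they are the tool for the other half of the problem, seeing what traffic the changed rules let through.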

