This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: monitor changes to iptables


Hi Arkady,
As always, thank you for the input. I think I will aim directly at the
ip_tables module and probe the relevant functions there.

-Daniel

On Fri, Oct 13, 2017 at 6:37 PM, Arkady <arkady.miasnikov@gmail.com> wrote:
> Grep for EXPORT_SYMBOL in the netfilter folder returns a couple of
> promising leads. For example
> http://elixir.free-electrons.com/linux/latest/source/net/ipv4/netfilter/ip_tables.c#L1754
>
> On Fri, Oct 13, 2017 at 6:31 PM, Arkady <arkady.miasnikov@gmail.com> wrote:
>> Sorry, this is a better link
>> http://elixir.free-electrons.com/linux/latest/source/net/netfilter/nfnetlink.c#L151
>>
>> On Fri, Oct 13, 2017 at 6:28 PM, Arkady <arkady.miasnikov@gmail.com> wrote:
>>> You are looking for preferably exported hooks in
>>> http://elixir.free-electrons.com/linux/v2.6.33/source/net/netfilter
>>> Specifically you can start looking around
>>> http://elixir.free-electrons.com/linux/latest/source/net/netlink/af_netlink.c#L1861
>>>  - this is the point where a netlink configuration packet hits the
>>> netfilter API.
>>>
>>> On Fri, Oct 13, 2017 at 6:16 PM, Daniel Doron <danielmeirdoron@gmail.com> wrote:
>>>> Hi William,
>>>>
>>>> I am building an EDR Agent (Endpoint detection and response) whose
>>>> role is to gather various information about activities of different
>>>> processes and to be able to detect abnormal activity. One of the required
>>>> sensors is a detector for iptable changes. An example of a threat
>>>> using iptable rules is a malware which has gained access to the system
>>>> and leaks information via a port knocking method. Just one example...
>>>> My goal is to gather information using SystemTap from inside the
>>>> Kernel to avoid as much as possible being detected or thwarted.
>>>> I hope this clarifies the goal.
>>>>
>>>> -Daniel
>>>>
>>>>
>>>> On Wed, Oct 11, 2017 at 5:45 PM, William Cohen <wcohen@redhat.com> wrote:
>>>>> On 10/11/2017 12:47 AM, Daniel Doron wrote:
>>>>>> Hi William,
>>>>>> Thanks for the suggestion. Correct me if I am wrong but:
>>>>>> 1. auditctl does not provide real time / online logging facility
>>>>>> 2. I would have to parse its logs to the get the info I want
>>>>>> 3. Does it also use kprobes to get the info? I'll need to strace it to
>>>>>> see how it works...
>>>>>>
>>>>>> I was thinking maybe monitor the ip_tables module directly, but I will
>>>>>> need to figure out the relevant functions...
>>>>>
>>>>> Hi Daniel,
>>>>>
>>>>> The auditctl suggestion was a quick off the top of the head thought about some place that would have that information.  There is a timestamp in the audit log information, so if one knows when the problem occurs it should be possible to identify the events in the audit log happening around that time.
>>>>>
>>>>> It would be useful to describe the problem that is being investigated.  That background would give some context to steer the discussion towards approaches that would best solve the problem.
>>>>>
>>>>> -Will
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tue, Oct 10, 2017 at 11:17 PM, William Cohen <wcohen@redhat.com> wrote:
>>>>>>> On 10/10/2017 10:49 AM, Daniel Doron wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I am trying to figure out a way to monitor and log changes to iptables
>>>>>>>> (netfilter). Any ideas would be appreciated...
>>>>>>>>
>>>>>>>> Thanks.
>>>>>>>> Daniel.
>>>>>>>>
>>>>>>>
>>>>>>> Hi Daniel,
>>>>>>>
>>>>>>> Would you need to use systemtap for this or would using auditctl as mentioned in the following be sufficient?
>>>>>>>
>>>>>>> https://unix.stackexchange.com/questions/206891/audit-on-changes-to-the-running-iptables-configuration
>>>>>>>
>>>>>>>
>>>>>>> -Will
>>>>>
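As an added illustration of the approach Daniel settles on above (probing the ip_tables module from SystemTap rather than parsing audit logs), here is a small script that is not part of the thread. It assumes ip_tables is loaded as a module with debuginfo available, that the exported symbols ipt_register_table and ipt_unregister_table exist in the running kernel (they do on kernels of the 2017 era; newer kernels renamed the unregister path), and that the uapi constants IPT_SO_SET_REPLACE (64) and IPT_SO_SET_ADD_COUNTERS (65) on level SOL_IP (0) are unchanged.

```systemtap
#! /usr/bin/env stap
# Added example, not from the thread. Logs iptables configuration changes
# from inside the kernel, with two independent probe points.
#
# Assumptions: ip_tables is a loaded module with debuginfo; the exported
# symbols ipt_register_table / ipt_unregister_table exist; IPT_SO_SET_REPLACE
# == 64 and IPT_SO_SET_ADD_COUNTERS == 65 at level SOL_IP == 0.

# Path 1: table lifecycle. These exported functions fire when a whole table
# (filter, nat, mangle, ...) is created or torn down, e.g. on module load,
# network-namespace creation, or unload. They do NOT fire on per-rule edits.
probe module("ip_tables").function("ipt_register_table"),
      module("ip_tables").function("ipt_unregister_table")
{
  printf("%s %s pid=%d uid=%d exe=%s\n",
         ctime(gettimeofday_s()), ppfunc(), pid(), uid(), execname())
}

# Path 2: rule edits. Legacy iptables rewrites the entire table through
# setsockopt(IPPROTO_IP, IPT_SO_SET_REPLACE) on every -A/-I/-D/-F, so the
# syscall tapset catches rule changes without needing debuginfo for the
# static do_replace() in ip_tables.c. Counter resets use ..._ADD_COUNTERS.
probe syscall.setsockopt
{
  if (level == 0 && (optname == 64 || optname == 65)) {
    printf("%s iptables %s pid=%d uid=%d exe=%s optlen=%d\n",
           ctime(gettimeofday_s()),
           optname == 64 ? "table replace" : "counter add",
           pid(), uid(), execname(), optlen)
  }
}
```

Run it as root with `stap iptables-watch.stp` and issue an `iptables -A INPUT -p tcp --dport 2222 -j DROP` from another shell to see the "table replace" line with the caller's pid, uid and executable name. Two caveats worth keeping in mind for an EDR sensor: ip6tables goes through SOL_IPV6 (level 41) with the same option numbers, so an IPv6 rule change needs a second condition; and an iptables front end backed by nftables talks to the kernel over nfnetlink, the path Arkady's nfnetlink.c link points at, and will not pass through either probe here.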

