This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: monitor changes to iptables


Hi William,

I am building an EDR Agent (Endpoint Detection and Response) whose
role is to gather various information about the activities of different
processes and be able to detect abnormal activity. One of the required
sensors is a detector for iptables changes. An example of a threat
using iptables rules is a malware which has gained access to the system
and leaks information via a port-knocking method. Just one example...
My goal is to gather information using SystemTap from inside the
kernel to avoid as much as possible being detected or thwarted.
I hope this clarifies the goal.

-Daniel


On Wed, Oct 11, 2017 at 5:45 PM, William Cohen <wcohen@redhat.com> wrote:
> On 10/11/2017 12:47 AM, Daniel Doron wrote:
>> Hi William,
>> Thanks for the suggestion. Correct me if I am wrong but:
>> 1. auditctl does not provide real time / online logging facility
>> 2. I would have to parse its logs to get the info I want
>> 3. Does it also use kprobes to get the info? I'll need to strace it to
>> see how it works...
>>
>> I was thinking maybe monitor the ip_tables module directly, but I will
>> need to figure out the relevant functions...
>
> Hi Daniel,
>
> The auditctl suggestion was a quick off the top of the head thought about some place that would have that information.  There is a timestamp in the audit log information, so if one knows when the problem occurs it should be possible to identify the events in the audit log happening around that time.
>
> It would be useful to describe the problem that is being investigated.  That background would give some context to steer the discussion towards approaches that would best solve the problem.
>
> -Will
>>
>>
>>
>> On Tue, Oct 10, 2017 at 11:17 PM, William Cohen <wcohen@redhat.com> wrote:
>>> On 10/10/2017 10:49 AM, Daniel Doron wrote:
>>>> Hi,
>>>>
>>>> I am trying to figure out a way to monitor and log changes to iptables
>>>> (netfilter). Any ideas would be appreciated...
>>>>
>>>> Thanks.
>>>> Daniel.
>>>>
>>>
>>> Hi Daniel,
>>>
>>> Would you need to use systemtap for this or would using auditctl as mentioned in the following be sufficient?
>>>
>>> https://unix.stackexchange.com/questions/206891/audit-on-changes-to-the-running-iptables-configuration
>>>
>>>
>>> -Will
>
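Daniel's idea of probing the ip_tables path directly can be done without a kernel debuginfo package by watching the system call that legacy iptables uses to install a ruleset. The script below is an added example written for this page; it is not code from the thread or from the SystemTap project. It assumes the stock syscall tapset (probe syscall.setsockopt with the variables level, optname and optlen, and syscall.setsockopt.return with retstr) and relies on the constants SOL_IP = 0, SOL_IPV6 = 41, and IPT_SO_SET_REPLACE / IP6T_SO_SET_REPLACE = 64 and IPT_SO_SET_ADD_COUNTERS / IP6T_SO_SET_ADD_COUNTERS = 65 from the kernel UAPI headers linux/netfilter_ipv4/ip_tables.h and linux/netfilter_ipv6/ip6_tables.h.

```systemtap
#!/usr/bin/stap
# Added example, not part of the original thread.
# Logs every process that replaces an iptables/ip6tables ruleset (or
# adds to its counters) through the legacy setsockopt() interface,
# together with the kernel's return value, so a successful change can
# be told apart from a rejected one (e.g. EPERM from an unprivileged
# attempt).  Run as root:  stap -v iptables-watch.stp
#
# Constants from the kernel UAPI headers (assumption: unchanged on the
# target kernel):
global SOL_IP                 = 0
global SOL_IPV6               = 41
global IPT_SO_SET_REPLACE     = 64   # same value as IP6T_SO_SET_REPLACE
global IPT_SO_SET_ADD_COUNTERS = 65  # same value as IP6T_SO_SET_ADD_COUNTERS

# Entry records, keyed by thread id, waiting for the matching return.
global pending

probe syscall.setsockopt
{
  if ((level == SOL_IP || level == SOL_IPV6) &&
      (optname == IPT_SO_SET_REPLACE || optname == IPT_SO_SET_ADD_COUNTERS)) {
    pending[tid()] = sprintf("%s %s pid=%d ppid=%d uid=%d family=%s op=%s optlen=%d",
                             ctime(gettimeofday_s()), execname(), pid(), ppid(), uid(),
                             level == SOL_IP ? "ipv4" : "ipv6",
                             optname == IPT_SO_SET_REPLACE ? "SET_REPLACE" : "ADD_COUNTERS",
                             optlen)
  }
}

probe syscall.setsockopt.return
{
  # Only threads that matched above have a pending record.
  if (tid() in pending) {
    printf("%s ret=%s\n", pending[tid()], retstr)
    delete pending[tid()]
  }
}

# Housekeeping: drop a pending record if a thread exits before the
# return probe fires (should not normally happen, but keeps the map bounded).
probe kernel.function("do_exit")
{
  delete pending[tid()]
}
```

Two caveats a detector builder will hit. First, this only sees the legacy xtables path: iptables-nft, nft and anything else that programs netfilter over NETLINK_NETFILTER sockets never calls setsockopt with these options, so a complete sensor also needs a probe on sendmsg/sendto for netlink sockets of that protocol family. Second, this shows who changed the tables, not what changed; the optval buffer holds an ipt_replace structure that would have to be decoded separately, or diffed from user space (iptables-save) when the probe fires, which is also the gap William's auditctl suggestion leaves open.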

