This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
Re: monitor changes to iptables
- From: Arkady <arkady dot miasnikov at gmail dot com>
- To: Daniel Doron <danielmeirdoron at gmail dot com>
- Cc: William Cohen <wcohen at redhat dot com>, systemtap at sourceware dot org
- Date: Fri, 13 Oct 2017 18:31:13 +0300
- Subject: Re: monitor changes to iptables
- Authentication-results: sourceware.org; auth=none
- References: <CAFwN=+w5JXcD7wT=fyvpM2L=Fc2wdVDBWMH0ef5Tm==oFb_fkw@mail.gmail.com> <0d43b4f5-7f71-c397-fdea-0fbb6e7b36bf@redhat.com> <CAFwN=+xuV5rmGPPjaEgnL2Be5Qmg+MJQb7BW_iehpSrnHwS3SA@mail.gmail.com> <41c613cb-18ca-0188-de7a-f29770bb4590@redhat.com> <CAFwN=+x6pS5ME8CbUvqBNJ-Khuezh1bArt5Xxc3uEpJeMdZKVw@mail.gmail.com> <CANA-60oxCf9pjsGyc2ByvESE0CTiDswLmRSoNimN259x=XbLUg@mail.gmail.com>
Sorry, this is a better link
http://elixir.free-electrons.com/linux/latest/source/net/netfilter/nfnetlink.c#L151
On Fri, Oct 13, 2017 at 6:28 PM, Arkady <arkady.miasnikov@gmail.com> wrote:
> You are looking for preferably exported hooks in
> http://elixir.free-electrons.com/linux/v2.6.33/source/net/netfilter
> Specifically you can start looking around
> http://elixir.free-electrons.com/linux/latest/source/net/netlink/af_netlink.c#L1861
> - this is the point where a netlink configuration packet hits the
> netfilter API.
>
> On Fri, Oct 13, 2017 at 6:16 PM, Daniel Doron <danielmeirdoron@gmail.com> wrote:
>> Hi William,
>>
>> I am building an EDR Agent (Endpoint detection and response) whose
>> role is to gather various information about activities of different
>> processes and is able to detect abnormal activity. One of the required
>> sensors is a detector for iptables changes. An example of a threat
>> using iptables rules is a malware which has gained access to the system
>> and leaks information via a port knocking method. Just one example...
>> My goal is to gather information using SystemTap from inside the
>> Kernel to avoid as much as possible being detected or thwarted.
>> I hope this clarifies the goal.
>>
>> -Daniel
>>
>>
>> On Wed, Oct 11, 2017 at 5:45 PM, William Cohen <wcohen@redhat.com> wrote:
>>> On 10/11/2017 12:47 AM, Daniel Doron wrote:
>>>> Hi William,
>>>> Thanks for the suggestion. Correct me if I am wrong but:
>>>> 1. auditctl does not provide a real-time / online logging facility
>>>> 2. I would have to parse its logs to get the info I want
>>>> 3. Does it also use kprobes to get the info? I'll need to strace it to
>>>> see how it works...
>>>>
>>>> I was thinking maybe monitor the ip_tables module directly, but I will
>>>> need to figure out the relevant functions...
>>>
>>> Hi Daniel,
>>>
>>> The auditctl suggestion was a quick off the top of the head thought about some place that would have that information. There is a timestamp in the audit log information, so if one knows when the problem occurs it should be possible to identify the events in the audit log happening around that time.
>>>
>>> It would be useful to describe the problem that is being investigated. That background would give some context to steer the discussion towards approaches that would best solve the problem.
>>>
>>> -Will
>>>>
>>>>
>>>>
>>>> On Tue, Oct 10, 2017 at 11:17 PM, William Cohen <wcohen@redhat.com> wrote:
>>>>> On 10/10/2017 10:49 AM, Daniel Doron wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am trying to figure out a way to monitor and log changes to iptables
>>>>>> (netfilter). Any ideas would be appreciated...
>>>>>>
>>>>>> Thanks.
>>>>>> Daniel.
>>>>>>
>>>>>
>>>>> Hi Daniel,
>>>>>
>>>>> Would you need to use systemtap for this or would using auditctl as mentioned in the following be sufficient?
>>>>>
>>>>> https://unix.stackexchange.com/questions/206891/audit-on-changes-to-the-running-iptables-configuration
>>>>>
>>>>>
>>>>> -Will
>>>
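Putting the two pointers in the thread together (hook the point where a configuration packet reaches the netfilter code rather than parse audit logs after the fact), the following SystemTap script is an added example that is not part of the thread and not code from the SystemTap project. It logs the process behind every ruleset change on both paths: the legacy iptables path, where iptables/iptables-restore push a whole table through setsockopt() on a raw socket, and the nfnetlink path used by nftables and iptables-nft. The kernel function names do_ipt_set_ctl (net/ipv4/netfilter/ip_tables.c) and nfnetlink_rcv_msg (net/netfilter/nfnetlink.c) and their parameter names are assumptions about a 4.x kernel; confirm they resolve on the target with `stap -l 'kernel.function("do_ipt_set_ctl")'` before relying on them.

```systemtap
#!/usr/bin/env stap
# Added example, not from the mailing-list thread: report who changes the
# packet-filter configuration, for both the legacy iptables and the
# nfnetlink (nftables / iptables-nft) paths.
#
# Assumptions (verify on the target kernel with `stap -l`):
#   do_ipt_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
#   nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)

# Legacy iptables: the whole table is replaced in one setsockopt() call.
# cmd is IPT_SO_SET_REPLACE (64) for a ruleset replace and
# IPT_SO_SET_ADD_COUNTERS (65) for a counter update.
probe kernel.function("do_ipt_set_ctl") {
    op = ($cmd == 64) ? "REPLACE" : (($cmd == 65) ? "ADD_COUNTERS" : sprintf("cmd=%d", $cmd))
    printf("%s iptables %s len=%u pid=%d uid=%d comm=%s\n",
           ctime(gettimeofday_s()), op, $len, pid(), uid(), execname())
}

# nfnetlink: every configuration message is dispatched here. The upper
# byte of nlmsg_type is the nfnetlink subsystem id (NFNL_SUBSYS_NFTABLES
# is 10), the lower byte the subsystem-specific message type.
probe kernel.function("nfnetlink_rcv_msg") {
    t = $nlh->nlmsg_type
    printf("%s nfnetlink subsys=%d msg=%d pid=%d uid=%d comm=%s\n",
           ctime(gettimeofday_s()), t >> 8, t & 0xff, pid(), uid(), execname())
}

probe begin {
    printf("watching netfilter configuration changes, Ctrl-C to stop\n")
}
```

Run it as root with `stap -v ruleset_watch.stp` and, from another shell, add or delete a rule; one line per change should appear naming the calling pid, uid and program. The legacy probe fires once per iptables invocation because the tool replaces the whole table, so a single line may cover many rule edits; the nfnetlink probe fires per message. For the EDR use case in the thread one caveat applies: the script is a kernel module and is visible in lsmod, so a kernel-privileged attacker can unload it; it reduces the parsing and latency problems of auditd but does not make the sensor tamper-proof.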