Dave Bullock / eecue

photographer, director of engineering: crowdrise, photojournalist, hacker, nerd, geek, human

Monitoring Traffic / Intrusions

I wrote an article a few months ago about using FreeBSD and ipfilter to do transparent bridging in combination with ipfw. This article goes into further detail about monitoring the firewall.

In my previous article I talked about zeebeede. I've decided against using it, as I found that net-snmp now allows the daemon to bind to TCP instead of UDP. This makes it easy to set up an SSH tunnel, which gives us a secure means of transferring the SNMP queries over the wire...

The monitoring server is dual-homed: it sits on both the internal network and the firewall network. As you will see from the previous article, the firewalls are FreeBSD servers with three network interfaces. The two interfaces that are bridged don't have IP addresses. The third interface is on a private network that only the bridges and the monitoring server sit on. That network has no route to the outside world, or even to the internal network.

The monitoring server connects with a secure tunnel to each of the servers it is going to monitor:

ssh -f -N -L 169: server_to_monitor
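The pieces above fit together as follows, shown here as an added example rather than the post's own scripts: the monitored host's snmpd is bound to TCP on its loopback address only, so the agent is unreachable except through the forward, and the monitoring server opens one forward per host and queries it with net-snmp's `tcp:` transport prefix. The local port base (10161), the host index scheme, the `fw1` host name and the `monitor` community name are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): SNMP over TCP through an SSH tunnel.
# Assumptions: local forward ports start at 10161, one per monitored host;
# snmpd on each monitored host listens on tcp:127.0.0.1:161;
# the read-only community name comes from $SNMP_COMMUNITY (default "monitor").
set -u

SNMP_LOCAL_BASE=10161

# snmpd.conf fragment for the monitored hosts: the first (commented-out) line is
# the usual setting that listens on every interface, shown for contrast with the
# loopback-only TCP binding that is reachable only through the SSH forward.
snmpd_conf_fragment() {
    cat <<'EOF'
# agentaddress udp:161                 # listens on every interface, no tunnel needed to reach it
agentaddress tcp:127.0.0.1:161         # loopback only: only the SSH forward can reach the agent
rocommunity monitor 127.0.0.1          # read-only, and only from the loopback source address
EOF
}

# Local port for the Nth monitored host (N starting at 0), so forwards don't collide.
local_port() { echo $(( SNMP_LOCAL_BASE + $1 )); }

# The ssh -L argument for host N: local port -> snmpd on the remote loopback.
forward_spec() { echo "$(local_port "$1"):127.0.0.1:161"; }

# True if something is already listening on the given local port, so a second
# run does not start a duplicate tunnel (works with BSD and Linux netstat output).
tunnel_listening() {
    netstat -an 2>/dev/null | grep -q "[.:]$1[[:space:]].*LISTEN"
}

# Open the background tunnel for host $1 at index $2 unless it is already up.
open_snmp_tunnel() {
    host=$1; idx=$2
    port=$(local_port "$idx")
    tunnel_listening "$port" && return 0
    ssh -f -N -L "$(forward_spec "$idx")" "$host"
}

# Query host index $1 through its tunnel. The tcp: prefix is required because
# net-snmp clients default to UDP, which the loopback-only agent does not accept.
snmp_query() {
    idx=$1; oid=${2:-sysUpTime.0}
    snmpget -v2c -c "${SNMP_COMMUNITY:-monitor}" "tcp:127.0.0.1:$(local_port "$idx")" "$oid"
}

# Usage on the monitoring server:
#   open_snmp_tunnel fw1 0 && snmp_query 0
#   open_snmp_tunnel fw2 1 && snmp_query 1 ifInOctets.1
```

Because the agent only accepts connections from 127.0.0.1, the SNMP community string never crosses the wire in the clear; it travels inside the SSH session and is presented to snmpd from the remote loopback. The same pattern applies to the ipfilter counter MIB described later in the post: whatever snmpd exposes is only reachable through the forward.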

If the server it is going to monitor is also a bridge, it also opens a reverse tunnel to it for the MySQL connection, with a command called snort_sensor:

ssh -f -N -R 3306: $1
ssh $1 /usr/sbin/snort_start

which opens a tunnel and runs a command called snort_start:

#!/bin/sh
/usr/bin/killall snort                                      # stop any running snort
/bin/sleep 3                                                # give it time to exit
/usr/local/bin/snort -c /etc/snort/snort.conf -D -i xl0     # daemonize on the bridge interface xl0

This starts up snort, which I have configured to log to MySQL.

On my monitoring server I have remark, which gives me an easy-to-read status report of recent attack signatures. It is still in its alpha phase and will someday write firewall rules to block attackers, and much more...
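As an added illustration of the kind of status report remark produces (this is not remark's code), the script below summarizes snort alerts by signature and by source address and counts the priority-1 events. It assumes alerts in snort's plain-text `alert_fast` format rather than the MySQL output the post uses; the sample alert lines are constructed for the example and use documentation address ranges.

```shell
#!/bin/sh
# Added example (not remark's code): a small status report over snort alerts.
# Assumption: alerts are in snort's "alert_fast" text format; the lines in
# sample_alerts are constructed for this example.
set -u

sample_alerts() {
    cat <<'EOF'
04/12-10:01:02.123456 [**] [1:2001:3] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3345 -> 192.0.2.10:80
04/12-10:01:05.223456 [**] [1:2001:3] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:3346 -> 192.0.2.10:80
04/12-10:02:10.000001 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.9 -> 192.0.2.10
04/12-10:02:11.000002 [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.9 -> 192.0.2.11
04/12-10:03:44.555555 [**] [1:2001:3] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:4000 -> 192.0.2.11:80
04/12-10:04:00.000000 [**] [1:1000001:1] LOCAL ssh to bridge mgmt net [**] [Priority: 1] {TCP} 192.0.2.5:51000 -> 10.9.9.1:22
EOF
}

# Alerts on stdin -> "count<TAB>sid message", most frequent signature first.
# The signature id is the bracketed field after the first [**]; the message
# runs from there up to the second [**].
top_signatures() {
    awk '
    {
        sid = $3; gsub(/\[|\]/, "", sid)
        msg = ""
        for (i = 4; i <= NF && $i != "[**]"; i++) msg = msg (msg == "" ? "" : " ") $i
        n[sid " " msg]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }' | sort -rn
}

# Alerts on stdin -> "count<TAB>source address", most active source first.
# The source is the field after the {PROTO} tag; the :port suffix (absent for
# ICMP) is stripped so TCP and ICMP hits from one host are counted together.
top_sources() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i ~ /^\{/) { src = $(i + 1); break }
        sub(/:[0-9]+$/, "", src)
        n[src]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }' | sort -rn
}

# Number of priority-1 alerts on stdin.
high_priority_count() { grep -c '\[Priority: 1\]'; }

# Usage: sample_alerts | report    (or: report < /var/log/snort/alert)
report() {
    tmp=$(mktemp) && cat > "$tmp"
    printf 'priority-1 alerts: %s\n\n' "$(high_priority_count < "$tmp")"
    printf 'top signatures:\n';  top_signatures < "$tmp" | head -5
    printf '\ntop sources:\n';   top_sources    < "$tmp" | head -5
    rm -f "$tmp"
}
```

One design point worth carrying into any future auto-blocking feature: the source column is only as trustworthy as the protocol. TCP alerts come from completed handshakes, but ICMP and UDP sources can be forged, so a rule writer that blocks whatever address tops this list needs an allowlist of its own gateways and monitoring hosts and a time limit on each block, or a forged packet can turn the sensor into a tool for cutting off legitimate traffic.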

I am using cacti to create graphs of the SNMP data. I wrote two scripts that set up graphs, one for servers and one for the bridge ipfilter counters.

The bridge ipfilter counters script creates a graph of all the different protocols I am counting. It will be easy to modify the script to graph all blocked packets.

ipfilter's counters can be read by SNMP using this MIB in conjunction with this Perl script.

My next step is to integrate the graphs into remark so that they are displayed on the main page. I also want to set up graphing of attack signatures; I will have to write some PHP code for this.

I am also now releasing the next version of remark, which can be found here.

Until next time....