[CentOS] log outbound port 80 connections

2008-02-05 Thread Tony Schreiner

Is there a way to log outbound connections to a specific port (80)?
CentOS 4.6.

iptables?


Thanks
Tony Schreiner
Boston College
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] log outbound port 80 connections

2008-02-05 Thread Ray Van Dolson
On Tue, Feb 05, 2008 at 11:56:48AM -0500, Tony Schreiner wrote:
> Is there a way to log outbound connections to a specific port (80)?
> CentOS 4.6.
>
> iptables?

iptables -A OUTPUT -p tcp --dport 80 -j LOG --log-prefix "WWW "

You might want to tack --syn on there as well to only log the packet
initiating the connection instead of packets for the whole stream.

Ray


Re: [CentOS] log outbound port 80 connections

2008-02-05 Thread Tony Schreiner


On Feb 5, 2008, at 12:00 PM, Ray Van Dolson wrote:

> On Tue, Feb 05, 2008 at 11:56:48AM -0500, Tony Schreiner wrote:
>> Is there a way to log outbound connections to a specific port (80)?
>> CentOS 4.6.
>>
>> iptables?
>
> iptables -A OUTPUT -p tcp --dport 80 -j LOG --log-prefix "WWW "
>
> You might want to tack --syn on there as well to only log the packet
> initiating the connection instead of packets for the whole stream.
>
> Ray


Thanks for that.

Followup. Can I associate anything in the log record with the process?
I see the SPT but the connection appears to be short; I can't find the
port in netstat or lsof (not sure if those apply to source ports).



Tony


Re: [CentOS] log outbound port 80 connections

2008-02-05 Thread Tony Schreiner


On Feb 5, 2008, at 12:15 PM, John R Pierce wrote:

> Tony Schreiner wrote:
>> Is there a way to log outbound connections to a specific port (80)?
>> CentOS 4.6.
>
> assuming you want to log user web browsing traffic, configuring a
> Squid transparent proxy at your network border would be the best
> way.  Its logfiles are quite similar to those of a webserver, so
> you can use a wide range of log analysis tools.




To get more specific about what's going on.  My network services have  
informed me that the machine is probing other systems at a high rate.  
An infection of some sort. And I'm trying to track down what's going on.


Tony



Re: [CentOS] log outbound port 80 connections

2008-02-05 Thread Ray Van Dolson

> To get more specific about what's going on.  My network services have
> informed me that the machine is probing other systems at a high rate. An
> infection of some sort. And I'm trying to track down what's going on.


The LOG target lets you display the user id of the process I believe,
but not the PID.  There might be some iptables extensions out there
that would do what you're looking for.  Don't know them off the top of
my head however.

Alternately, perhaps you could use SELinux for this?  I know its audit
logs would give you the level of detail you're looking for, but getting
the policy written for it might be challenging.

Ray


Re: [CentOS] log outbound port 80 connections

2008-02-05 Thread Bill Campbell
On Tue, Feb 05, 2008, Tony Schreiner wrote:
> On Feb 5, 2008, at 12:15 PM, John R Pierce wrote:
>> Tony Schreiner wrote:
>>> Is there a way to log outbound connections to a specific port (80)?
>>> CentOS 4.6.
>>
>> assuming you want to log user web browsing traffic, configuring a
>> Squid transparent proxy at your network border would be the best
>> way.  Its logfiles are quite similar to those of a webserver, so
>> you can use a wide range of log analysis tools.
>
> To get more specific about what's going on.  My network services have
> informed me that the machine is probing other systems at a high rate.
> An infection of some sort. And I'm trying to track down what's going on.

In that case, you might want to use ``lsof -i :80'' to see
processes using port 80.  Once one has an interesting PID, then
using ``lsof -p PID'' will show everything that process is using
including the full path to the executing program.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

The only logical reason to take guns away from responsible people is to
give irresponsible people an edge in the perpetration of their crimes
against us. -- The Idaho Observer, Vol. 1, No. 2 February 1997


Re: [CentOS] log outbound port 80 connections

2008-02-05 Thread John R Pierce

Tony Schreiner wrote:
>> assuming you want to log user web browsing traffic, configuring a
>> Squid transparent proxy at your network border would be the best
>> way.  Its logfiles are quite similar to those of a webserver, so you
>> can use a wide range of log analysis tools.
>
> To get more specific about what's going on.  My network services have
> informed me that the machine is probing other systems at a high rate.
> An infection of some sort. And I'm trying to track down what's going on.


ah.  tcpdump -i ethX tcp port 80

(and prepare for a flood of data).






Re: [CentOS] log outbound port 80 connections

2008-02-05 Thread Ray Van Dolson
On Tue, Feb 05, 2008 at 09:29:30AM -0800, John R Pierce wrote:
> Tony Schreiner wrote:
>> assuming you want to log user web browsing traffic, configuring a Squid
>> transparent proxy at your network border would be the best way.  Its
>> logfiles are quite similar to those of a webserver, so you can use a wide
>> range of log analysis tools.
>
>> To get more specific about what's going on.  My network services have
>> informed me that the machine is probing other systems at a high rate. An
>> infection of some sort. And I'm trying to track down what's going on.
>
> ah.  tcpdump -i ethX tcp port 80
>
> (and prepare for a flood of data).


If you decide to use tcpdump at all, maybe just limit to SYN packets as
well:

  tcpdump -n -i ethX 'tcp port 80 and tcp[tcpflags] & tcp-syn != 0'

Ray


Re: [CentOS] log outbound port 80 connections

2008-02-05 Thread Robert Spangler
On Tuesday 05 February 2008 12:00, Ray Van Dolson wrote:

> iptables -A OUTPUT -p tcp --dport 80 -j LOG --log-prefix "WWW "

I was thinking more along these lines for a rule:

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j LOG --log-prefix "[WWW] : " --log-tcp-options --log-ip-options


-- 

Regards
Robert

Smile... it increases your face value!
Linux User #296285
http://counter.li.org
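As an added example (not from the thread), the pipeline below reads constructed lines in the format the LOG target writes for a rule like the one above and counts distinct destinations per UID, which surfaces the fan-out that Tony describes earlier in the thread. It assumes the rule also carries --log-uid (otherwise UID shows as "-") and a prefix quoted with a trailing space, because the LOG target prints the prefix immediately before IN=.

```shell
#!/bin/sh
# Constructed sample of what rules like the ones above write to
# /var/log/messages (not captured output; the field set is abbreviated).
# The UID= field is only present when the rule also carries --log-uid.
SAMPLE_LOG='Feb  5 12:30:01 box kernel: [WWW] : IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=43210 DPT=80 SYN URGP=0 UID=500
Feb  5 12:30:01 box kernel: [WWW] : IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.8 PROTO=TCP SPT=43211 DPT=80 SYN URGP=0 UID=500
Feb  5 12:30:02 box kernel: [WWW] : IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=43212 DPT=80 SYN URGP=0 UID=500
Feb  5 12:30:02 box kernel: [WWW] : IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=43213 DPT=80 SYN URGP=0 UID=500
Feb  5 12:30:02 box kernel: [WWW] : IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=43210 DPT=80 ACK URGP=0 UID=500
Feb  5 12:30:03 box kernel: [WWW] : IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=80 SYN URGP=0 UID=48'

# Keep only connection-initiating packets (SYN without ACK) that carry the
# given log prefix, so the count stays right even if the rule lacks
# --syn / --state NEW and logs every packet of the stream.
syn_lines() {
    grep -F "kernel: $1" | grep -E ' SYN( |$)' | grep -vE ' ACK( |$)'
}

# One line per UID: "<uid> <number of distinct DST addresses>".
# UID is reported as "-" when the rule was not given --log-uid.
distinct_dst_per_uid() {
    awk '{
        uid = "-"; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^UID=/) uid = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        if (dst != "" && !((uid SUBSEP dst) in seen)) {
            seen[uid SUBSEP dst] = 1
            n[uid]++
        }
    }
    END { for (u in n) print u, n[u] }' | sort
}

# Print the UIDs that initiated connections to at least $1 distinct hosts:
# one user id fanning out to many web servers is the probing pattern from
# the thread, and the UID narrows which processes to inspect with lsof.
suspect_uids() {
    awk -v min="$1" '$2 >= min { print $1 }'
}

# Stand-alone run over the constructed sample (prints "500").
printf '%s\n' "$SAMPLE_LOG" | syn_lines '[WWW] : ' | distinct_dst_per_uid | suspect_uids 3
```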