On Wed, 2002-04-10 at 19:11, Alex Kent wrote:
>
> How possible would it be to add the ability to log connection tracking
> information? Specifically something that did summary logging about
> individual connections. It would be useful to be able to log at the
> conclusion of a connection src/dst IPs/ports, number of bytes/packets
> moved, length of time the connection existed, and perhaps if the
> connection ended in some abnormal manner.
>
> It seems like netfilter would be an excellent place to gather this
> information and would provide an excellent addition to an integrated
> intrusion detection system. Plus, you could make pretty statistics and
> graphs by compiling the log data. :)
>
> How hard would it be to adapt the state module to do this? Comments on
> whether this would actually be useful?
There is partial support for this in the ctnetlink patch. Together with a program called ctrace you can monitor the creation and ending of connections. It doesn't have support for bytes/packets out of the box but there's a patch that adds that. I don't know exactly what it can report as I haven't used ctnetlink for that, I've only tested it briefly and saw that it reported stuff :)

The ctnetlink in netfilter cvs is DANGEROUS, it will crash your kernel at some point if you try to extract connection information from conntrack. I have this fixed in a version here that I'll submit to cvs soon, I just want to see if I can fix a few more things.

So if you want you can look at how ctrace does things (it uses a library called libctnetlink to do the dirty work, just look at how ctrace uses libctnetlink) and maybe build another small application that can log the way you want.

Again, the ctnetlink patch in cvs will CRASH your kernel. You have been warned :)

My partly fixed version has been running in a production router and being used for ident lookups for a few weeks now without problems. There's a few bugs to fix and some features to implement. I haven't been able to crash my fixed version in any way, the original version crashes very easily. I'll probably submit my version to cvs real soon as the current version is so unstable.

-- 
/Martin
Never argue with an idiot. They drag you down to their level, then beat you with experience.
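The "small application that can log the way you want" sketched in the thread, as an added example that is not part of either message and is not ctrace or libctnetlink code: it pairs conntrack NEW and DESTROY events per flow and emits one summary line per connection with the fields Alex asked for (src/dst IP and port, packets and bytes in both directions, lifetime). The input format is an assumption, modelled on the text output of the later conntrack-tools `conntrack -E -o timestamp` command rather than the 2002 ctnetlink patch; the sample events are constructed, and the packets=/bytes= counters are only present when conntrack accounting is enabled, so the code tolerates their absence. A DESTROY with no observed NEW (tracker started mid-stream) still produces a summary with an unknown duration, and a flow whose reply direction never carried a packet is flagged as unreplied, which is the closest thing to "ended in some abnormal manner" that the event stream itself can tell you.

```python
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of `conntrack -E -o timestamp` (conntrack-tools).
# The exact field layout is an assumption (it varies by version); counters appear
# only when conntrack accounting is on. The last DESTROY has no matching NEW.
SAMPLE_EVENTS = """\
[1018453871.104211]      [NEW] tcp      6 120 SYN_SENT src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=22 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=22 dport=40001
[1018453871.231877]      [NEW] udp      17 30 src=192.0.2.10 dst=198.51.100.53 sport=51000 dport=53 [UNREPLIED] src=198.51.100.53 dst=192.0.2.10 sport=53 dport=51000
[1018453871.240102]  [DESTROY] udp      17 src=192.0.2.10 dst=198.51.100.53 sport=51000 dport=53 packets=1 bytes=64 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=51000 packets=1 bytes=128
[1018453934.500000]  [DESTROY] tcp      6 src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=22 packets=42 bytes=5120 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=40001 packets=38 bytes=7300
[1018453935.000000]  [DESTROY] tcp      6 src=203.0.113.7 dst=198.51.100.5 sport=1234 dport=80 packets=3 bytes=180 src=198.51.100.5 dst=203.0.113.7 sport=80 dport=1234 packets=0 bytes=0
"""

# "[ts] [KIND] proto protonum rest..." ; the rest holds one tuple per direction.
EVENT_RE = re.compile(r"^\[(\d+\.\d+)\]\s+\[(\w+)\]\s+(\w+)\s+\d+\s+(.*)$")
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
COUNTER_RE = re.compile(r"packets=(\d+) bytes=(\d+)")

FlowKey = Tuple[str, str, str, int, int]  # proto, src, dst, sport, dport (original direction)


@dataclass
class FlowSummary:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    duration: Optional[Decimal]  # seconds; None if the NEW event was never seen
    packets: int                 # both directions summed
    bytes: int                   # both directions summed
    counters_seen: bool          # False when accounting was off (no packets=/bytes=)
    replied: Optional[bool]      # False = reply direction carried no packets; None = no counters


class ConnectionLogger:
    """Pairs NEW and DESTROY events per flow and returns one summary per flow."""

    def __init__(self) -> None:
        self._open: Dict[FlowKey, Decimal] = {}  # flow key -> NEW timestamp

    def feed(self, line: str) -> Optional[FlowSummary]:
        m = EVENT_RE.match(line.strip())
        if not m:
            return None  # not an event line
        ts, kind, proto, rest = Decimal(m.group(1)), m.group(2), m.group(3), m.group(4)
        tuples = TUPLE_RE.findall(rest)
        if not tuples:
            return None
        src, dst, sport, dport = tuples[0]  # first tuple is the original direction
        key: FlowKey = (proto, src, dst, int(sport), int(dport))
        if kind == "NEW":
            self._open[key] = ts
            return None
        if kind != "DESTROY":
            return None  # UPDATE events carry no end-of-connection information
        start = self._open.pop(key, None)
        counters = [(int(p), int(b)) for p, b in COUNTER_RE.findall(rest)]
        replied = counters[1][0] > 0 if len(counters) == 2 else None
        return FlowSummary(
            proto, src, dst, int(sport), int(dport),
            duration=(ts - start) if start is not None else None,
            packets=sum(p for p, _ in counters),
            bytes=sum(b for _, b in counters),
            counters_seen=bool(counters),
            replied=replied,
        )


def summarize(text: str) -> List[FlowSummary]:
    """Run every line of an event stream through one logger and collect summaries."""
    logger = ConnectionLogger()
    return [s for s in (logger.feed(ln) for ln in text.splitlines()) if s is not None]


def format_summary(s: FlowSummary) -> str:
    """One log line per finished connection, in the shape the thread asks for."""
    dur = f"{s.duration}s" if s.duration is not None else "unknown"
    acct = f"packets={s.packets} bytes={s.bytes}" if s.counters_seen else "no-accounting"
    flag = " unreplied" if s.replied is False else ""
    return f"CONN {s.proto} {s.src}:{s.sport} -> {s.dst}:{s.dport} duration={dur} {acct}{flag}"


if __name__ == "__main__":
    for summary in summarize(SAMPLE_EVENTS):
        print(format_summary(summary))
```

Timestamps are kept as `Decimal` so the duration is the exact difference of the two printed timestamps rather than a float with rounding noise, which matters if these lines are later diffed or deduplicated. Feeding a live stream is just calling `feed()` per line as the events arrive; the same per-flow pairing works for any event source that exposes NEW and DESTROY with the original-direction tuple.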