[c-nsp] LOG ACL

matt carter matt at iseek.com.au
Tue Jan 31 21:02:36 EST 2006



If it's an instantaneous, right-now thing, perhaps just enable the netflow cache
temporarily so you can do a show ip cache flow and see what flows are
transiting the router? Trojans and other stuff stick out like a sore thumb
because they represent large numbers of flows with small numbers of packets,
sweeping IPs, usually all to the same dest port, so it's a very distinct
signature and you can easily jump on the offending src host. We use a system
that analyses flows from our collectors and identifies excessive flows in
order to proactively alert infected customers rather than just letting them
scan the internet for god knows how long until they realise or the ongoing
resource/network consumption attracts 3rd-party attention.

If it's historical info you need and you don't have a collector, then perhaps start
with ip accounting. Even though it isn't going to give you port numbers, the
signature of an infected host should still be very distinctive, as it will be
scanning large sections of the internet, turning over lots of unique (perhaps
sequential) src/dst pairs in comparison to the other hosts, which should be a
lot more under the radar, so to speak, so your main offender should still
stick out pretty heavily.

just an idea.

--matt



> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of 
> Melvin C. Etheridge
> Sent: Wednesday, 1 February 2006 10:44 AM
> To: Cisco-Nsp
> Subject: Re: [c-nsp] LOG ACL
> 
> This would work on a temp basis on a DSL router with a few hundred customers,
> would it not?
> 
> Mel
> 
> ----- Original Message ----- 
> From: "Cory Ayers" <cayers at ena.com>
> To: "Melvin C. Etheridge" <mele at enia.net>; "Cisco-Nsp" 
> <cisco-nsp at puck.nether.net>
> Sent: Tuesday, January 31, 2006 11:06 AM
> Subject: RE: [c-nsp] LOG ACL
> 
> 
> > I at least would like to know what ports are being used.
> >
> > TIA
> >
> > Mel
> 
> From my experience, doing permit ip any any log on an access-list does
> not show port numbers for TCP and UDP packets.  A line in the log
> typically looks like this:
> 
> %SEC-6-IPACCESSLOGP: list 134 permitted tcp w.x.y.z(0) -> a.b.c.d(0), 1 packet
> 
> To get a good idea of what is happening, you can put non-log permits in
> for well-known ports, then log the entire range 1-65535.  I only do this
> on end-site routers and definitely wouldn't recommend it on a high
> bandwidth core device.  You should really look at Netflow accounting for
> high capacity environments.
> 
> logging buffered 65535 debugging
> access-list 134 permit tcp any any eq www
> access-list 134 permit tcp any eq www any
> access-list 134 permit tcp any any eq 443
> access-list 134 permit tcp any eq 443 any
> access-list 134 permit tcp any any eq smtp
> access-list 134 permit tcp any eq smtp any
> access-list 134 permit tcp any any eq pop3
> access-list 134 permit tcp any eq pop3 any
> access-list 134 permit udp any any eq domain
> access-list 134 permit udp any eq domain any
> access-list 134 permit udp any any eq ntp
> access-list 134 permit udp any eq ntp any
> access-list 134 permit udp any any eq snmp
> access-list 134 permit udp any eq snmp any
> access-list 134 permit tcp any any range 0 65535 log
> access-list 134 permit udp any any range 0 65535 log
> access-list 134 permit ip any any
> interface FastEthernet0/0
>  ip access-group 134 in
> 
> Then to see the log you simply "show logging" from the router terminal.
> 
> Cheers,
> Cory
> 
> > ----- Original Message -----
> > From: "Melvin C. Etheridge" <mele at enia.net>
> > To: "Amol Sapkal" <amolsapkal at gmail.com>
> > Cc: "Cisco-Nsp" <cisco-nsp at puck.nether.net>
> > Sent: Monday, January 30, 2006 12:19 AM
> > Subject: Re: [c-nsp] LOG ACL
> >
> >
> > >I would really like to log all traffic on this host.
> > >
> > > The cust thinks they have a trojan and have not been able to track it
> > > down.
> > >
> > > Thanks!
> > >
> > > Mel
> > >  ----- Original Message -----
> > >  From: Amol Sapkal
> > >  To: Melvin C. Etheridge
> > >  Sent: Sunday, January 29, 2006 11:19 PM
> > >  Subject: Re: [c-nsp] LOG ACL
> > >
> > >
> > >  Melvin,
> > >
> > >  Are you looking at logging only the number of packets?
> > >  If yes, try put an explicit permit statement in your access-list.
> > >
> > >  Like,
> > >
> > >  access-list 100 permit ip host 1.1.1.1 any
> > >  access-list 100 permit ip any host 1.1.1.1
> > >
> > >
> > >
> > >  HTH,
> > >  Amol
> > >
> > >
> > >
> > >  On 1/30/06, Melvin C. Etheridge <mele at enia.net> wrote:
> > >    I would like to create an ACL to just log traffic to and from an IP going
> > >    through one of my adsl routers.
> > >
> > >    What would be the best way to word the ACL to do this?
> > >
> > >    Thanks,
> > >
> > >    Mel
> > >
> > >    _______________________________________________
> > >    cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > >    https://puck.nether.net/mailman/listinfo/cisco-nsp
> > >    archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> > >
> > >
> > >
> > >  --
> > >  Warm regards,
> > >
> > >  Amol Sapkal
> > >
> > >  -------------------------------------------------------------------
> > >  "A new study shows that licking the sweat off
> > >  a frog can cure depression. The down side is,
> > >  the minute you stop licking, the frog gets
> > >  depressed again." - Jay Leno
> > >  -------------------------------------------------------------------
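Added example, not part of any post in this thread: a small Python script that parses the two data sources the posts describe, `show ip cache flow` rows (Matt's suggestion) and the `%SEC-6-IPACCESSLOGP` lines that Cory's logging ACL produces in `show logging`, and applies the signature Matt gives for an infected host: one source with many flows, very few packets per flow, many distinct (perhaps sequential) destinations, nearly all to one destination port. The sample rows and log lines, the addresses and ports in them, and the thresholds in `find_scanners` are constructed for the example; the netflow column layout is the standard `show ip cache flow` table, where protocol and ports are printed in hex.

```python
# Added example, not from the thread: flag a scanning host in "show ip cache flow"
# rows or in %SEC-6-IPACCESSLOGP lines.  All sample data below is constructed.
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    pkts: int


# "show ip cache flow" rows: SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
# (protocol and ports are hex); header and statistics lines simply do not match.
CACHE_FLOW_RE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+\S+\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)
# ACL log lines as quoted in the thread; "search" because real lines carry a timestamp prefix.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ (?:permitted|denied) (?P<pr>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sp>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dp>\d+)\), (?P<pkts>\d+) packets?"
)
PROTO_NAMES = {0x01: "icmp", 0x06: "tcp", 0x11: "udp"}


def parse_cache_flow(text: str) -> List[Flow]:
    flows = []
    for m in filter(None, map(CACHE_FLOW_RE.match, text.splitlines())):
        pr = int(m["pr"], 16)
        flows.append(Flow(m["src"], m["dst"], PROTO_NAMES.get(pr, str(pr)),
                          int(m["sp"], 16), int(m["dp"], 16), int(m["pkts"])))
    return flows


def parse_acl_log(text: str) -> List[Flow]:
    return [Flow(m["src"], m["dst"], m["pr"].lower(), int(m["sp"]), int(m["dp"]), int(m["pkts"]))
            for m in filter(None, map(ACL_LOG_RE.search, text.splitlines()))]


def sequential_ratio(addrs) -> float:
    """Share of adjacent (sorted, unique) destination addresses that differ by exactly 1."""
    ints = sorted({int(ipaddress.ip_address(a)) for a in addrs})
    if len(ints) < 2:
        return 0.0
    return sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1) / (len(ints) - 1)


def find_scanners(flows, min_flows=20, max_avg_pkts=2.0, min_port_share=0.8) -> List[dict]:
    """Matt's signature: one source, many flows, few packets per flow, many distinct
    destinations, nearly all to the same destination port.  Thresholds are assumptions."""
    per_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        per_src[f.src].append(f)
    hits = []
    for src, fl in per_src.items():
        n = len(fl)
        if n < min_flows:
            continue
        avg_pkts = sum(f.pkts for f in fl) / n
        dsts = {f.dst for f in fl}
        top_port, top_count = Counter(f.dport for f in fl).most_common(1)[0]
        if avg_pkts <= max_avg_pkts and len(dsts) >= min_flows and top_count / n >= min_port_share:
            hits.append({"src": src, "flows": n, "avg_pkts": avg_pkts,
                         "unique_dsts": len(dsts), "sequential_dsts": sequential_ratio(dsts),
                         # dport 0 = port not logged (e.g. the "(0)" in the quoted log line)
                         "top_dport": top_port, "top_dport_share": top_count / n,
                         "proto": Counter(f.proto for f in fl).most_common(1)[0][0]})
    return sorted(hits, key=lambda h: h["flows"], reverse=True)


# Constructed sample: 10.0.0.5 sweeps 192.0.2.1-40 on one TCP port, one packet per
# flow; 10.0.0.9 has a few ordinary long-lived sessions and stays under the radar.
SAMPLE_CACHE_FLOW = "\n".join(
    ["SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts"]
    + [f"Fa0/0         10.0.0.5        Fa0/1         192.0.2.{i:<8} 06 {0x0400 + i:04X} 0087     1"
       for i in range(1, 41)]
    + ["Fa0/0         10.0.0.9        Fa0/1         198.51.100.10   06 0C2A 0050   812",
       "Fa0/0         10.0.0.9        Fa0/1         198.51.100.11   06 0C2B 01BB   266",
       "Fa0/0         10.0.0.9        Fa0/1         203.0.113.53    11 8A10 0035     2"])
SAMPLE_ACL_LOG = "\n".join(
    [f"%SEC-6-IPACCESSLOGP: list 134 permitted tcp 10.0.0.5({1024 + i}) -> 192.0.2.{i}(135), 1 packet"
     for i in range(1, 41)]
    + ["%SEC-6-IPACCESSLOGP: list 134 permitted udp 10.0.0.9(51200) -> 203.0.113.20(4500), 9 packets"])

if __name__ == "__main__":
    for name, flows in (("netflow", parse_cache_flow(SAMPLE_CACHE_FLOW)),
                        ("acl log", parse_acl_log(SAMPLE_ACL_LOG))):
        for h in find_scanners(flows):
            print(f"{name}: {h['src']} {h['flows']} flows, {h['avg_pkts']:.1f} pkts/flow, "
                  f"{h['unique_dsts']} dsts ({h['sequential_dsts']:.0%} sequential), "
                  f"{h['top_dport_share']:.0%} to {h['proto']}/{h['top_dport']}")
```

Against a real router, paste the output of `show ip cache flow` or `show logging` into a file and hand it to the matching parser; the cache statistics preamble and log timestamps are simply skipped by the regexes. The port-share test still fires when the port is not available (every flow reports port 0, as in the `(0)` of the quoted log line), which mirrors Matt's second point: the count of unique src/dst pairs alone separates the offender from hosts with a handful of long-lived sessions.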



