Creating Custom Log Rules - McAfee SG310 Administration Manual

System Log

Creating custom log rules

There are also some specific rules to detect various attacks such as smurf and teardrop. When outbound
traffic (from LAN to WAN) is blocked by custom rules configured in the GUI, the resultant dropped packets
are also logged.
The <prefix> of each of these rules varies according to its type.
The prefixes currently used for arriving traffic are:
Default Deny — Packet did not match any rule, drop it
Invalid — Invalid packet format detected
Smurf — Smurf attack detected
Spoof — Invalid IP address detected
SynFlood — SynFlood attack detected
Custom — Custom rule dropped outbound packet
A typical Default Deny: entry looks similar to the following:
Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1
OUT= MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 SRC=140.103.74.181 DST=12.16.16.36
LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP SPT=46111 DPT=139 WINDOW=5840
RES=0x00 SYN URGP=0
That is, a packet arriving from the WAN (IN=eth1) and bound for the appliance itself (OUT=<nothing>)
from IP address 140.103.74.181 (SRC=140.103.74.181), attempting to go to port 139 (DPT=139,
Windows file sharing) was dropped.
If the packet is traversing the appliance to a server on the private network, the outgoing interface is eth0,
as shown in the following example:
Mar 27 09:52:59 2003 klogd: IN=eth1 OUT=eth0 SRC=140.103.74.181 DST=10.0.0.2 LEN=60
TOS=0x10 PREC=0x00 TTL=62 ID=51683 DF PROTO=TCP SPT=47044 DPT=22 WINDOW=5840 RES=0x00
SYN URGP=0
Packets going from the private network to the public come in eth0, and out eth1, as shown in the following
example:
Mar 27 10:02:51 2003 klogd: IN=eth0 OUT=eth1 SRC=10.0.0.2 DST=140.103.74.181 LEN=60
TOS=0x00 PREC=0x00 TTL=63 ID=62830 DF PROTO=TCP SPT=46486 DPT=22 WINDOW=5840 RES=0x00
SYN URGP=0
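The three log entries above differ only in their prefix and their IN/OUT interfaces, which is exactly what an analyst keys on. The following is an added example, not code from the manual or the appliance: a small Python parser that splits a klogd/netfilter LOG line into its prefix, its KEY=value fields and its bare flag tokens (DF, SYN), then classifies the direction from IN/OUT the way the text does. It assumes eth0 is the LAN and eth1 the WAN interface, as in the examples, and its sample input is the manual's three entries re-joined onto one line each.

```python
import re

# Interface roles as the manual describes them: eth0 faces the LAN, eth1 the WAN.
LAN_IF, WAN_IF = "eth0", "eth1"
# Text between "klogd: " and the first "IN=" is the rule's --log-prefix, if any.
_ENTRY_RE = re.compile(r"klogd:\s*(?P<prefix>.*?)(?=IN=)(?P<fields>.*)$")
# Sample entries constructed from the manual's three log lines, re-joined onto one line each.
SAMPLE_LOG = [
    "Mar 27 09:31:19 2003 klogd: Default deny: IN=eth1 OUT= MAC=00:d0:cf:00:ff:01:00:e0:29:65:af:e9:08:00 "
    "SRC=140.103.74.181 DST=12.16.16.36 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=46341 DF PROTO=TCP "
    "SPT=46111 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar 27 09:52:59 2003 klogd: IN=eth1 OUT=eth0 SRC=140.103.74.181 DST=10.0.0.2 LEN=60 TOS=0x10 "
    "PREC=0x00 TTL=62 ID=51683 DF PROTO=TCP SPT=47044 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar 27 10:02:51 2003 klogd: IN=eth0 OUT=eth1 SRC=10.0.0.2 DST=140.103.74.181 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=63 ID=62830 DF PROTO=TCP SPT=46486 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]

def classify(fields):
    """Derive the direction from IN/OUT, following the manual's three cases."""
    src_if, dst_if = fields.get("IN", ""), fields.get("OUT", "")
    if src_if == WAN_IF and dst_if == "":
        return "inbound to appliance"        # OUT=<nothing>: the appliance itself
    if src_if == WAN_IF and dst_if == LAN_IF:
        return "inbound forwarded to LAN"
    if src_if == LAN_IF and dst_if == WAN_IF:
        return "outbound from LAN"
    return "unknown"

def parse_entry(line):
    """Split one netfilter LOG line into prefix, KEY=value fields and bare flags."""
    m = _ENTRY_RE.search(line)
    if not m:
        raise ValueError("not a netfilter LOG entry: %r" % line)
    fields, flags = {}, set()
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val            # "OUT=" stores an empty string
        else:
            flags.add(tok)               # DF, SYN and other bare flag tokens
    return {"prefix": m.group("prefix").strip(), "fields": fields,
            "flags": flags, "direction": classify(fields)}

def summarize(lines):
    """One compact line per entry: prefix | direction | proto src:spt -> dst:dpt."""
    rows = []
    for e in map(parse_entry, lines):
        f = e["fields"]
        rows.append("%s|%s|%s %s:%s -> %s:%s" % (e["prefix"] or "(no prefix)", e["direction"],
                    f.get("PROTO"), f.get("SRC"), f.get("SPT"), f.get("DST"), f.get("DPT")))
    return rows
```

Feeding the appliance's syslog through `summarize` gives one line per dropped or logged packet with the prefix and direction made explicit, which is what a custom --log-prefix is meant to make easy to search for.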
Creating custom log rules
Additional log rules can be configured to provide more detail if desired. For example, by analyzing the rules
in the Packet Filter Rules menu, it is possible to provide additional log messages with configurable prefixes
(that is, other than Default Deny:) for some allowed or denied protocols.
Depending on how the LOG rules are constructed, it may be possible to differentiate between inbound
(from WAN to LAN) and outbound (from LAN to WAN) traffic. Similarly, traffic attempting to access services
on the appliance itself can be differentiated from traffic trying to pass through it.
The examples below can be entered on the Command Line Interface (telnet), or into the Packet Filter Rules
page in the Management Console. Rules entered on the CLI are not permanent, however; so while this may
be useful for some quick testing, it is something to be wary of.
To log permitted inbound access requests to services hosted on the appliance, the rule should look
something like this:
iptables -I INPUT -j LOG -p tcp --syn -s <X.X.X.X/XX> -d <Y.Y.Y.Y/YY> --dport <Z> --log-prefix <prefix>
This logs any TCP (-p tcp) session initiations (--syn) that arrive from the IP address/netmask X.X.X.X/XX
(-s ...) and are going to Y.Y.Y.Y/YY, destination port Z (--dport).
374
McAfee UTM Firewall 4.0.4 Administration Guide
