iplog.conf (5)
  • iplog.conf (5) (Linux man: File Formats)

    NAME

    iplog.conf - iplog configuration file.
    

     

    DESCRIPTION

    Upon execution and upon being restarted, iplog reads a list of configuration rules from its configuration file. The default location of this file is /etc/iplog.conf.

     

    NOTATION

    Throughout this document, required parameters will be denoted by enclosing the parameter in angle brackets <like this>.

    Optional parameters will be denoted by enclosing the parameter in square brackets [like this].

    The '|' character is used to express exclusive or. For example [true|false] means you may give "true" or "false", but not both.

     

    COMMENTS

    The '#' character marks the beginning of a comment. C-style (/**/) comments are accepted, also.

     

    RULE CLASSES

    The configuration file supports the following classes of rules: set rules, the interface rule, the priority rule, the facility rule, the user rule, the group rule, the promisc rule, the logfile rule, the pid-file rule, and filter (log/ignore) rules. Each class is described below.

     

    SET RULE SYNTAX

    Set rules allow for boolean program options to be enabled or disabled at runtime.

    The syntax for "set" rules is:
    set <keyword> [true|false]
    When the value is omitted the keyword is enabled (compare "set ignore_dns" in the EXAMPLES section).

     

    SET KEYWORDS

    tcp
    Log or ignore TCP traffic.

    udp
    Log or ignore UDP traffic.

    icmp
    Log or ignore ICMP traffic.

    frag
    Enable or disable detection of IP fragment attacks (duplicated and overlapping fragments).

    smurf
    Enable or disable detection of "smurf" attacks.

    bogus
    Enable or disable detection of TCP packets with invalid TCP flags set. Programs such as nmap and queso may set these flags while trying to perform OS detection.

    log_ip
    Enable or disable logging IP addresses in addition to host names.

    log_dest
    Log the destination address of IP packets that are received.

    stdout
    Enable or disable logging to stdout. This option is incompatible with the "logfile" keyword.

    no_fork
    Enable or disable running in the foreground.

    verbose
    Enable or disable verbose mode. In verbose mode, packets with invalid checksums and truncated headers are logged.

    fin_scan
    Enable or disable the detection of TCP FIN scans.

    syn_scan
    Enable or disable the detection of TCP SYN scans.

    udp_scan
    Enable or disable the detection of UDP scans and UDP floods.

    portscan
    Enable or disable the detection of TCP port scans.

    fool_nmap
    Enable or disable a mechanism that attempts to fool programs, such as nmap and queso, that perform remote OS detection. As a side effect, enabling this option will also cause most of nmap's "stealth" scans to fail.

    xmas_scan
    Enable or disable the detection of TCP XMas scans.

    null_scan
    Enable or disable the detection of TCP null scans.

    get_ident
    Enable or disable fetching IDENT info for connections to local ports that are listening. This option is only available on Linux.

    dns_cache
    Enable or disable the use of a built-in DNS cache.

    syn_flood
    If this option is enabled, iplog will stop resolving IP addresses (until the flood ends) if a SYN flood is detected.

    ignore_dns
    If this option is enabled, DNS traffic from hosts listed in /etc/resolv.conf will be ignored.

    ping_flood
    Enable or disable detection of ICMP ping floods.

    scans_only
    Enable or disable detecting only scans and floods.

    traceroute
    Enable or disable detection of traceroute.

    udp_resolve
    Enable or disable looking up the host names for the source and destination hosts for UDP traffic.

    tcp_resolve
    Enable or disable looking up the host names for the source and destination hosts for TCP traffic.

    icmp_resolve
    Enable or disable looking up the host names for the source and destination hosts for ICMP traffic.

    disable_resolver
    When enabled, turns off host name lookups for all traffic, whatever the tcp_resolve, udp_resolve and icmp_resolve settings are.

     

    INTERFACE RULE SYNTAX

    The interface rule is used to define the interfaces on which iplog will listen.

    The rule format for the interface rule is:
    interface <if0,...,ifN>
    Where ifX is an interface name.

     

    PRIORITY RULE SYNTAX

    The priority rule is used to define the syslog(3) priority (or level) that iplog will use.

    The rule format for the priority rule is:
    priority <syslog_priority>
    See syslog(3) for a list of valid priority levels.

     

    FACILITY RULE SYNTAX

    The facility rule is used to define the syslog(3) facility that iplog will use.

    The rule format for the facility rule is:
    facility <syslog_facility>
    See syslog(3) for a list of valid syslog facilities.

     

    USER RULE SYNTAX

    The user rule is used to define which user iplog will run as.

    The user rule format is:
    user <UID|username>

     

    GROUP RULE SYNTAX

    The group rule is used to define which group iplog will run with.

    The group rule format is:
    group <GID|group>

     

    LOGFILE RULE SYNTAX

    The logfile rule is used to define a file to which iplog will log its output. iplog logs to exactly one destination: syslog, stdout, or a logfile.

    The logfile rule format is:
    logfile <path_to_logfile>

     

    PID-FILE RULE SYNTAX

    The pid-file rule is used to specify the location of iplog's pid file. The location defaults to /var/run/iplog.pid. The user that iplog runs as must have write access to the directory containing the specified file, so this rule is needed when iplog is set to run as a user that cannot write to /var/run. Point it at a directory writable only by that user and root, not at a world-writable directory such as /tmp.

    The pid-file rule format is:
    pid-file <path_to_pid-file>

     

    PROMISC RULE SYNTAX

    The promisc rule enables iplog to operate in promiscuous mode. In promiscuous mode, iplog examines traffic to all visible hosts on the local network.

    The rule format for the promisc rule is:
    promisc <network0,...,networkN>

     

    FILTER RULE SYNTAX

    The rule format for TCP and UDP filters is:
    <log|ignore> <tcp|udp>
    [from [!]<address>[/<mask>]]
    [sport [!]<port-start>[:[<port-end>]]]
    [to [!]<address>[/<mask>]]
    [dport [!]<port-start>[:[<port-end>]]]
    (All on one line)

    The rule format for ICMP filters is:
    <log|ignore> icmp
    [type [!]<type>]
    [from [!]<address>[/<mask>]]
    [to [!]<address>[/<mask>]]
    (All on one line)

     

    FILTER KEYWORDS

    The sense of a keyword can be inverted by prefixing its argument with a '!' character.

    log
    Log packets matching the rule. Either this or ignore must be the first keyword specified in a rule. The log and ignore keywords cannot be used in the same rule.

    ignore
    Ignore packets matching the rule. Either this or log must be the first keyword specified in a rule. The log and ignore keywords cannot be used in the same rule.

    tcp
    Specifies this rule should be applied to TCP traffic. Exactly one of the tcp, udp and icmp keywords must be used in each rule.

    udp
    Specifies this rule should be applied to UDP traffic. Exactly one of the tcp, udp and icmp keywords must be used in each rule.

    icmp
    Specifies this rule should be applied to ICMP traffic. Exactly one of the tcp, udp and icmp keywords must be used in each rule.

    from <Address parameter>
    The from keyword specifies the source address(es) the rule will match.

    to <Address parameter>
    The to keyword specifies the destination address(es) the rule will match.

    sport <Port parameter>
    The sport keyword specifies the source port(s) the rule will match. This keyword is applicable only to TCP and UDP rules.

    dport <Port parameter>
    The dport keyword specifies the destination port(s) the rule will match. This keyword is applicable only to TCP and UDP rules.

    type <Type parameter>
    The type keyword specifies an ICMP type. This keyword is applicable only to ICMP rules.

     

    FILTER PARAMETER SYNTAX

    An asterisk character ('*') may be used as a wildcard for any parameter.

    Address parameters
    The syntax for an address parameter is [!]<addr>[/<mask>]. The addr token specifies the address the rule will match; it may be given in dotted-quad notation or as a fully qualified domain name (FQDN). The optional mask token selects a range of addresses and may be given in dotted-quad notation, as a FQDN, or in CIDR notation (a prefix length). When a mask is present, addr is treated as a network address.

    Port parameters
    The syntax for a port parameter is [!]<port-start>[:[<port-end>]]. The port-start token specifies the port the rule will match and may be either a decimal number or a service name from services(5) (e.g. "telnet"). The optional port-end token defines a port range and may likewise be a decimal number or a service name; when it is present, port-start is the first port of the range. Suffixing port-start with ':' but omitting port-end sets port-end implicitly to 65535. In short, "port1:portN" matches all ports from port1 to portN inclusive, and "port1:" matches all ports from port1 to 65535 inclusive.

    Type parameters
    A type parameter is either an integer or one of the names below; a type that has no name can only be given as an integer. Any name may be prefixed with "ICMP_". Legal type parameters follow:
    
    
    NAME                          CODE
    ECHOREPLY                     0
    n/a                           1
    n/a                           2
    UNREACH                       3
    SOURCEQUENCH                  4
    REDIRECT                      5
    n/a                           6
    n/a                           7
    ECHO                          8
    ROUTERADVERT                  9
    ROUTERSOLICIT                 10
    TIMXCEED                      11
    PARAMPROB                     12
    TSTAMP                        13
    TSTAMPREPLY                   14
    IREQ                          15
    IREQREPLY                     16
    MASKREQ                       17
    MASKREPLY                     18
    
    

     

    GENERAL FILTER SYNTAX

    *
    Case is ignored everywhere except in service names (e.g. "telnet").

    *
    All parameters are optional except the action ("log" or "ignore") and the protocol ("tcp", "udp" or "icmp"). Exactly one of log and ignore, and exactly one of tcp, udp and icmp, must be specified for each rule.

    *
    The order in which rules are listed in the file is not significant with regard to "log" and "ignore": the entries are reordered so that all "log" rules precede all "ignore" rules. In effect a log rule takes precedence over an ignore rule that matches the same packet, wherever the two appear in the file, so the way to exempt some traffic from a broad ignore rule is to add a more specific log rule for it.
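    The filter grammar above (FILTER RULE SYNTAX, FILTER PARAMETER SYNTAX and the three points of this section) as a worked example: a small Python parser and matcher, added here and not part of iplog or of this man page. It pulls the filter rules out of a constructed iplog.conf, reorders them as iplog does (log rules ahead of ignore rules) and decides for sample packets whether they are logged or ignored, which makes the precedence point visible: a log rule written after a broad ignore rule still wins. Assumptions not taken from the page: addresses are dotted-quad only (FQDNs are not resolved), a packet that matches no rule is treated as logged, and the sample config and packets are constructed for the example.

```python
"""Parser and matcher for iplog.conf filter rules (added example, not iplog's own code).
Covers log/ignore, tcp|udp|icmp, from/to with /mask, sport/dport ranges, ICMP type, '!'
negation, '*' wildcard, '#' and C-style comments, and the reordering that puts every log
rule ahead of every ignore rule. Assumptions: dotted-quad addresses only (FQDNs are not
resolved) and a packet that matches no rule is logged."""
import ipaddress, re, socket

ICMP_TYPES = {"echoreply": 0, "unreach": 3, "sourcequench": 4, "redirect": 5, "echo": 8,
              "routeradvert": 9, "routersolicit": 10, "timxceed": 11, "paramprob": 12, "tstamp": 13,
              "tstampreply": 14, "ireq": 15, "ireqreply": 16, "maskreq": 17, "maskreply": 18}

def _split_neg(tok):
    """Strip a leading '!' and report whether the parameter is negated."""
    return (True, tok[1:]) if tok.startswith("!") else (False, tok)

def parse_address(tok):
    """[!]<addr>[/<mask>] -> (negated, ip_network); '*' gives None. Short forms such as
    127.1.2 are zero-padded, so 127.1.2/24 is 127.1.2.0/24; mask may be dotted or a prefix."""
    neg, tok = _split_neg(tok)
    if tok == "*":
        return neg, None
    addr, _, mask = tok.partition("/")
    addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
    return neg, ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)

def parse_port(tok, proto):
    """[!]<port-start>[:[<port-end>]] -> (negated, (lo, hi)); '*' gives None.
    Ports are decimal or service names from services(5); names stay case-sensitive."""
    neg, tok = _split_neg(tok)
    if tok == "*":
        return neg, None
    port = lambda t: int(t) if t.isdigit() else socket.getservbyname(t, proto)
    lo, sep, hi = tok.partition(":")
    lo = port(lo)
    return neg, (lo, port(hi) if hi else (65535 if sep else lo))  # "p:" means p..65535

def parse_type(tok):
    """[!]<type> as a number or a name, optional ICMP_ prefix, case-insensitive."""
    neg, tok = _split_neg(tok)
    if tok == "*":
        return neg, None
    name = tok.lower().removeprefix("icmp_")
    return neg, (int(name) if name.isdigit() else ICMP_TYPES[name])

def parse_rule(line):
    """Parse 'log|ignore tcp|udp|icmp [keyword value]...'; keywords are case-insensitive."""
    toks = line.split()
    if (len(toks) < 2 or len(toks) % 2 or toks[0].lower() not in ("log", "ignore")
            or toks[1].lower() not in ("tcp", "udp", "icmp")):
        raise ValueError(f"malformed filter rule: {line!r}")
    proto = toks[1].lower()
    rule = {"action": toks[0].lower(), "proto": proto,
            **{k: (False, None) for k in ("from", "to", "sport", "dport", "type")}}
    for key, val in zip(toks[2::2], toks[3::2]):
        key = key.lower()
        if key in ("from", "to"):
            rule[key] = parse_address(val)
        elif key in ("sport", "dport") and proto != "icmp":
            rule[key] = parse_port(val, proto)
        elif key == "type" and proto == "icmp":
            rule[key] = parse_type(val)
        else:
            raise ValueError(f"keyword {key!r} is not valid in a {proto} rule")
    return rule

def load_filters(text):
    """Filter rules of a config (other rule classes are skipped), reordered as iplog does."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)                        # C-style comments
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())      # '#' comments
    rules = [parse_rule(l) for l in lines if re.match(r"(?i)(log|ignore)\s", l)]
    return sorted(rules, key=lambda r: r["action"] == "ignore")              # stable: log first

def _hit(field, test):
    """Apply one parameter: a wildcard always matches, '!' inverts the outcome."""
    neg, spec = field
    return True if spec is None else test(spec) != neg

def matches(rule, pkt):
    """pkt keys: proto, src, dst, plus sport/dport (tcp, udp) or type (icmp)."""
    if rule["proto"] != pkt["proto"]:
        return False
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    ok = _hit(rule["from"], lambda n: src in n) and _hit(rule["to"], lambda n: dst in n)
    if rule["proto"] == "icmp":
        return ok and _hit(rule["type"], lambda t: pkt["type"] == t)
    return (ok and _hit(rule["sport"], lambda r: r[0] <= pkt["sport"] <= r[1])
            and _hit(rule["dport"], lambda r: r[0] <= pkt["dport"] <= r[1]))

def decide(rules, pkt):
    """First matching rule wins after reordering; unmatched packets are logged (assumption)."""
    return next((r["action"] for r in rules if matches(r, pkt)), "log")

# Constructed sample config, not from the man page: the SSH log rule is deliberately
# written after the broad ignore rule; the reordering still evaluates it first.
SAMPLE_CONF = """\
logfile /var/log/iplog
ignore tcp from 10.0.0.0/8              # drop the LAN's TCP noise ...
log tcp from 10.0.0.0/8 dport 22        # ... but always log SSH from it
ignore udp from 192.168.0.1 sport 53    /* our resolver's replies */
ignore icmp type !ECHO
ignore udp from 127.1.2/24
"""
```

    Calling decide(load_filters(SAMPLE_CONF), pkt) with a TCP packet from 10.1.2.3 to port 22 returns "log" even though the ignore rule for 10.0.0.0/8 comes first in the file, while the same packet to port 80 returns "ignore" and a packet from outside 10.0.0.0/8 falls through to the default. Service names such as "ftp-data" are resolved with socket.getservbyname and therefore need a services(5) file on the host; the constructed config uses numeric ports so that it runs anywhere.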

     

    EXAMPLES

    Run as user nobody.
    user nobody

    Run with group nogroup.
    group nogroup

    Log to /var/log/iplog
    logfile /var/log/iplog

    Use the syslog(3) facility log_daemon.
    facility log_daemon

    Use the syslog(3) priority (level) log_info.
    priority log_info

    Log the IP address as well as the hostname of packets.
    set log_ip true

    Do not log the destination of packets.
    set log_dest false

    Ignore DNS traffic from nameservers in /etc/resolv.conf.
    set ignore_dns

    Listen on eth0 and eth1
    interface eth0,eth1

    Ignore DNS traffic from nameservers.
    ignore udp from 192.168.0.1 sport 53
    ignore udp from 192.168.0.2 sport 53
    NOTE: the -d option of iplog adds similar rules for all nameservers listed in /etc/resolv.conf.

    Log connections with source port ftp-data (20) to ports 1045-1055, inclusive.
    log tcp dport 1045:1055 sport ftp-data

    Ignore ftp-data connections (source port 20) to ports 1024 and above.
    ignore tcp dport 1024: sport 20

    Ignore WWW connections.
    ignore tcp dport 80

    Ignore ICMP unreach.
    ignore icmp type unreach
    or
    ignore icmp type 3

    Ignore ICMP traffic with any type other than ECHO
    ignore icmp type !echo

    Ignore UDP traffic from the 127.1.2 network
    ignore udp from 127.1.2/24
    or
    ignore udp from 127.1.2/255.255.255.0

     

    AUTHOR

    Ryan McCabe <odin@numb.org>

     

    SEE ALSO

    iplog(8), syslog(3), services(5)


     



    OpenNET Project, created 1996-2024 by Maxim Chirkov