ulogd homepage: http://www.gnumonks.org/projects/
-
Installation
$ sudo apt-get install ulogd
$ sudo apt-get install ulogd-mysql
-
Configure LOGEMU
In /etc/ulogd.conf, make sure the LOGEMU output plugin is loaded; it writes the syslog-style lines shown under Testing below:
plugin="/usr/lib/ulogd/ulogd_LOGEMU.so"
-
Configure MYSQL
$ sudo vim /etc/ulogd.conf
Load the MYSQL output plugin and point its [MYSQL] section at the database created in the next step:
plugin="/usr/lib/ulogd/ulogd_MYSQL.so"

[MYSQL]
table="ulog"
pass="ulog"
user="ulog"
db="ulogd"
host="localhost"
The database password is stored in /etc/ulogd.conf in cleartext, so keep the file readable by root only, and replace the placeholder "ulog" with a real password.
Create the database, grant the ulog user access, and load the table schema shipped with ulogd-mysql. Two things to check when repeating this: the client below was opened against the mysql database, so select the new one with `use ulogd;` before running `source`, or the ulog table may land in the wrong database; and ALL PRIVILEGES is broader than ulogd needs, since the daemon only inserts rows and reads the table's column list.
neo@master:~$ mysql -u root -p -A mysql
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.0.51a-3ubuntu5.1-log (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database ulogd;
Query OK, 1 row affected (0.07 sec)

mysql> grant all privileges on ulogd.* to ulog@localhost identified by 'ulog';
Query OK, 0 rows affected (0.09 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.02 sec)

mysql> source /usr/share/doc/ulogd-mysql/mysql.table
Query OK, 0 rows affected (0.05 sec)

mysql> exit;
Bye
neo@master:~$
-
Iptables
Send the packets you want logged to the ULOG target:
iptables -A INPUT -p tcp --dport 80 -j ULOG
iptables -A FORWARD -j ULOG
The second rule has no match and therefore logs every forwarded packet; on a busy gateway narrow it with a match, or reduce the cost with the --ulog-cprange and --ulog-qthreshold options described below.
-
Starting
$ sudo /etc/init.d/ulogd start
-
Testing
LOGEMU
neo@master:~$ tail -f /var/log/ulog/syslogemu.log
Oct 20 12:54:07 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30048 DF PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952440 WINDOW=64608 ACK URGP=0
Oct 20 12:54:22 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30294 DF PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952441 WINDOW=64608 ACK URGP=0
Oct 20 12:54:32 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30481 DF PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952441 WINDOW=64608 ACK FIN URGP=0
Oct 20 12:55:27 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=192.168.245.1 DST=192.168.245.129 LEN=48 TOS=00 PREC=0x00 TTL=128 ID=31444 DF PROTO=TCP SPT=2087 DPT=80 SEQ=866215326 ACK=0 WINDOW=65535 SYN URGP=0
MYSQL
mysql> select count(*) from ulog;
+----------+
| count(*) |
+----------+
|        8 |
+----------+
1 row in set (0.03 sec)

mysql> select id, raw_mac from ulog;
+----+-------------------------------------------+
| id | raw_mac                                   |
+----+-------------------------------------------+
|  1 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  2 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  3 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  4 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  5 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  6 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  7 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  8 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
|  9 | 00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 |
+----+-------------------------------------------+
9 rows in set (0.00 sec)
The second query returns one row more than the first count because another packet was logged between the two queries.
The ULOG target takes four options:
1. --ulog-nlgroup
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-nlgroup 2
Selects the netlink multicast group the packets are sent to, e.g. --ulog-nlgroup 2. There are 32 groups, numbered 1 to 32; the default is 1. ulogd only receives packets from the group it is configured to listen on, so a rule using a group other than 1 needs a matching nlgroup setting in /etc/ulogd.conf.
2. --ulog-prefix
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-prefix "SSH connection attempt: "
Sets a prefix for the logged message so that records from different rules can be told apart. It works like the prefix of the LOG target, except that it may be up to 32 characters long.
3. --ulog-cprange
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-cprange 100
Sets how many bytes of each packet are copied to the userspace ULOG agent. --ulog-cprange 100 copies the first 100 bytes, which covers the headers and the beginning of the payload. The default is 0, meaning the whole packet is copied regardless of its size.
4. --ulog-qthreshold
iptables -A INPUT -p TCP --dport 22 -j ULOG --ulog-qthreshold 10
Sets how many packets the kernel queues before handing them to userspace for logging. --ulog-qthreshold 10 accumulates 10 packets in the kernel and then sends them together as a single netlink message made up of several parts.
The default is 1, kept for backward compatibility because older userspace versions could not handle multipart messages.
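As an added example, not taken from the original page or from the ulogd project, the shell script below parses LOGEMU lines in the syslogemu.log format shown under Testing and turns them into something a defender can act on: pure SYN packets (SYN set, ACK flag absent, i.e. new connection attempts) counted per source address, and a list of sources whose SYNs reached several distinct destination ports, a coarse port-scan heuristic. The sample lines are constructed and modelled on the output above; the one line carrying "SSH connection attempt:" assumes that --ulog-prefix text is rendered between the hostname and IN=, which this page does not show. The parser matches key=value tokens by name, so any prefix that does not itself contain the bare words SYN or ACK is skipped harmlessly.

```shell
#!/bin/sh
# Added example, not part of the original page or of ulogd itself:
# summarise ulogd LOGEMU output (the syslogemu.log format shown above).

# Constructed sample lines modelled on the output above. The DPT=22 line
# carries a --ulog-prefix; its position before IN= is an assumption.
SAMPLE_LOG='Oct 20 12:54:07 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=192.168.245.1 DST=192.168.245.129 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=30048 DF PROTO=TCP SPT=2080 DPT=80 SEQ=1732529774 ACK=1543952440 WINDOW=64608 ACK URGP=0
Oct 20 12:55:27 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=192.168.245.1 DST=192.168.245.129 LEN=48 TOS=00 PREC=0x00 TTL=128 ID=31444 DF PROTO=TCP SPT=2087 DPT=80 SEQ=866215326 ACK=0 WINDOW=65535 SYN URGP=0
Oct 20 12:56:01 master SSH connection attempt: IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=192.168.245.129 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=4001 DF PROTO=TCP SPT=40001 DPT=22 SEQ=1 ACK=0 WINDOW=29200 SYN URGP=0
Oct 20 12:56:01 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=192.168.245.129 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=4002 DF PROTO=TCP SPT=40002 DPT=23 SEQ=1 ACK=0 WINDOW=29200 SYN URGP=0
Oct 20 12:56:02 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=192.168.245.129 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=4003 DF PROTO=TCP SPT=40003 DPT=25 SEQ=1 ACK=0 WINDOW=29200 SYN URGP=0
Oct 20 12:56:02 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=10.0.0.5 DST=192.168.245.129 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=4004 DF PROTO=TCP SPT=40004 DPT=443 SEQ=1 ACK=0 WINDOW=29200 SYN URGP=0
Oct 20 12:57:10 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=172.16.0.9 DST=192.168.245.129 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=5001 DF PROTO=TCP SPT=51000 DPT=80 SEQ=1 ACK=0 WINDOW=29200 SYN URGP=0
Oct 20 12:57:11 master IN=eth0 OUT= MAC=00:0c:29:b0:6b:d0:00:50:56:c0:00:08:08:00 SRC=172.16.0.9 DST=192.168.245.129 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=5002 DF PROTO=TCP SPT=51001 DPT=80 SEQ=1 ACK=0 WINDOW=29200 SYN URGP=0'

# Reduce each LOGEMU line to "SRC DPT KIND", where KIND is syn (SYN set, ACK
# flag absent: a new connection attempt), synack, or other. Tokens are matched
# by name, so a --ulog-prefix in front of IN= is skipped; a prefix containing
# the bare word SYN or ACK would be misread as a flag, so avoid such prefixes.
ulog_tcp_events() {
    awk '
    {
        src = ""; dpt = ""; proto = ""; syn = 0; ack = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i == "SYN")    syn = 1
            else if ($i == "ACK")    ack = 1   # bare flag, not the ACK=<seq> token
        }
        if (proto != "TCP" || src == "" || dpt == "") next
        if (syn && !ack)     kind = "syn"
        else if (syn && ack) kind = "synack"
        else                 kind = "other"
        print src, dpt, kind
    }'
}

# Connection attempts (pure SYN) per source address, busiest first.
ulog_syn_by_src() {
    ulog_tcp_events |
        awk '$3 == "syn" { n[$1]++ } END { for (s in n) print n[s], s }' |
        sort -rn
}

# Sources whose SYNs reached at least $1 (default 3) distinct destination
# ports: a coarse port-scan heuristic.
ulog_scan_sources() {
    ulog_tcp_events |
        awk -v min="${1:-3}" '
            $3 == "syn" && !seen[$1, $2]++ { ports[$1]++ }
            END { for (s in ports) if (ports[s] >= min) print ports[s], s }' |
        sort -rn
}

# Stand-alone run over the constructed sample. On a real host replace the
# printf with: tail -n 10000 /var/log/ulog/syslogemu.log | ulog_syn_by_src
printf '%s\n' "$SAMPLE_LOG" | ulog_syn_by_src
printf '%s\n' "$SAMPLE_LOG" | ulog_scan_sources 3
```

The first (ACK-only) sample line is an established connection and is deliberately excluded from the attempt counts; the scan heuristic flags only 10.0.0.5, which probed ports 22, 23, 25 and 443, and not 172.16.0.9, which sent two SYNs to the same port. Raising the threshold or keying on DST as well is a one-line change in the awk program.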
Source: Netkiller series handbook
Author: 陈景峯
Please contact the author before reproducing this article, and always credit the original source, the author information and this notice.