Thursday, March 15, 2007

Daemonlogger: let's log

Marty (of Snort) has written a packet logger/soft tap called daemonlogger, which you can download here -

http://www.snort.org/dl/daemonlogger/daemonlogger-0.7.tar.gz

I hadn't looked into it until I talked to him today, so I just downloaded and installed it with these pretty straightforward steps -

shell>./configure --prefix=/usr/local/stow/daemonlogger-0.7

shell>make && make install

shell>cd /usr/local/stow

shell>stow daemonlogger-0.7

Checking daemonlogger version -

shell>daemonlogger -v

-*> DaemonLogger <*- Version 0.7 By Martin Roesch (C) Copyright 2006-2007 Sourcefire Inc., All rights reserved

shell>daemonlogger -h

USAGE: daemonlogger [-options]
-c Log packets and exit
-d Daemonize at startup
-f Load BPF filter from
-h Show this usage statement
-i Grab packets from interface
-l Log to directory
-m Generate log files and quit
-n Set output filename prefix to
-o Disable logging, retransmit data from to
-p Use (path and filename)
-s Rollover the log file every
-t Rollover the log file every
-v Show daemonlogger version

shell>daemonlogger -i rl1 -o vr0 -p /nsm/daemonlogger-rl1.pid -d
[-] Interface set to rl1
[-] Tap output interface set to vr0
[-] Pidfile configured to "/nsm/daemonlogger-rl1.pid"
[-] Daemon mode set

-*> DaemonLogger <*- Version 0.7 By Martin Roesch (C) Copyright 2006-2007 Sourcefire Inc., All rights reserved

trinity:/nsm# tcpdump -i vr0
tcpdump: WARNING: vr0: no IPv4 address assigned
tcpdump: listening on vr0, link-type EN10MB
17:44:22.340032 pr-in-f19.google.com.www > 192.168.0.155.2660: P 4107897218:4107897246(28) ack 3442614823 win 7200
17:44:22.340042 192.168.0.155.2660 > pr-in-f19.google.com.www: . ack 28 win 7504 (DF)
17:44:25.340047 192.168.0.155.4024 > pr-in-f19.google.com.www: . 4081159920:4081161360(1440) ack 3322996791 win 44330 (DF)
17:44:25.340062 192.168.0.155.4024 > pr-in-f19.google.com.www: P 1440:1766(326) ack 1 win 44330 (DF)
17:44:25.340073 192.168.0.155.1617 > zelazny.freenode.net.6667: P 1979289541:1979289553(12) ack 1468261941 win 16022 (DF)

Daemonlogger also supports pcap file rollover based on size and time, which is pretty useful because it avoids writing external support scripts for it. I like this feature since it is similar to what I have used in tethereal.

You can also deploy a setup similar to the one Richard built using PF, which is described here and in his Extrusion Detection book -

http://taosecurity.blogspot.com/2005/07/distributed-traffic-collection-with-pf.html

Just build a router box with 4 network interfaces (sk0-sk3) -

Router
External Interface(sk0) - Internet Facing
Internal Interface(sk1) - Internal Network

Soft tap
sk2 - Only watches port 80 traffic
sk3 - Monitors everything except port 80

Writing simple BPF filters to files -

shell>echo 'port 80' > sensor-sk2.fil

shell>echo '! port 80' > sensor-sk3.fil


Running daemonlogger in soft tap mode -

shell>daemonlogger -f sensor-sk2.fil -i sk0 -o sk2 -d

shell>daemonlogger -f sensor-sk3.fil -i sk0 -o sk3 -d

All port 80 traffic will be retransmitted to the sk2 interface and the rest to the sk3 interface. It is that simple to build distributed sensor/traffic collectors with daemonlogger.
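As an added illustration (not part of the post and not daemonlogger's own code), here is a small Python script that parses the tcpdump lines shown earlier and applies the two filter expressions from the filter files to them. It uses a hand-written parser for a small subset of BPF syntax ([src|dst] port, not/!, and, or, parentheses), which is a simplification and not libpcap's compiler. It then checks whether a set of tap filters actually partitions the traffic, i.e. every packet reaches exactly one tap, none are dropped and none are duplicated. The second tap set in the demo is a constructed example of a split that leaves a gap.

```python
import re
from dataclasses import dataclass

# Service names tcpdump prints instead of port numbers ("www" is the one in the post).
SERVICES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}

@dataclass(frozen=True)
class Packet:
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int

_LINE_RE = re.compile(r"^\S+\s+(\S+)\s+>\s+(\S+):")  # "<ts> <src.port> > <dst.port>: ..."

def _endpoint(token):
    host, _, port = token.rpartition(".")
    return host, (int(port) if port.isdigit() else SERVICES[port])

def parse_tcpdump_line(line):
    """Extract the two TCP endpoints from one line of tcpdump output."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    return Packet(*_endpoint(m.group(1)), *_endpoint(m.group(2)))

class _BpfParser:
    """Recursive-descent parser for a BPF subset: [src|dst] port N, not/!, and, or, ( )."""
    def __init__(self, expr):
        self.toks, self.i = re.findall(r"\(|\)|!|\w+", expr), 0
    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def _take(self):
        self.i += 1
        return self.toks[self.i - 1] if self.i <= len(self.toks) else None
    def parse(self):
        f = self._or()
        if self._peek() is not None:
            raise ValueError(f"trailing token {self._peek()!r}")
        return f
    def _or(self):
        left = self._and()
        while self._peek() == "or":
            self._take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self._and())
        return left
    def _and(self):
        left = self._not()
        while self._peek() == "and":
            self._take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self._not())
        return left
    def _not(self):
        if self._peek() in ("not", "!"):
            self._take()
            return (lambda f: lambda p: not f(p))(self._not())
        return self._primary()
    def _primary(self):
        tok = self._take()
        if tok == "(":
            f = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return f
        direction = None
        if tok in ("src", "dst"):
            direction, tok = tok, self._take()
        arg = self._take() if tok == "port" else None
        if arg is None:
            raise ValueError(f"unsupported or incomplete primitive near {tok!r}")
        port = int(arg) if arg.isdigit() else SERVICES.get(arg)
        if port is None:
            raise ValueError(f"unknown port {arg!r}")
        if direction == "src":
            return lambda p: p.src_port == port
        if direction == "dst":
            return lambda p: p.dst_port == port
        return lambda p: port in (p.src_port, p.dst_port)  # plain "port" matches either end

def compile_filter(expr):
    return _BpfParser(expr).parse()

def assign_taps(taps, packets):
    """Return (packet indices seen per tap, uncovered indices, duplicated indices)."""
    compiled = {name: compile_filter(expr) for name, expr in taps.items()}
    seen = {name: [] for name in taps}
    uncovered, duplicated = [], []
    for idx, pkt in enumerate(packets):
        hits = [name for name, match in compiled.items() if match(pkt)]
        for name in hits:
            seen[name].append(idx)
        if not hits:
            uncovered.append(idx)
        elif len(hits) > 1:
            duplicated.append(idx)
    return seen, uncovered, duplicated

# Sample traffic: the five lines of tcpdump output shown earlier in the post.
SAMPLE_LINES = [
    "17:44:22.340032 pr-in-f19.google.com.www > 192.168.0.155.2660: P 4107897218:4107897246(28) ack 3442614823 win 7200",
    "17:44:22.340042 192.168.0.155.2660 > pr-in-f19.google.com.www: . ack 28 win 7504 (DF)",
    "17:44:25.340047 192.168.0.155.4024 > pr-in-f19.google.com.www: . 4081159920:4081161360(1440) ack 3322996791 win 44330 (DF)",
    "17:44:25.340062 192.168.0.155.4024 > pr-in-f19.google.com.www: P 1440:1766(326) ack 1 win 44330 (DF)",
    "17:44:25.340073 192.168.0.155.1617 > zelazny.freenode.net.6667: P 1979289541:1979289553(12) ack 1468261941 win 16022 (DF)",
]
PACKETS = [parse_tcpdump_line(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for taps in ({"sk2": "port 80", "sk3": "! port 80"},   # the post's complementary split
                 {"sk2": "port 80", "sk3": "port 443"}):   # constructed split that leaves a gap
        seen, uncovered, duplicated = assign_taps(taps, PACKETS)
        print(taps, "->", seen, "uncovered:", uncovered, "duplicated:", duplicated)
```

Running this shows the post's pair of filters sending the four HTTP packets to sk2 and the IRC packet to sk3 with nothing lost or duplicated, while the second pair leaves the IRC packet unseen by any tap. Before changing the filter files on a real sensor, the same sanity check can be done with the real compiler by replaying a short capture through tcpdump with each expression and comparing the counts.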

Done.

Quoting Richard's words -
One would have hoped the Pf dup-to function could send traffic to directly connected interfaces without the involvement of any IP addresses. Unfortunately, my testing revealed that assigning IP addresses to interfaces on both sides of the link is required.

The answer is daemonlogger, have fun!

Enjoy
(;])

4 comments:

Anonymous said...

Hi!
link in post : http://taosecurity.blogspot.com/2005/07/distributed-traffic-collection-with-pf.html - Page Not Found

C.S.Lee said...

anonymous,

Thanks for the notification, it works now.

Anonymous said...

Nice work!!! Daemonlogger..... I will test it later....

Anonymous said...

Very interesting!