Double-Check with Routers



Conventional routers are the perfect network security auditing device. Take advantage of what they see.


Scripts: Simple Log Parsing
The following is a simple script you can use to parse router logs. The initial instructions copy the logs to a new location, so the originals remain intact for auditing purposes. The grep commands that follow look for potentially threatening traffic (e.g., an abnormally high number of TCP resets or attackers using ICMP) and stash them in a separate file for further analysis.
#!/bin/sh
# Work on a copy so the original log stays intact for auditing.
cp /var/log/messages.1 /root/logcheck/full_router.log
cd /root/logcheck
# TCP resets: an unusually high count can point to scanning or a failing service.
grep ' R ' full_router.log > resets.txt
# DNS over UDP and TCP (the dot is escaped so ".53" does not also match "1053", "2253", ...).
grep udp full_router.log | grep '\.53[: ]' > dns_udp.txt
grep tcp full_router.log | grep '\.53[: ]' > dns_tcp.txt
# New SMTP connections only (SYN flag set).
grep '\.25: ' full_router.log | grep ' S ' > smtp.txt
grep '\.22[: ]' full_router.log > internal_ssh.txt
grep '\.123: ' full_router.log > ntp.txt
grep '\.3307[: ]' full_router.log > op-session-proxy.txt
# ICMP unreachables: attackers probing with ICMP, or hosts being blocked.
grep unreachable full_router.log > icmp-unreachables.txt

Routers see everything that crosses your network. They direct the flow from LAN to LAN, and--with their access control lists (ACLs)--can regulate access to network segments. But, you're not getting the most out of your routers unless you're using them to help audit your security devices.

Router logs are a treasure trove of security intelligence that, with proper analysis, can help you be proactive and correct firewall configuration errors, tune IDSes and measure your network's security posture. The concept is simple: Compare what arrives at your enterprise's front door with what actually gets through.

Routers can locally store logs, but they have storage limits. The first step is to create a syslog server to collect external and internal router logs; the server can also consolidate logs from multiple routers for efficient reviews. From there, you can audit just about any device that generates logs, but we'll focus on firewalls and IDSes. First, though, let's see how you can use scripts to cut the job down to size.

Follow the Script
Dumping router logs into a readable text file is easy. Pulling logs from every border and internal router, then parsing them for meaningful, actionable intelligence isn't as simple.

Scripts can automate the retrieval of router logs and parse them on a regular schedule. These scripts should reflect your security policies--basically, what kinds of traffic shouldn't be allowed. Key types of external traffic to look for are RPC and SNMP queries and NetBIOS scans, none of which should legitimately be coming into your network. In the case of NetBIOS, closing TCP/UDP ports 135-139 and 445 can head off a potential attack foreshadowed by light probing.

The testing scripts can be written in any language and created at the same time as rule sets. However, scripts written in Perl around the simple grep command are quickly modifiable and easy to use. Grep is a powerful complement to a scripting language because it lets you quickly isolate important traffic. It would be almost impossible, for example, to see a DNS attack through 20,000 log entries; however, by parsing the data to show only the 30 lines associated with DNS, the attack becomes much easier to spot. (See "Simple Log Parsing".)
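The two audits described above, isolating suspicious traffic (the resets the script stashes in resets.txt) and comparing what arrives at the border with what the internal router still sees, as an added example in Python rather than the article's grep script. The log layout, the sample lines and the function names are assumptions; the lines are constructed, not real captures.

```python
import re
from collections import Counter

# Assumed line layout (tcpdump-style flows, which the article's ' S ' / ' R '
# and '.53[: ]' greps imply): "... SRC.SPORT > DST.DPORT: FLAGS"
FLOW_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ([A-Z.]+)"
)

# Ports the article says should never arrive from outside (NetBIOS / SMB).
NETBIOS_PORTS = {135, 136, 137, 138, 139, 445}

# Constructed sample logs: one from the border router, one from the internal
# router behind the firewall.
BORDER_LOG = """\
Mar  1 10:00:01 border kernel: 203.0.113.5.41000 > 192.0.2.10.139: S
Mar  1 10:00:02 border kernel: 203.0.113.5.41001 > 192.0.2.10.445: S
Mar  1 10:00:03 border kernel: 203.0.113.5.41002 > 192.0.2.10.53: S
Mar  1 10:00:04 border kernel: 198.51.100.7.5050 > 192.0.2.10.25: S
Mar  1 10:00:05 border kernel: 203.0.113.9.3000 > 192.0.2.10.22: R
Mar  1 10:00:06 border kernel: 203.0.113.9.3001 > 192.0.2.10.22: R
Mar  1 10:00:07 border kernel: 203.0.113.9.3002 > 192.0.2.10.22: R
"""
INTERNAL_LOG = """\
Mar  1 10:00:02 core kernel: 203.0.113.5.41001 > 192.0.2.10.445: S
Mar  1 10:00:03 core kernel: 203.0.113.5.41002 > 192.0.2.10.53: S
"""

def parse(line):
    """Return (src, sport, dst, dport, flags), or None for non-flow lines."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags

def flows(text):
    return {f for f in map(parse, text.splitlines()) if f}

def leaked_flows(border, internal, blocked=NETBIOS_PORTS):
    """Flows to blocked ports seen at the border AND again inside: the
    firewall should have dropped them, so each one is a rule to fix."""
    inside = flows(internal)
    return sorted(f for f in flows(border) if f[3] in blocked and f in inside)

def reset_sources(text, threshold=3):
    """Sources sending at least `threshold` TCP RSTs, i.e. the abnormally
    high reset count the article's resets.txt is meant to surface."""
    counts = Counter(f[0] for f in flows(text) if "R" in f[4])
    return {src: n for src, n in counts.items() if n >= threshold}
```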

This was first published in March 2005
