Description:

Continuing the previous articles[1][2], which covered analyzing Email and DNS streams, today I want to share a solution intended for network monitoring. It records every IP address that tried to connect to the host, at most once a day, and stores the data about these connections in Elasticsearch.

Example:


Diagram

Configurations:


rsyslog:

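# Renders one kernel iptables LOG line as a JSON document for the "iptables" index.
# option.json="on" makes rsyslog JSON-escape every property value, so nothing
# extracted from $msg below can break out of its field or the document.
# (The regex literals were wrapped across lines in the original listing, which
# rsyslog would not parse; they are one line each here.)
template(name="iptables" type="list" option.json="on") {
  constant(value="{")
  constant(value="\"timestamp\":\"")    property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"host\":\"")      property(name="hostname")
  # First interface-like token in the message (e.g. eth0.2); empty if nothing matches.
  constant(value="\",\"interface\":\"") property(name="msg" regex.type="ERE" regex.match="0" regex.nomatchmode="BLANK" regex.expression="([a-z]{2}[a-z]*[0-9]\\/*[0-9]*\\/*[0-9]*)((\\.[0-9]*)?)")
  # PROTO=<name>: submatch 2 keeps only the protocol name.
  constant(value="\",\"proto\":\"")     property(name="msg" regex.type="ERE" regex.match="0" regex.submatch="2" regex.nomatchmode="BLANK" regex.expression="(PROTO=)([A-Z]*)" )
  # First dotted-quad in the message (regex.match="0"); presumably the SRC= address,
  # given the order of the kernel LOG line -- verify against a real line. Only IPv4
  # is matched; ip6tables lines would leave src/dst blank.
  constant(value="\",\"src\":\"")       property(name="msg" regex.type="ERE" regex.match="0" regex.nomatchmode="BLANK" regex.expression="[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" )
  # SPT=<port>: submatch 2 keeps the port number only.
  constant(value="\",\"src_port\":\"")  property(name="msg" regex.type="ERE" regex.match="0" regex.submatch="2" regex.nomatchmode="BLANK" regex.expression="(SPT=)([0-9]*)" )
  # Second dotted-quad (regex.match="1"), i.e. the DST= address on a LOG line.
  constant(value="\",\"dst\":\"")       property(name="msg" regex.type="ERE" regex.match="1" regex.nomatchmode="BLANK" regex.expression="[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}" )
  # DPT=<port>: submatch 2 keeps the port number only.
  constant(value="\",\"dst_port\":\"")  property(name="msg" regex.type="ERE" regex.match="0" regex.submatch="2" regex.nomatchmode="BLANK" regex.expression="(DPT=)([0-9]*)" )
  constant(value="\"}")
}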

# Ships each event rendered by the "iptables" template to Elasticsearch.
# Plain HTTP to port 9200 with no credentials is configured here; if the
# Elasticsearch endpoint is not on a trusted network, omelasticsearch's
# usehttps / uid / pwd parameters are worth considering.
# NOTE(review): searchType sets a custom mapping type; mapping types were
# removed in Elasticsearch 7, so on such a cluster this would need to be
# "_doc" or omitted -- confirm the cluster version.
# The pure disk queue (up to 500000 messages / 5g of files named "iptables",
# saved on shutdown) and the unlimited retry count keep events across an
# Elasticsearch outage or an rsyslog restart instead of discarding them.
ruleset(name="iptables") {
  action(type="omelasticsearch"
    server="elastic.livelace.ru"
    serverport="9200"
    template="iptables"
    searchIndex="iptables"
    searchType="events"
    queue.type="disk"
    queue.size="500000"
    queue.filename="iptables"
    queue.maxdiskspace="5g"
    queue.saveonshutdown="on"
    action.resumeretrycount="-1"
  )
}

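# Route by source: passivedns output and the kernel iptables tracking lines get
# their own rulesets; everything else falls through to the general "syslog"
# ruleset, which is defined elsewhere in the configuration.
if $programname == "passivedns" and $msg contains 'IN' then {
  *.* call passivedns
# The log prefix alone is not tied to the kernel: any local process that can
# write to syslog could emit a message containing it and have it indexed as a
# connection event. The LOG target emits with the kern facility, so gate on it.
} else if $syslogfacility-text == "kern" and $msg contains 'iptables_tracking:' then {
  *.* call iptables
} else {
  *.* call syslog
}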


iptables:

# Chain that records a "new" source address: log the packet (LOG is
# non-terminating, so the packet continues to the next rule) and then add
# the address to the xt_recent list "tracking" with the current timestamp.
# Note that -N fails if the chain already exists, so these lines are not
# safe to re-run as-is.
iptables -N TRACKING
iptables -A TRACKING -j LOG --log-prefix "iptables_tracking: "
iptables -A TRACKING -m recent --name tracking --set

# Inbound packets on eth0.2 whose source is NOT present in "tracking" with a
# hit within the last 86400 s (one day) are sent to TRACKING; --reap removes
# stale entries as a side effect. --rcheck does not refresh the timestamp and
# --set only runs for sources that failed the check, so each source is logged
# at most once per day however often it connects.
# There is no rate limit on the LOG target: a burst of many distinct source
# addresses yields one log line and one list entry each, bounded only by the
# xt_recent ip_list_tot module option (module default is 100 entries).
iptables -I INPUT -i eth0.2  -m recent --name tracking ! --rcheck --seconds 86400 --reap -j TRACKING


xt_recent:

root@localhost:~# cat /etc/modprobe.d/iptables.conf
# The "tracking" list must hold every distinct source seen within 24 h, so
# ip_list_tot raises the per-list entry cap from the module default of 100 to
# 3000000 (when a list is full the module presumably evicts the least recently
# seen entry silently -- confirm for the kernel in use). ip_list_hash_size=0
# lets the module derive the hash table size from ip_list_tot. These options
# only take effect when xt_recent is (re)loaded.
options xt_recent ip_list_tot=3000000 ip_list_hash_size=0