Worms and Logs

From: Vince Hillier (vince@vince.lansystems.com)
Date: 10/03/01

Subject: Worms and Logs
From: Vince Hillier <vince@vince.lansystems.com>
To: security-basics@securityfocus.com
Date: 03 Oct 2001 11:38:38 -0500
Message-Id: <1002127118.16708.18.camel@big>

  Hello, many of you, like myself, are probably just about sick of all
the noise that has been happening in our logs lately, making routine
audits take a lot longer than they should, filling hard disks rather
quickly, and just being a big annoyance.

  Anyway, I currently am running the 2.2.x series of the Linux
kernel, which prevents me from running IPTables and filtering these
requests with the string option (Oh I want it bad :P). What is
preventing me from upgrading to the Linux 2.4 series with IPTables is
the lack of kernel patches for security, like the openwall kernel
patches. They make my life a lot easier, and keep users happy at the
same time!

  I am only aware of 1 patch that exists for the 2.4 series, and that is
one by the name of grsecurity. Has anyone had any experience with
grsecurity? Any feedback? positive/negative? I would really like to
stick with openwall, but they said there would be no support for the 2.4
series until 2.4.10, that is here now and I just checked their site and
it says there will be no support for the 2.4 series until at least
2.4.15. So I'm not sure on the status of their patches.

  Anyhow, my main reason for writing this is to ask you what methods
you have deployed to keep your logs from getting filled with garbage like
Nimda. I am logging 16 hits per host, at a nasty rate, causing Apache and
my IDS to go nuts. At one point I just shut the webserver off; it
doesn't have anything of much importance on it, but it does serve as a
reference/journal for me, which I think is rather important. Before you
say just block port 80 from the world and allow specific hosts access,
this is not possible as there are some outside people who frequent the
site from various mobile locations... it would be very hard to get all
their IP addresses (most of which are dynamic) and allow just that
traffic. Plus a new visitor is always good ;)

  Some of the methods I have considered/deployed are routing all
offending traffic to, this is done by taking the IP addresses
from the apache/IDS logs then adding them to the routing table with as the gateway - at first this was very effective, when Nimda
was in its prime, there were literally tonnes of repeat offenders, now
it is just unique hosts for the most part. I have also considered
deploying the squid proxy to block out offending requests before they hit
the webserver. That would cut a lot of the noise in the Apache logs - at
least. And of course I've debated on upgrading to 2.4, but haven't due
to reasons stated above.

- Vince
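The log-driven null-routing Vince describes (pull offender IPs out of the Apache log, push them into the routing table, and keep the audit log readable) as an added example that is not part of the original post. The worm request patterns, the constructed log lines and the `reject` route form are my assumptions; the gateway address in the post is missing from the archive, so the example uses Linux net-tools reject routes instead.

```python
import re
from collections import Counter

# Constructed Apache common-log sample (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2001:11:40:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [03/Oct/2001:11:40:01 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [03/Oct/2001:11:40:02 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [03/Oct/2001:11:40:02 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.44 - - [03/Oct/2001:11:41:10 -0500] "GET /index.html HTTP/1.0" 200 1024
192.0.2.44 - - [03/Oct/2001:11:41:12 -0500] "GET /journal/2001-10.html HTTP/1.0" 200 5120
198.51.100.9 - - [03/Oct/2001:11:42:00 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 210
"""

# Common log format: client ip, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Request paths characteristic of the IIS worms (Nimda, Code Red) flooding the logs;
# assumed signatures, tune them to what your own IDS flags.
WORM_RE = re.compile(r'(root\.exe|cmd\.exe|default\.ida|%255c|%c0%af|%c1%1c)', re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(log_text, min_hits=1):
    """Return (offenders, clean): offenders maps ip -> worm-style hit count, clean is every other ip."""
    worm_hits = Counter()
    seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip malformed lines rather than crash mid-audit
        seen.add(rec["ip"])
        if WORM_RE.search(rec["path"]):
            worm_hits[rec["ip"]] += 1
    offenders = {ip: n for ip, n in worm_hits.items() if n >= min_hits}
    clean = sorted(seen - set(offenders))
    return offenders, clean

def null_route_commands(offenders):
    """Build the per-host routing-table entries (reject routes, net-tools syntax) for each offender."""
    return ["route add -host %s reject" % ip for ip in sorted(offenders)]

def filtered_log(log_text):
    """Drop the worm noise so a routine audit only sees the legitimate requests."""
    kept = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and not WORM_RE.search(rec["path"]):
            kept.append(line)
    return kept
```

Raising `min_hits` keeps a single stray probe from black-holing a host that later turns out to be a real visitor on a dynamic address.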

    ... what others are doing in regards to spyware assessments and if anyone ... larger sampling of hosts on a network during these assessments. ... Audit logs of the systems themselves ... Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. ...