Log monitoring



  • is there a way that I can monitor a certain address using any log tool in pfsense? my ISP claims that my network is being used to attack a certain IP, but when I use the 'Status -> System logs' tool to search for the possible attack source, it only shows logs for the past six hours or so (2000 lines, the max config); I really needed a bigger report or a tool that I could use to monitor the traffic and mark the entries that match the addresses…

    any suggestion would be welcome!

    thanks



  • What if you place a pass rule to such an address with logging enabled? This will allow you to place a label and then grep the log for such a label. But I have no idea how to get a bigger log (/var/log/filter.log).



  • You may need to check "log" in pass rules and send pfsense logs to a syslog server.

    Also close external access to pfsense box and change password.

    If you think that your box has been owned, reinstall it.



  • first of all, thanks for the reply, guys!

    in fact, the pfsense box hasn't been taken, but one of my internal client boxes is probably infected with some virus and being used to attack some machine a world away;

    I think I will try to make a pass rule with that address, log it and hope it happens again.

    thanks again.



  • ok guys, I've found the attacked IP on my logs, but it didn't tell me which internal IP originated the connection:

    Oct 27 09:48:21 WAN2 74.208.164.166:80 172.16.2.2:45072 TCP:RA

    how can I trace this connection to my lan client?

    thanks
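
The log line quoted above gives both endpoints of the connection; the following is an added example (not posted in this thread) that parses lines in that same summary format and tallies which private-range LAN host sits on the other end of every entry involving the attacked IP, whichever direction the packet was logged in. The sample log lines below are constructed, and the 203.0.113.5 address is a documentation placeholder.

```python
import re
import ipaddress
from collections import Counter

# Summary format as shown in the thread:
# "Oct 27 09:48:21 WAN2 74.208.164.166:80 172.16.2.2:45072 TCP:RA"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\S+)$"
)


def parse_line(line):
    """Return the fields of one summary log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def lan_peers(lines, target_ip):
    """Count private-range hosts seen on the other end of any packet
    involving target_ip, regardless of which side was source or destination."""
    target = ipaddress.ip_address(target_ip)
    peers = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip lines in another format
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if target == src:
            other = dst
        elif target == dst:
            other = src
        else:
            continue
        if other.is_private:     # RFC 1918 side is the LAN client
            peers[str(other)] += 1
    return peers


# Constructed sample: the thread's line plus a few made-up follow-ups.
SAMPLE_LOG = """\
Oct 27 09:48:21 WAN2 74.208.164.166:80 172.16.2.2:45072 TCP:RA
Oct 27 09:48:22 LAN 172.16.2.2:45073 74.208.164.166:80 TCP:S
Oct 27 09:48:22 LAN 172.16.2.9:51000 74.208.164.166:80 TCP:S
Oct 27 09:48:25 LAN 172.16.2.2:45074 74.208.164.166:80 TCP:S
Oct 27 09:48:30 WAN2 203.0.113.5:443 172.16.2.3:40000 TCP:RA
not a log line
"""

if __name__ == "__main__":
    for host, n in lan_peers(SAMPLE_LOG.splitlines(), "74.208.164.166").most_common():
        print(f"{host}: {n} entries")
```

Feed it the exported system log (or the lines shipped to a syslog server) instead of the constructed sample to get the per-client tally for a real address.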



  • can you see the mac address for that from the arp table?
    After that you can follow the switches where that mac resides (if you have managed switches)



  • no I can't see its mac from the arp table. Is there any software in the repository that I can install and that may give more info about firewall logs? thanks!



  • Combine the info with a deeper packet analyser like snort.


  • Rebel Alliance Global Moderator

    I would put a pass or even deny rule on your lan side to that IP in question and log it, and send your logs to syslog server so you have full logs.

    This way you should see the local lan IP that is sending traffic to the outside public IP.



  • thanks Marcelo and John; actually I've installed squid in order to have these lan logs and have found some log entries that correlate that IP with an internal IP; but both your ideas are interesting and I think I must implement both!

    thanks again



  • @srs:

    no I can't see its mac from the arp table. Is there any software in the repository that I can install and that may give more info about firewall logs? thanks!

    Just for record: an arp inverse lookup should do the trick!
    The command should be

    arp -a IP-address
    
