Hi, imagine I just want to find out which IP addresses are using trying to hit my server network on port 80.
If my syslog server is limited in storage, I am wondering whether I could just log the first packet from a given source and target IP address. Then once I learn what IP address that is, there is no need for me to log that event again showing the same IP.
Is that action possible?
I attempted to use the command in red below, but I read the document and tested and that is not what I am looking for.
R2#
ip access-list extended WATCH_PROTOCOL permit tcp any any eq www log permit ip any any ip access-list log-update threshold 10 logging history size 500 logging 192.168.1.2 ! line con 0 line aux 0 line vty 0 4 ! ! end
If your requirement is to determine which hosts are contacting your server on port 80, there are a couple of ways to tackle it. Since http is tcp based, you could write an ACL that would only match packets with the TCP SYN flag (0x2) set. This would only log the first packet, but would log it for every subsequent connection from every source to every destination on the server segment.
A more elegant approach may be to use NetFlow to capture metadata about this traffic and use some of the reporting tools to pull out the information you need. Take another look at the links below:
Thank you. I forgot to mention that I also need to verify port 3389 (Microsoft RDP thing) and telnet.
So according to your suggestion, http syn = 0x2.
Does the ACL to verify first HTTP hit should look like the below?
I'd appreciate if you can point me to the syn code to do the same with 3389 and telnet. I guess it would take me few days to master Netflow and there is a time constraint at this time so I need to keep this as simple as possible for now.
R1(config-ext-nacl)#permit tcp any any syn eq 0x2 R1#show access-list Extended IP access list WATCH_PROTOCOL permit tcp any any eq 2 syn R1#
Update:I tried the syn = 0x2 ACL as shown above and in my test, if I hit the ACL multiple times from a given client, I continue to log multiple instances.
If you absolutely must use an ACL for http(tcp/80),telnet(tcp/23),rdp(tcp/3389, it would be written as follows:
access-list 100 permit tcp any any eq www syn log access-list 100 permit tcp any any eq telnet syn log access-list 100 permit tcp any any eq 3389 syn log
If you apply this outbound on the routed interface of your server VLAN, this will log the first packet (TCP SYN packet) of EVERY TCP connection for these three ports. This means that you will get duplicate entries if a client initiates more than one TCP session to the server, but this will log the least amount of data per connection using an ACL.
Also, it would behoove you to read the following document (well worth the 60-90 minute time investment):
Loading ... Do other stuffs. Seem slowly? As it doesn't do multi-requests, it's likely that web server IDS may not detect scanning. But it's for dictionary scanning only.
Imagine my clients are being routed via a SVI, int vlan 100 let's say. Such gateway between client and server vlan is a 4507.
At that point, do you know if I should apply this access-list as:
int vlan 100
ip access-group 100 in
(...)
I mean, I just want to make sure the SVI also accepts the concept of "inbound" or given that is a SVI I should apply both "inbound and outbound". I think I heard something about that in the past, but I can't remember.
Loading ... Do other stuffs. Seem slowly? As it doesn't do multi-requests, it's likely that web server IDS may not detect scanning. But it's for dictionary scanning only.
By the way, if you ever come across an article which explains why I should apply 'ip access-group out' to a SVI interface, please let me know. I can't remember why I should do 'ip access-group out' instead of 'in' when dealing with this SVI.
Here's a simple explanation. The ACL is matching the destination port for http, telnet, and rdp. So you can apply it many many places. Here are the two most common:
1) Closest to the source (the default gateway/SVI for clients) in an inbound direction
2) Closest to the destination (the default gateway/SVI for servers) in an outbound direction
I prefer number 2. I will leave the reason as an exercise for the reader.
Loading ... Do other stuffs. Seem slowly? As it doesn't do multi-requests, it's likely that web server IDS may not detect scanning. But it's for dictionary scanning only.
[Fuzz URL] Select Fuzz Type: [Help]
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:
