From c7d5ddfadc507d1cc9811229f938abe8c8004c0d Mon Sep 17 00:00:00 2001
From: laforge
Date: Mon, 20 Nov 2000 11:43:22 +0000
Subject: huge reorganization for 0.9 - added hashtables everywhere - no more dynamic allocation for each packet - mysql output plugin - more keys in ulogd_BASE - moved libipulog into ulogd directory - introduced autoconf
---
 ulogd/doc/Makefile.in | 46 ++++++++++++
 ulogd/doc/mysql.table | 55 ++++++++++++++
 ulogd/doc/ulogd.sgml | 202 ++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 303 insertions(+)
 create mode 100644 ulogd/doc/Makefile.in
 create mode 100644 ulogd/doc/mysql.table
 create mode 100644 ulogd/doc/ulogd.sgml
(limited to 'ulogd/doc')
diff --git a/ulogd/doc/Makefile.in b/ulogd/doc/Makefile.in
new file mode 100644
index 0000000..2c8fbca
--- /dev/null
+++ b/ulogd/doc/Makefile.in
@@ -0,0 +1,46 @@
+#! /usr/bin/make
+
+LANG_DIRS:=
+
+HOWTOS:=$(wildcard *.sgml)
+HOWTOS+=$(foreach dir, $(LANG_DIRS), $(wildcard $(dir)/*.sgml))
+
+TXT_HOWTOS:=$(HOWTOS:.sgml=.txt)
+HTML_HOWTOS:=$(HOWTOS:.sgml=.html)
+PSA4_HOWTOS:=$(HOWTOS:.sgml=.a4.ps)
+PSUS_HOWTOS:=$(HOWTOS:.sgml=.letter.ps)
+
+HOWTO_FLAGS_it/=-c latin -l it
+HOWTO_FLAGS_fr/=-c latin -l fr
+
+interesting_howtos: $(TXT_HOWTOS) $(PSA4_HOWTOS)
+
+HOWTOs: $(TXT_HOWTOS) $(HTML_HOWTOS) $(PSA4_HOWTOS) $(PSUS_HOWTOS)
+
+# Remake all if Makefile changes.
+$(TXT_HOWTOS) $(HTML_HOWTOS) $(PSA4_HOWTOS) $(PSUS_HOWTOS): Makefile
+
+# Stupid sgml2* tools strip dirnames for output files. 8(
+%.txt: %.sgml
+ @echo Making $@: && cd `dirname $<` && sgml2txt --filter $(HOWTO_FLAGS_$(dir $<)) `basename $<` 2>&1 | sed "s?^:\([0-9]*\):[^ ]* ?$<:\1:?"
+
+%.a4.dvi: %.sgml
+ @echo Making $@: && cd `dirname $<` && sgml2latex --papersize=a4 --output=dvi $(HOWTO_FLAGS_$(dir $<)) `basename $<` 2>&1 | sed "s?^:\([0-9]*\):[^ ]* ?$<:\1:?" && mv `basename $*.dvi` `basename $*.a4.dvi`
+
+%.a4.ps: %.a4.dvi
+ @dvips -t a4 -o $@ $<
+
+%.letter.dvi: %.sgml
+ @echo Making $@: && cd `dirname $<` && sgml2latex --papersize=letter --output=dvi $(HOWTO_FLAGS_$(dir $<)) `basename $<` 2>&1 | sed "s?^:\([0-9]*\):[^ ]* ?$<:\1:?" && mv `basename $*.dvi` `basename $*.letter.dvi`
+
+%.letter.ps: %.letter.dvi
+ @dvips -t letter -o $@ $<
+
+%.html: %.sgml
+ @echo Making $@: && cd `dirname $<` && sgml2html $(HOWTO_FLAGS_$(dir $<)) `basename $<` 2>&1 | sed "s?^:\([0-9]*\):[^ ]* ?$<:\1:?"
+
+clean:
+ for d in . $(LANG_DIRS); do rm -f $$d/*.html $$d/*.ps $$d/*.aux $$d/*.log $$d/*.txt $$d/*~; done
+
+distclean:
+ rm -f Makefile
diff --git a/ulogd/doc/mysql.table b/ulogd/doc/mysql.table
new file mode 100644
index 0000000..bdfee71
--- /dev/null
+++ b/ulogd/doc/mysql.table
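Review bot: In the `%.txt`, `%.a4.dvi`, `%.letter.dvi` and `%.html` recipes the converter's output is piped into `sed`, so the recipe's exit status is sed's and a failing sgml2txt/sgml2latex/sgml2html is reported as success while `$@` is missing or left over from an earlier run; with no `.DELETE_ON_ERROR:` a half-written target would also look up to date afterwards. One fix that keeps the error-location rewriting is to run recipes under bash with `SHELL := bash`, start each of those recipe lines with `set -o pipefail &&`, and add `.DELETE_ON_ERROR:` near the top of the file. Separately, `interesting_howtos`, `HOWTOs`, `clean` and `distclean` are command targets that are never declared phony, so a file with one of those names in the doc directory silently disables the target: `.PHONY: interesting_howtos HOWTOs clean distclean`.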
@@ -0,0 +1,55 @@
+CREATE TABLE ulog ( id INT UNSIGNED AUTO_INCREMENT UNIQUE,
+
+ raw_mac VARCHAR(80),
+
+ oob_time_sec INT UNSIGNED,
+ oob_time_usec INT UNSIGNED,
+ oob_prefix VARCHAR(32),
+ oob_mark INT UNSIGNED,
+ oob_in VARCHAR(32),
+ oob_out VARCHAR(32),
+
+ ip_saddr INT UNSIGNED,
+ ip_daddr INT UNSIGNED,
+ ip_protocol TINYINT UNSIGNED,
+ ip_tos TINYINT UNSIGNED,
+ ip_ttl TINYINT UNSIGNED,
+ ip_totlen SMALLINT UNSIGNED,
+ ip_ihl TINYINT UNSIGNED,
+ ip_csum SMALLINT UNSIGNED,
+ ip_id SMALLINT UNSIGNED,
+ ip_fragoff SMALLINT UNSIGNED,
+
+ tcp_sport SMALLINT UNSIGNED,
+ tcp_dport SMALLINT UNSIGNED,
+ tcp_seq INT UNSIGNED,
+ tcp_ackseq INT UNSIGNED,
+ tcp_window SMALLINT UNSIGNED,
+ tcp_urg TINYINT,
+ tcp_urgp SMALLINT UNSIGNED,
+ tcp_ack TINYINT,
+ tcp_psh TINYINT,
+ tcp_rst TINYINT,
+ tcp_syn TINYINT,
+ tcp_fin TINYINT,
+
+ udp_sport SMALLINT UNSIGNED,
+ udp_dport SMALLINT UNSIGNED,
+ udp_len SMALLINT UNSIGNED,
+
+ icmp_type TINYINT UNSIGNED,
+ icmp_code TINYINT UNSIGNED,
+ icmp_echoid SMALLINT UNSIGNED,
+ icmp_echoseq SMALLINT UNSIGNED,
+ icmp_gateway INT UNSIGNED,
+ icmp_fragmtu SMALLINT UNSIGNED,
+
+ pwsniff_user VARCHAR(30),
+ pwsniff_pass VARCHAR(30),
+
+ ahesp_spi INT UNSIGNED,
+
+ KEY index_id (id)
+ );
+
+
diff --git a/ulogd/doc/ulogd.sgml b/ulogd/doc/ulogd.sgml
new file mode 100644
index 0000000..26479f0
--- /dev/null
+++ b/ulogd/doc/ulogd.sgml
@@ -0,0 +1,202 @@
+ + + +
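Review bot: `id INT UNSIGNED AUTO_INCREMENT UNIQUE` together with `KEY index_id (id)` builds two indexes on the same column and still leaves the table without a primary key; `id INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,` with the `KEY index_id (id)` line dropped gives one index and an explicit row identity. The `pwsniff_user` and `pwsniff_pass` columns will hold cleartext credentials captured from traffic once ulogd_PWSNIFF is loaded (the ulogd.sgml text in this commit describes that plugin as an example only), so a comment at the top of the file recommending that these two columns be removed unless the plugin is deliberately used, and that the table be reachable only by a dedicated low-privilege mysql account, would help anyone who creates this schema as-is.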
+ +ULOGD - the Userspace Logging Daemon +Harald Welte <laforge@gnumonks.org> +Revision $Revision$, $Date$ + + +This is the documentation for ulogd, the Userspace logging daemon. +ulogd makes use of the Linux 2.4 firewalling subsystem (netfilter) and the +ULOG target for netfilter. + + + + +DESIGN + +CONECEPT +

+I want to provide a flexible, almost universal logging daemon for my netfilter +ULOG target. It is not optimized in any way, the goal is to keep as simple as +possible. These are my thoughts about how the architecture which is most +capable of doing that: +

+ +Interpreter lugins +It should be possible to add plugins / runtime modules for new protocols, etc. +For example the standard logging daemon provides source-ip, dest-ip, +source-port, dest-port, etc. Logging for variuos other protocols (GRE, +IPsec, ...) may be implemented as modules. + +Output plugins +... describe how and where to put the information gained by logging plugins. +The easiest way is to build a line per packet and fprint it to a file. +Some people might want to log into a SQL database or want an output +conforming to the intrusion detection systems communication draft from the +IETF. + + + +DETAILS +

+The major clue is providing a framework which is as flexible as possible. +Nobody knows what strange network protocols are out there :) Flexibility +depends on the communication between the output of the logging plugins +and input of the output plugins. +

+Rusty advised me to use some kind of type-key-value triples, but I think +this is the total overkill and is too complicated for me to implement it +in a reasonable short period of time. (3 hours later) Hmm... Rusty finally +convinced me to use linked lists of type-key-value triples - and it wasn't +that difficult. +

+Another issue is, of course, performance. Up to ulogd 0.3, ulogd did several +linked list iterations and about 30 malloc() calls _per packet_. This +changed with the new 0.9 revision: + +Not a single dynamic allocation in the core during runtime. +Everything is pre-allocated at start of ulogd to provide the highest +possible throughput. +Hash tables in addition to the linked lists. Linked lists are only +traversed if we really want to access each element of the list. + + +INSTALLATION +

+Linux kernel +

+First you will need a recent 2.4.x kernel. At the time this document was +written, 2.4.0-test11-pre5 was the latest development version. Ulogd should +work with all kernels >= 2.4.0-test4. + +netfilter / iptables +

+In addition you need the latest iptables package, or even better: the latest +CVS snapshot. A description how to obtain this is provided on the netfilter +homepage . +

+ulogd is based on a special netfilter extension, called the netfilter ULOG +target module. You have to patch this extension into your kernel, as it +has not been integrated into the main kernel yet. To make this as easy +as possible, netfilter provides the 'patch-o-matic' subsystem. +

+To run patch-o-matic, just type + +make patch-o-matic + +in the userspace directory of netfilter CVS. + +ulogd +Recompiling the source +

+Download the ulogd package from and +untar it. +

+Run './configure' and 'make install'. +

+Copy the configuration file 'ulogd.conf' to /etc + +Using a precompiled package +

+I also provide redhat-6.2 and redhat-7.0 RPM's, available at and . +

+Just download the package and do the usual 'rpm -i <file>'. + +Configuration +netfilter +

+Just add rules using the ULOG target to your firewalling chain. A very basic +example: + +iptables -A FORWARD -j ULOG --ulog-nlgroup 32 --prefix foo + +

+Of course you can combine the ULOG target with the different netfilter match modules. +For a more detailed description, have a look at the netfilter HOWTO's, available on +the netfilter homepage. + +ulogd +

+All configurable parameters of ulogd are in the configfile '/etc/ulogd.conf' +

+The following configuration parameters are available: + +nlgroup +The netlink multicast group, which ulgogd should bind to. This is the same as given with the '--ulog-nlgroup' option to iptables. +logfile +The main logfile, where ulogd reports any errors, warnings and other unexpected +conditions. +loglevel +This specifies, how verbose the logging to logfile is. Currently defined loglevels are: 1=debug information, 3=informational messages, 5=noticable exceptional conditions, 7=error conditions, 8=fatal errors, program abort. +plugin +This option is followed by a filename of a ulogd plugin, which ulogd shold load upon initialization. This option may appear more than once. + + +Available plugins +

+ulogd comes with the following plugins: + +ulogd_BASE.so +Basic interpreter plugin for nfmark, timestamp, mac address, ip header, tcp header, udp header, icmp header, ah/esp header. +ulogd_PWSNIFF.so +Example interpreter plugin to log plaintext passwords as used with FTP and POP3. Don't blame me for writing this plugin! The protocols are inherently insecure, and there are a lot of other tools for sniffing passwords... it's just an example. +ulogd_OPRINT.so +A very simple output module, dumping all packets in the format + +===>PACKET BOUNDARY +key=value +key=value +... +===>PACKET BOUNDARY +... + +to a file. +

The module defines the following configuration directives: + +dumpfile +The filename where it should log to. The default is /var/log/ulogd.pktlog + + +ulogd_LOGEMU.so +An output module which tries to emulate the old syslog-based LOG targed as far as possible. Logging is done to a textfile instead of syslog, though. +

+The module defines the following configuration directives: + +syslogfileThe filename where it should log to. The default is /var/log/ulogd.syslogemu + + +ulogd_MYSQL.so +An output plugin for logging into a mysql database. This is only compiled if you have the mysql libraries installed, and the configure script was able to detect them. (FIXME: how to do this) +

+The plugin automagically inserts the data into the configured table; It connects to mysql during the startup phase of ulogd and obtains a list of the columns in the table. Then it tries to resolve the column names against keys of interpreter plugins. This way you can easly select which information you want to log - just by the layout of the table. +

+If, for example, your table contains a field called 'ip_saddr', ulogd will resolve this against the key 'ip.saddr' and put the ip address as 32bit unsigned integer into the table. +

+You may want to have a look at the file 'doc/mysql.table' as an example table including fields to log all keys from ulogd_BASE.so. Just delete the fields you are not interested in, and create the table. +

+The module defines the following configuration directives: + +mysqltable +Name of the table to which ulogd should log +mysqldb +Name of the mysql database +mysqlhost +Name of the mysql database host +mysqluser +Name of the mysql user +mysqlpass +Password for mysql + + + + QUESTIONS / COMMENTS +

+All comments / questions / ... are appreciated. +

+Just drop me a note to laforge@gnumonks.org + +
