Logging - howto

Hi,

Due to stupid Danish regulations I have to log all sites with more than 100 users. Please don’t ask me why, it just is so!

I need to log the following information about all connections:

  • Sender IP
  • Destination IP
  • Sender Port number
  • Destination Port number
  • Protocol used

All this seems rather possible, but I also need to log the time of the connection’s establishment (not a problem) AND the time the connection was destroyed (first and last package in an internet session).
The first part is easy (SYN/ACK) with a mark on new connection, but how do I register the latter, the session’s last package (FIN)?

Any ideas are welcome!

Cheers

/Nisse

use random() function in your logging software…

do you save NetFlow dump, or something else?

Hi Chupaka,

Using the Random() function would give me a random match with a given probability; how could that help me in identifying the last package of a session (FIN)?

I simply have to log the time of establishment and finish of any connection - no data!

Identifying the first (SYN/ACK establishing) package is fairly straightforward using the “new connection” option but the last package (FIN)?

Here is a nice schematic of the TCP connection state diagram on page 22: http://www.rfc-editor.org/rfc/rfc793.txt

/Nisse

trafficflow should give you all of this.

what about UDP?

can you create a log rule that triggers on established connection and FIN packet and that’s all you need?

Hi,

The solution I am seeking is based on the European law (EU) against Terrorism. It is a law that requires ALL ISPs to identify ALL sessions made on their net with certain specifications. The rest of Europe (EU) is still considering how to implement this law, but here in Denmark our imbecile politicians passed the law to be implemented 17/9-2007 - without any regard to the flaws and holes in this suggestion made by the EU.

The law is implemented so any commercial ISP with more than 100 customers is to follow it - except public facilities such as libraries, schools, universities and so on. Also - to my great surprise - our non-commercial community wireless networks are considered commercial because: “We provide a service that COULD be provided on a commercial basis”. Please do not ask further, we feel that the good old East German “Stasi” has invaded our lives, but law is law and …

BTW: Services like “Hotmail” - “Yahoo mail” and similar are exempt from this law - just to make the joke complete.

Thus, I need to be able to identify (by logging) the above mentioned data together with 2 timestamps:

  • Session start
  • Session finish

Regardless of protocols used!

Maybe the only solution is to set up a proxy but if I could use the MT’s that is there anyway I could make a nifty solution.

Therefore I need to be able to identify when a session (conn_track) ends and log this…

/Nisse

have you looked at CALEA and Traffic Flow (compatible with netflow)? CALEA will store everything that passes the router.

another alternative, and I’m not sure if it’s within your budget, but Microsoft ISA server does this type of logging, and stores it in a native MSDE database, or optionally in a full SQL Server database.
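Two replies above point at Traffic Flow (NetFlow-compatible) as the answer to the whole list, including the two timestamps and UDP. The following is an added example, not code from any of the posters or from MikroTik: a small NetFlow v5 collector-side parser that turns one exported datagram into exactly the records Nisse needs (sender/destination IP and port, protocol, first-packet time, last-packet time). It assumes the router exports NetFlow version 5 (the RouterOS Traffic Flow target version is a configuration choice, not something stated in the thread) and uses a constructed sample datagram with made-up addresses so it runs offline. The "First"/"Last" fields in a v5 record are router uptime in milliseconds, so each is converted to wall-clock time using the uptime and export time carried in the datagram header.

```python
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire format (big-endian): 24-byte header, then 48-byte records.
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
TCP_FIN, TCP_RST = 0x01, 0x04


@dataclass
class FlowRecord:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    start_time: float   # unix seconds of the first packet seen
    end_time: float     # unix seconds of the last packet seen
    tcp_flags: int      # cumulative OR of TCP flags over the flow (0 for UDP)
    packets: int

    def ended_by_teardown(self) -> bool:
        """True when the exporter saw a FIN or RST; otherwise the flow was
        closed by the exporter's active/inactive timeout (always so for UDP)."""
        return self.protocol == "tcp" and bool(self.tcp_flags & (TCP_FIN | TCP_RST))

    def log_line(self) -> str:
        return (f"{self.start_time:.3f} {self.end_time:.3f} {self.protocol} "
                f"{self.src_ip}:{self.src_port} -> {self.dst_ip}:{self.dst_port}")


def parse_netflow_v5(datagram: bytes) -> list[FlowRecord]:
    """Parse one NetFlow v5 export datagram into FlowRecords with absolute times."""
    (version, count, sys_uptime_ms, unix_secs, unix_nsecs,
     _seq, _engine_type, _engine_id, _sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated datagram: header count exceeds payload")
    export_time = unix_secs + unix_nsecs / 1e9
    records = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, _octets, first_ms, last_ms,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack_from(RECORD_FMT, datagram,
                                                           HEADER_LEN + i * RECORD_LEN)
        # First/Last are exporter uptime (ms); anchor them to the header's export time.
        start = export_time - (sys_uptime_ms - first_ms) / 1000.0
        end = export_time - (sys_uptime_ms - last_ms) / 1000.0
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  sport, dport, PROTO_NAMES.get(proto, str(proto)),
                                  start, end, flags, pkts))
    return records


def _record(src, dst, sport, dport, proto, first_ms, last_ms, flags, pkts, octets):
    # Helper for the constructed sample below (next-hop, interfaces, AS, masks are dummies).
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, first_ms, last_ms,
                       sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample datagram: router uptime 100 s, exported at unix time 1190000000.
# Record 1: a TCP session that ended with FIN (flags SYN|ACK|PSH|FIN = 0x1B).
# Record 2: a UDP exchange that the exporter closed on its inactive timeout.
SAMPLE_DATAGRAM = (
    struct.pack(HEADER_FMT, 5, 2, 100_000, 1_190_000_000, 0, 1, 0, 0, 0)
    + _record("10.0.0.5", "192.0.2.10", 51000, 80, 6, 40_000, 95_000, 0x1B, 12, 4096)
    + _record("10.0.0.7", "192.0.2.53", 53001, 53, 17, 99_000, 99_200, 0x00, 2, 180)
)

if __name__ == "__main__":
    for rec in parse_netflow_v5(SAMPLE_DATAGRAM):
        print(rec.log_line(), "(teardown seen)" if rec.ended_by_teardown() else "(timeout)")
```

The point to check before relying on this for the retention requirement: the "finish" timestamp is the last packet the exporter saw, not the moment the peer closed. For TCP, `ended_by_teardown()` tells the two cases apart via the cumulative flag bits; for UDP there is no close at all, so the end time is only ever "last packet before the exporter's inactive timeout", which is the same limitation a conntrack-based log rule would have.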