Firewall Log Messages
Firewall Log Format
The AP firewall logs firewall events through the kernel's netfilter LOG target, so every entry carries the same fields in the same order. A typical log entry looks like this:
Example:
Mar 24 14:11:11 host kernel: DROP_AWP_INPUT IN=eth0 OUT= MAC=00:50:56:bd:76:78:00:a0:c8:26:33:94:08:00 SRC=1.2.3.4 DST=5.6.7.8 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12197 CE DF MF PROTO=TCP SPT=3619 DPT=110 SEQ=1917628740 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 24 14:11:11 - Date/Time Stamp
host - The hostname of the system where this event occurred (your server).
kernel - Application Name (firewall rules are always kernel)
DROP_AWP_INPUT - Firewall rule name, the log prefix attached to the rule that matched. This example shows the older AWP-prefixed form of the name; the rule descriptions on this page use the AP_ prefix. A prefix can contain a space (for example DROP_AP: HEARTBEAT), so when parsing, treat everything between "kernel:" and "IN=" as the rule name.
IN=eth0 - Incoming interface. Populated only for packets arriving at the server (INPUT and FORWARD chains); empty for packets the server itself is sending.
OUT= - Outgoing interface. Populated only for packets leaving the server (OUTPUT and FORWARD chains); empty, as here, for inbound packets.
MAC=00:50:56:bd:76:78:00:a0:c8:26:33:94:08:00 - The raw 14-byte Ethernet header, written as three parts joined with colons: the destination MAC (00:50:56:bd:76:78, your own interface), the source MAC (00:a0:c8:26:33:94, the last hop that forwarded the packet, usually your upstream router) and the EtherType (08:00, IPv4). The source MAC only identifies your router; it tells you nothing about the original sender.
SRC=1.2.3.4 - Source IP (The IP address for the system that sent this packet)
DST=5.6.7.8 - Destination IP (The IP address the source system requested this packet be sent to)
LEN=48 - Total length of IP packet in bytes
TOS=0x00 - Type of Service field. It is rarely used today; most systems interpret this byte as the DSCP and ECN fields instead.
PREC=0x00 - The Precedence part of the Type of Service field, likewise superseded by DSCP and ECN on most systems.
TTL=115 - Remaining “Time To Live” for this packet in “hops”
ID=12197 - The IP Identification field. If the packet is a fragment, all fragments of the same datagram share this ID.
CE - The reserved high bit of the IP flags field, which Linux labels "Congestion Experienced" (optional). RFC 791 requires this bit to be zero, so a packet carrying it was crafted or corrupted; real ECN congestion marks live in the TOS byte, not here.
DF - Don't Fragment flag (optional)
MF - More Fragments to follow (optional)
PROTO=TCP - Protocol (For example, TCP or UDP)
SPT=3619 - Source Port (The port the packet came from)
DPT=110 - Destination Port (The port the source IP requested the packet go to)
SEQ=1917628740 - TCP sequence number of this segment. SEQ and ACK only appear when the LOG rule was created with --log-tcp-sequence.
ACK=0 - TCP acknowledgement number, the next sequence number the sender expects from the other end. It is only meaningful when the ACK flag is set, which is why it is 0 on this initial SYN.
WINDOW=65535 - The TCP receive window size advertised by the sender.
RES=0x00 - The four reserved bits of the TCP header, which should always be zero. The ECN-related flags CWR and ECE are not in this field; when set they are printed as separate flag words alongside SYN, ACK and the others.
SYN URGP=0 - The TCP flags that are set (here only SYN, so this is a new connection attempt to port 110), followed by the urgent pointer, which is only meaningful when URG is set.
OPT (020405B401010402) - Raw TCP options in hex, only logged when the rule was created with --log-tcp-options. Decoded, this example reads: 02 04 05B4 = Maximum Segment Size 1460, 01 = NOP, 01 = NOP, 04 02 = SACK permitted, a normal option set for a SYN.
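The following parser is an added example written for this page; it is not code from AP or from the page's authors. It splits the rule prefix from the key=value fields, collects the bare IP and TCP flag words, decodes the MAC field into destination, source and EtherType, decodes the TCP option bytes, and tallies drops per rule and source while skipping the audit-only rules described in the next section. The four sample lines are constructed for the example: the first is the entry shown above, the other three are made up (placeholder addresses) to exercise a prefix containing a space behind a dmesg-style timestamp, an audit-only rule, and a UDP entry, which repeats LEN= for the UDP header. The AUDIT_PREFIXES tuple is an assumption taken from the rule names on this page, not an AP setting.

```python
import re
from collections import Counter

# Constructed sample input: the entry shown on the page, then three made-up
# lines (placeholder addresses): a spaced rule prefix behind a dmesg-style
# timestamp, an audit-only rule, and a UDP packet (LEN= repeats for the UDP header).
SAMPLE_LINES = [
    "Mar 24 14:11:11 host kernel: DROP_AWP_INPUT IN=eth0 OUT= MAC=00:50:56:bd:76:78:00:a0:"
    "c8:26:33:94:08:00 SRC=1.2.3.4 DST=5.6.7.8 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12197 "
    "CE DF MF PROTO=TCP SPT=3619 DPT=110 SEQ=1917628740 ACK=0 WINDOW=65535 RES=0x00 SYN "
    "URGP=0 OPT (020405B401010402)",
    "Mar 24 14:12:02 host kernel: [ 9123.456789] DROP_AP: HEARTBEAT IN=eth0 OUT= "
    "SRC=1.2.3.4 DST=5.6.7.8 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP "
    "SPT=44120 DPT=443 WINDOW=29200 RES=0x00 ACK PSH URGP=0",
    "Mar 24 14:12:30 host kernel: AP_WHITELIST IN=eth0 OUT= SRC=192.0.2.10 "
    "DST=5.6.7.8 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP "
    "SPT=50110 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Mar 24 14:12:31 host kernel: AP_AR_DROP IN=eth0 OUT= SRC=1.2.3.4 DST=5.6.7.8 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=12198 PROTO=UDP SPT=5353 DPT=53 LEN=20",
]

# The rule prefix is everything between "kernel: " (plus an optional "[secs.usecs] ")
# and " IN="; it may contain spaces, as in "DROP_AP: HEARTBEAT".
_HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*\d+\.\d+\] )?(?:(?P<rule>.*?) )?(?P<rest>IN=.*)$")
IP_FLAGS = {"CE", "DF", "MF"}
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
# Assumption taken from this page's rule list: these prefixes log, never drop.
AUDIT_PREFIXES = ("AP_WHITELIST", "AP_KNOCK", "AP_SKNOCK")


def decode_mac(field):
    # MAC= is the raw 14-byte Ethernet header: dst MAC (your NIC), src MAC
    # (the last hop, usually your router) and the EtherType (0800 = IPv4).
    o = field.split(":")
    if len(o) != 14:
        return None
    return {"dst": ":".join(o[:6]), "src": ":".join(o[6:12]), "ethertype": "".join(o[12:])}


def decode_tcp_options(hexstr):
    # Walk the raw option bytes from "OPT (...)" into readable names.
    data, out, i = bytes.fromhex(hexstr), [], 0
    while i < len(data) and data[i] != 0:         # kind 0 ends the list
        kind = data[i]
        if kind == 1:                              # NOP carries no length byte
            out.append("NOP")
            i += 1
            continue
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):   # bad length: stop, don't loop
            out.append("MALFORMED")
            break
        body = data[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            out.append("MSS=%d" % int.from_bytes(body, "big"))
        else:
            out.append({3: "WS", 4: "SACKOK", 8: "TS"}.get(kind, "kind%d" % kind))
        i += length
    return out


def parse_log_line(line):
    # Return a dict of fields for one log line, or None if it is not one.
    m = _HEADER.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "rule": m["rule"] or "",
           "ip_flags": set(), "tcp_flags": set()}
    tokens, i = m["rest"].split(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "OPT" and i + 1 < len(tokens):   # "OPT (hex)" is two tokens
            rec["OPT"] = tokens[i + 1].strip("()")
            i += 2
            continue
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec.setdefault(key, value)   # repeated LEN=: keep the IP total length
        elif tok in IP_FLAGS or tok in TCP_FLAGS:  # bare words are set flags
            rec["ip_flags" if tok in IP_FLAGS else "tcp_flags"].add(tok)
        i += 1
    if "MAC" in rec:
        rec["mac"] = decode_mac(rec["MAC"])
    if "OPT" in rec:
        rec["tcp_options"] = decode_tcp_options(rec["OPT"])
    return rec


def is_audit_rule(rule):
    return rule.startswith(AUDIT_PREFIXES)


def summarize(lines):
    # Tally drops per (rule, SRC) and flag packets with the reserved CE bit set.
    drops, anomalies = Counter(), []
    for rec in map(parse_log_line, lines):
        if rec is None or is_audit_rule(rec["rule"]):
            continue                       # audit rules log allowed traffic
        drops[(rec["rule"], rec.get("SRC"))] += 1
        if "CE" in rec["ip_flags"]:
            anomalies.append((rec["rule"], rec.get("SRC")))
    return drops, anomalies
```

Feed summarize() the lines of whatever file your syslog writes kernel messages to. Two details matter in practice: the rule name must be taken as the whole span between "kernel:" and "IN=" because prefixes like DROP_AP: HEARTBEAT contain a space, and UDP entries repeat the LEN= key, so a naive dict comprehension would silently overwrite the IP total length with the UDP header length.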
Auditing Rules
These rules do not block anything, they just log allowed traffic or special events.
AP_WHITELIST
This logs when an IP on the firewall whitelist has been allowed to connect to the system. It does not block or shun anything.
AP only produces these log messages when the following options are enabled:
FW_WHITELIST
FW_WHITELIST_LOG
Note
FW_WHITELIST is not enabled by default. This can only occur if you enable the option.
AP_KNOCK
This logs when a potential knock packet comes in when using the advanced portknocking system. It does not block or shun anything.
AP_KNOCK_IN
This logs the source IP of a client when it connects to a port protected by advanced portknocking. It does not block or shun anything.
AP_SKNOCK
This logs when a potential knock packet comes in when using the simple portknocking system. It does not block or shun anything.
AP_SKNOCK_IN
This logs the source IP of a client when it connects to a port protected by simple portknocking. It does not block or shun anything.
Blocking/Dropping Rules
AP_AR_DROP
In netfilter these rules carry the label “AP-ACTIVE-RESPONSE”.
AP has blocked packets from an IP that was shunned by AP due to a rule violation. By default, these shuns are temporary.
You can manually remove a shun by following the process outlined in Using Atomic Endpoint Defender.
This capability is enabled by default and is controlled by the OSSEC_ACTIVE_RESPONSE setting.
Shuns are removed automatically by default; this is controlled by the OSSEC_SHUN_ENABLE_TIMEOUT setting.
The timeout after which a shun is automatically removed is set by OSSEC_SHUN_TIME.
DROP_AP: HEARTBEAT
AP has detected and blocked a TLS heartbeat request. The TLS heartbeat extension (RFC 6520) is the one whose flawed OpenSSL implementation caused the Heartbleed vulnerability (CVE-2014-0160). Legitimate clients almost never send heartbeat requests, so this usually means a Heartbleed probe or attack is underway. The rule matches the heartbeat record itself, not a confirmed memory disclosure, so treat it as a prompt to verify that your OpenSSL is patched rather than as proof that data leaked.
DROP_AP: DNS_DDOS
AP has detected an attempt to use your DNS server as a DNS DDoS amplifier. This likely means someone is trying to use your DNS server to launch a DDoS attack against another host, and AP has blocked it. Because amplification attacks spoof the victim's address as the query source, the SRC in these entries is usually the intended victim rather than the attacker, so do not blacklist it reflexively.
DROP_AP: NTP_DDOS
AP has detected an attempt to use your NTP server as an NTP DDoS amplifier. This likely means someone is trying to use your NTP server to launch a DDoS attack against another host, and AP has blocked it. As with DNS_DDOS, the logged SRC is normally the spoofed victim address.
DROP_AP_TORTIX
An IP address has been blocked from connecting to the AP web console because it is not in the list of addresses you have configured to allow access. AP does not block any IPs from the web console by default.
You can change the IPs you have configured AP to allow into the AP web console by editing this file:
/etc/awp/firewall/tortixd-access-list
Then run this command as root:
service awp-firewall restart
AP_SMTP_OUT
AP has blocked outbound SMTP traffic from a local user you have not authorized to send mail directly. This feature does not prevent users from sending mail through the system's mail server; it only prevents them from bypassing it, which stops spam bots running on the system from delivering mail straight to remote hosts.
AP does not block any users from sending SMTP traffic outbound by default.
If you wish to allow a user to bypass your local mail server, change this setting: FW_OUTPUT_MTA
AP_BLACKLIST_BLOCK
AP has blocked traffic from an IP that you placed on the AP blacklist. This blacklist is manually created by the user, and AP will not add IPs to this blacklist. The blacklist is empty by default.
Blacklists are bidirectional: when an IP is blacklisted, all traffic both to and from it is blocked (the address is matched as both SRC and DST).
AP_GEO_BLOCK
AP has blocked traffic from a country that you have configured AP to block via AP's geoblocking. This is configured manually by the user; AP will not automatically add countries to the geoblocking lists, and no countries are blocked by default.
DROP_AP_U_RATE
The rate limit you configured for this UDP port has been exceeded. AP does not set any rate limits by default.
DROP_AP_T_RATE
The rate limit you configured for this TCP port has been exceeded. AP does not set any rate limits by default.
DROP_AP_INPUT
AP has dropped an inbound packet because you have configured it to do this. AP does not block connections to any ports by default.
AP_OUTPUT
AP has dropped a packet because you have configured it to do this. AP does not block outbound connections to any ports by default.
AP_TOR_BLOCK
AP has blocked an IP that is a Tor exit node because you have configured AP to block Tor exit nodes. AP does not block this by default.
AP_AUTOSHUN_BLOCK
AP has blocked an IP that is on the autoshun RBL list because you have configured AP to block IPs from this RBL. AP does not block this by default.
AP_CIARMY_BLOCK
AP has blocked an IP that is on the ciarmy RBL list because you have configured AP to block IPs from this RBL. AP does not block this by default.
AP_DSHIELD_BLOCK
AP has blocked an IP that is on the dshield RBL list because you have configured AP to block IPs from this RBL. AP does not block this by default.
AP_ELASSO_BLOCK
AP has blocked an IP that is on the spamhaus elasso RBL list because you have configured AP to block IPs from this RBL. AP does not block this by default.
AP_LASSO_BLOCK
AP has blocked an IP that is on the spamhaus lasso RBL list because you have configured AP to block IPs from this RBL. AP does not block this by default.
AP_EMERGING_THREATS_BLOCK
AP has blocked an IP that is on the emerging threats RBL list because you have configured AP to block IPs from this RBL. AP does not block this by default.
AP_OPENBL_BLOCK
AP has blocked an IP that is on the openbl RBL list because you have configured AP to block IPs from this RBL. AP does not block this by default.
AP_OPENPROXIES_BLOCK
AP has blocked an IP that is on the openproxies RBL list because you have configured AP to block IPs from this RBL. AP does not block this by default.
AP_FRAGMENT
AP has blocked a fragmented packet. When configured properly, AP runs a stateful firewall that reassembles fragmented packets before the rules see them, so this rule should not normally fire. If it does, either stateful inspection has been disabled for user-defined rules, or the system is not running the AP kernel and the third-party kernel in use does not support stateful firewalling.
DROP_AP_TOOSMALL
AP has blocked a packet that is too small to be valid.
AP_INVALID_INPUT
AP has dropped an incoming packet that connection tracking classified as INVALID (for example a TCP segment that belongs to no tracked connection and is not a valid new SYN).
AP_INVALID_FWD
AP has dropped an INVALID packet in the FORWARD chain.
AP_INVALID_OUTPUT
AP has dropped an outgoing INVALID packet.
DROP_AP_ADVSCAN
AP has detected and blocked a portscan using the advanced portscan detector in AP.
DROP_AP_PORTSCAN
AP has detected and blocked a portscan.
DROP_AP_GSCAN
AP has detected a potential banner grab portscan.
DROP_AP_CNSCAN
AP has detected and blocked a connect() portscan.
DROP_AP_SSCAN
AP has detected and blocked a potential SYN portscan.
DROP_AP_STSCAN
AP has detected and blocked a stealth portscan.
DROP_AP_MSS
AP has detected a packet that is too small to be valid.