Using iptables to log http request to a file?

 
 
xiong.xu.cn@gmail.com
Guest
Posts: n/a

 
      08-18-2006, 10:13 AM
Hi all,

Can anyone give me a pointer to how to log http request to a file by
iptables and ulogd?
Is there any ulogd plugin can parse the traffic and just log the needed
HTTP request information (e.g. some http header field)?
Some sample source code will be great!

Thanks in advance!

Xiong

 
 
 
 
 
Viktar Sakovich2038490794
Guest
Posts: n/a

 
      08-18-2006, 05:31 PM
On Friday 18 August 2006 13:13 (E-Mail Removed) wrote:

> Hi all,
>
> Can anyone give me a pointer to how to log http request to a file by
> iptables and ulogd?
> Is there any ulogd plugin can parse the traffic and just log the
> needed HTTP request information (e.g. some http header field)?
> Some sample source code will be great!
>
> Thanks in advance!
>
> Xiong
>
>


Without ULOG:
To match some string
iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "Some String" -j ACCEPT

or better use l7-filter to match some regex:
put in /etc/l7-protocols/extra/ httpmypatern.pat with content:
httpmypatern
some_rexexp.*

and use
iptables -A INPUT -p tcp --dport 80 -m layer7 --l7proto httpmypatern -j ACCEPT





 
 
xiong.xu.cn@gmail.com
Guest
Posts: n/a

 
      08-19-2006, 03:12 AM
Thanks Viktar,

By using '-j ACCEPT', all the packets matching the pattern will be
accepted? or just the packets matched will be accepted?
For example, a http request composed of multiple lines, usually 'GET
....' followed by other HTTP header lines. In this case, will all the
http connection traffic be accepted?
And, which is the better way to parse the matched data and write to log
in a user defined format?
Should I use ulogd plugin? Is there any sample that shows me how to write a
custom log?

Thanks again,
Xiong

 
Viktar Sakovich2038490794
Guest
Posts: n/a

 
      08-19-2006, 09:37 PM
On Saturday 19 August 2006 06:12 (E-Mail Removed) wrote:

> Thanks Viktar,
>
> By using '-j ACCEPT', all the packets matching the pattern will be
> accepted? or just the packets matched will be accepted?
> For example, a http request composed of multiple lines, usually 'GET
> ...' followed by other HTTP header lines. In this case, will all the
> http connection traffic be accepted?


In case of -m string only matching packets are accepted, but in case of
l7-filter all packets for the connection (l7-filter uses connection tracking
to match the next packets of a connection) are accepted.

If you want to match for a connection with -m string, do the following:
iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "Some String" -j CONNMARK --set-mark 0x1
iptables -A INPUT -m connmark --mark 0x1 -j ACCEPT


> And, which is the better way to parse the matched data and write to
> log in a user defined format?
> Should I use ulogd plugin? Is there any sample that shows me how to write a
> custom log?
>
> Thanks again,
> Xiong
>
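For the question above about parsing matched data into a user-defined log format, here is an added example (not code from any poster in this thread, and not a ulogd plugin). It assumes packet payloads have already been delivered to userspace and keyed by connection 4-tuple. The function names, the log format and the sample packets are constructed for illustration. It shows why a single packet can hold only part of the request head.

```python
# Connection key used below: (src ip, src port, dst ip, dst port).
WANTED = ("host", "user-agent")   # header fields to log (assumed choice)
MAX_HEAD = 8192                   # per-connection buffer cap in bytes

def parse_request_head(head: bytes):
    """Parse request line + headers; return None if it is not HTTP."""
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    fields = {"method": parts[0], "target": parts[1]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in WANTED:
            fields[name.strip().lower()] = value.strip()
    return fields

def clean(value: str) -> str:
    """Escape control bytes and quotes so a header cannot forge log lines."""
    return value.encode("unicode_escape").decode("ascii").replace('"', '\\"')

def format_entry(key: tuple, fields: dict) -> str:
    """The user-defined format: client, method, target, selected headers."""
    extras = " ".join(f'{h}="{clean(fields.get(h, "-"))}"' for h in WANTED)
    return f'{key[0]}:{key[1]} {clean(fields["method"])} "{clean(fields["target"])}" {extras}'

def log_requests(packets) -> list:
    """Buffer payloads per connection until the blank line ending the head."""
    pending, entries = {}, []
    for key, payload in packets:
        buf = pending.pop(key, b"") + payload
        end = buf.find(b"\r\n\r\n")
        if end == -1:
            if len(buf) <= MAX_HEAD:   # oversized heads are dropped
                pending[key] = buf
            continue                   # one packet held only part of the head
        fields = parse_request_head(buf[:end])
        if fields:                     # bytes after the head are not tracked
            entries.append(format_entry(key, fields))
    return entries

# Constructed sample: A's request spans two packets, B's fits in one.
A = ("192.0.2.10", 40000, "198.51.100.5", 80)
B = ("192.0.2.11", 40001, "198.51.100.5", 80)
SAMPLE_PACKETS = [(A, b"GET /index.html HTTP/1.1\r\nHost: exam"),
                  (B, b"GET /a HTTP/1.0\r\nUser-Agent: x\"y\r\n\r\n"),
                  (A, b"ple.org\r\nUser-Agent: curl/8\r\n\r\n")]

if __name__ == "__main__":
    print("\n".join(log_requests(SAMPLE_PACKETS)))
```
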
 
imx
Guest
Posts: n/a

 
      08-20-2006, 01:46 PM
So, how to log just the first few, say 100, packets?

thx

 
Viktar Sakovich2038490794
Guest
Posts: n/a

 
      08-20-2006, 08:45 PM
On Sunday 20 August 2006 16:46 imx wrote:

> So, how to log just the first few, say 100, packets?
>
> thx


Use connbytes, i.e. something like this:

iptables -A INPUT -p tcp --dport 80 -m connbytes --connbytes 0:100 --connbytes-dir both --connbytes-mode packets -j ACCEPT

 
 
 