How I analyzed my firewall log file

For quite some time now, I have been noticing a terrible lack of performance on my Macbook Pro. So yesterday I decided to enable a full firewall, thinking that maybe there was some intruder on my machine. Much to my surprise the logfile showed continuous attempts to access some ports, especially 46585 (gtkam?). Hence I decided to notify the providers associated with the IPs that were recorded as responsible for the attacks. Since it is a rather long and cumbersome process, I will give here the few command lines that help a bit in selecting which IPs to investigate further.

I am assuming the format of the logfile is the one produced by the Mac OS X application firewall (appfirewall.log), where an entry line looks like:

Jul 16 17:16:49 supersoulfighter Firewall[264]: Deny vnetd connecting from 212.181.162.139:58547 to port 42048 proto=6
Jul 16 17:48:46 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 129.16.225.20:34559

I also decided to address only the Stealth Mode connection attempts, so I select just those lines out of the logfile with a simple grep:

grep Stealth appfirewall.log > stealth.text

Next, sort the file on the source address so that all entries from the same IP end up adjacent (uniq, used below, only merges adjacent lines). In these entries the whitespace-separated field 13 is the word "from" and field 14 is the source IP:port, so key the sort on that field:

sort -k14,14 stealth.text > stealth_sorted.text

If you want to see each source displayed only once, with a count, run

uniq -c -s 110 stealth_sorted.text > uniq_stealth_sorted.text

The -s 110 tells uniq to skip the first 110 characters of each line before comparing, which for this hostname and local address is everything up to the source address; if your hostname or local IP has a different length, adjust the number (or the comparison will start in the wrong place and nothing will be merged). Since the comparison runs from the source address to the end of the line, a host that changes its source port is counted as separate entries. The number of occurrences appears as the first field of each line; sorting that file numerically (sort -n) gives the ranking. One entry to discard before reporting anything: a source of 192.168.1.1:53 is the LAN router's DNS server answering a lookup from port 53, not an outside attacker. In my case, from this morning's log, these had the highest hits:

  31 Jul 16 18:33:09 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 85.210.46.84:4930
  37 Jul 16 17:09:12 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 129.16.225.20:34559
  40 Jul 16 17:09:54 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 89.27.96.242:3346
  41 Jul 16 17:16:34 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 37.14.115.113:11166
  42 Jul 16 17:09:25 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 82.181.65.254:20585
  42 Jul 16 17:15:01 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 128.214.170.37:34661
  43 Jul 16 17:12:17 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 83.34.225.54:13826
  44 Jul 16 17:15:13 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 88.71.231.170:2657
  45 Jul 16 18:03:42 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:49262 from 192.168.1.1:53
  51 Jul 16 17:15:40 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 93.222.195.3:63810
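The same pipeline as one script, as an added example that is not part of the original post. It anchors on the literal "from" token instead of a fixed 110-character offset (so it does not depend on the hostname or local address width), counts per source IP rather than per IP:port, and drops private-range sources such as the router's DNS replies. The log lines embedded in it are constructed in the appfirewall.log format shown above, not the author's data; the function names are my own.

```shell
#!/bin/sh
# Added example: rank the sources of "Stealth Mode" entries in an
# appfirewall.log-style file. Not the original post's commands.

# Constructed sample log (made-up entries in the Mac OS X appfirewall.log format).
# 129.16.225.20 appears from two different source ports on purpose.
SAMPLE_LOG='Jul 16 17:16:49 supersoulfighter Firewall[264]: Deny vnetd connecting from 212.181.162.139:58547 to port 42048 proto=6
Jul 16 17:48:46 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 129.16.225.20:34559
Jul 16 17:49:02 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 93.222.195.3:63810
Jul 16 17:49:10 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:49262 from 192.168.1.1:53
Jul 16 17:49:31 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 93.222.195.3:63810
Jul 16 17:50:05 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:49262 from 192.168.1.1:53
Jul 16 17:50:44 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 129.16.225.20:41002
Jul 16 17:51:12 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 85.210.46.84:4930
Jul 16 17:51:40 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:49262 from 192.168.1.1:53
Jul 16 17:52:03 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:46585 from 93.222.195.3:63810
Jul 16 17:52:20 supersoulfighter Firewall[264]: Stealth Mode connection attempt to UDP 192.168.1.70:49262 from 192.168.1.1:53'

# Read log lines on stdin; print "count source_ip", highest count first.
# The awk loop looks for the literal "from" field and takes the field after it,
# so the command does not depend on a fixed character offset like `uniq -s 110`.
# The split on ":" assumes IPv4 sources (an IPv6 address would be cut at its first colon).
rank_stealth_sources() {
    grep 'Stealth Mode connection attempt' \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "from") { split($(i+1), a, ":"); print a[1] } }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'    # normalise uniq's count padding (differs between BSD and GNU)
}

# Drop RFC 1918 and loopback sources from "count ip" lines: those are your own
# LAN (for example the router answering DNS from port 53), not something to
# report to an abuse contact.
drop_private() {
    awk '$2 !~ /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/'
}

# Stand-alone run: prints the ranking for the sample above.
printf '%s\n' "$SAMPLE_LOG" | rank_stealth_sources | drop_private

# To look up the abuse contact for the top entries (needs network access):
#   printf '%s\n' "$SAMPLE_LOG" | rank_stealth_sources | drop_private \
#     | head -n 3 | while read -r count ip; do whois "$ip" | grep -i abuse; done
```

On real data replace the `printf` with `cat appfirewall.log`. Counting per IP rather than per IP:port is what merges the two 129.16.225.20 entries into one line; with `uniq -s 110` they would be listed separately.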

My next step would be to run whois on those IPs and notify the abuse e-mail contact of the misbehavior, hoping that measures are taken to prevent misuse of the Net.

The views expressed in this blog are personal and do not in any way reflect the view of the MOLTO Consortium