SunScreen 3.1 Reference Manual

Log Macro Usage

A log macro is used by expanding its value and passing that expansion as a filter expression to a log get* or logdump command.

To introduce examples of log macro expansion using logmacro as a subcommand to ssadm, the first example shows the defined values of two macros as rendered by ssadm logmacro print:


admin% ssadm -r Screen logmacro print
NAME="probed-ports" ENABLED VALUE="icmp
or dstport telnet or dstport rlogin or dstport rsh or dstport ftp
or srcport X11 or port adminweb"
admin% ssadm -r Screen logmacro print sys=
SYS="Screen" NAME="suspicious" ENABLED VALUE="logwhy
256 logiface le0 ( not from trusted or to hidden )
macro probed-ports"

The examples above show two macros defined. The first, probed-ports, is Screen-nonspecific and ostensibly defines services that are thought to be targets for initial probes leading to security attacks. The second, suspicious, is specific to Screen and contains a more complete macro for filtering potential probes. It restricts itself to:

This hides Screen-specific issues of macros and lists macro names as they are used by embedded macro references.

Assume that the following definitions have been created and activated for registry items:


edit> list Address
"abraham" HOST 1.2.3.4
"hidden" RANGE 129.9.9.0 129.9.9.255
"john" HOST 2.3.4.5
"martin" HOST 3.4.5.6
"trusted" GROUP { "abraham" "martin" "john" } { }
edit> list Service
"rlogin" SIMPLE FORWARD "tcp" PORT 513
"rsh" SIMPLE FORWARD "tcp" PORT 514
"telnet" SIMPLE FORWARD "tcp" PORT 23
"X11" SIMPLE FORWARD "tcp" PORT 6000-6063

The following is an example of what you would type to expand the given macro, while logged in to Screen:


admin% ssadm -r Screen logmacro expand suspicious
logwhy 256 logiface le0 ( not ( from
1.2.3.4 or from 2.3.4.5 or from 3.4.5.6 ) or to
129.9.9.0..129.9.9.255 )
( icmp or dstport 23 or dstport 513 or dstport 514 or ( srcport
20 or dstport 21 ) or srcport 6000..6063 or port adminweb )

This usage illustrates various expansion and resolution operations performed by expand. The clause from trusted has been replaced by the registry values for the GROUP trusted. The clause to hidden has also been resolved to a registry RANGE, using the logdump syntax for IP address ranges a.b.c.d..e.f.g.h.

The embedded macro reference macro probed-ports has been expanded. The clauses that can be resolved from the registry (dstport telnet, dstport rlogin, dstport rsh, dstport ftp, and srcport X11) have been expanded using registry values. Clauses that were not found in the registry (icmp and port adminweb) were left to be resolved by logdump itself. The dstport ftp clause further illustrates the special processing employed for that protocol: it expands to ( srcport 20 or dstport 21 ), so the data connection's source port is matched as well as the control port. The expansion of the srcport X11 clause shows the logdump syntax for port ranges x..y.
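As an added illustration (not SunScreen code), the following toy Python model reproduces the expansion rules described above on the page's registry and macro data. The name ordering of GROUP members and the ftp handling are assumptions fitted to the output shown; everything else follows the page.

```python
"""Toy model of ssadm logmacro expand (constructed example, not SunScreen code)."""

# Registry entries taken from the page's "edit> list" output (constructed data).
ADDRESSES = {
    "abraham": ("HOST", "1.2.3.4"),
    "john": ("HOST", "2.3.4.5"),
    "martin": ("HOST", "3.4.5.6"),
    "hidden": ("RANGE", "129.9.9.0..129.9.9.255"),  # logdump range syntax a.b.c.d..e.f.g.h
    "trusted": ("GROUP", ["abraham", "martin", "john"]),
}
SERVICES = {"telnet": "23", "rlogin": "513", "rsh": "514", "X11": "6000..6063"}
MACROS = {
    "probed-ports": "icmp or dstport telnet or dstport rlogin or dstport rsh "
                    "or dstport ftp or srcport X11 or port adminweb",
    "suspicious": "logwhy 256 logiface le0 ( not from trusted or to hidden ) "
                  "macro probed-ports",
}

def resolve_address(keyword, name):
    """Expand 'from NAME' / 'to NAME' into the registry's HOST, RANGE or GROUP values."""
    kind, value = ADDRESSES[name]
    if kind == "GROUP":
        # Assumption: members are emitted in name order, which matches the page's output.
        return "( " + " or ".join(resolve_address(keyword, m) for m in sorted(value)) + " )"
    return f"{keyword} {value}"

def resolve_port(keyword, name):
    """Expand a service name; dstport ftp gets the special control+data handling."""
    if name == "ftp" and keyword == "dstport":
        return "( srcport 20 or dstport 21 )"
    return f"{keyword} {SERVICES[name]}"

def expand(macro_name):
    """Return the macro's filter expression with registry items and macro refs resolved."""
    tokens = MACROS[macro_name].split()
    out, i = [], 0
    while i < len(tokens):
        kw = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if kw in ("from", "to") and arg in ADDRESSES:
            out.append(resolve_address(kw, arg)); i += 2
        elif kw in ("srcport", "dstport", "port") and (arg in SERVICES or (kw, arg) == ("dstport", "ftp")):
            out.append(resolve_port(kw, arg)); i += 2
        elif kw == "macro" and arg in MACROS:
            out.append("( " + expand(arg) + " )"); i += 2   # embedded macro reference
        else:
            out.append(kw); i += 1   # unknown clause (icmp, port adminweb): left for logdump
    return " ".join(out)

if __name__ == "__main__":
    print(expand("suspicious"))
```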


Note -

Resolution of SunScreen registry items performed by expand uses the currently activated policy on the Screen where the expand operation is executed.


The logmacro expand mechanism has been designed to facilitate simple command-line usage in conjunction with the other log processing facilities of SunScreen.

The following is an example of what you would type to employ the above macro to retrieve the suspicious items in the current log on the Screen and display them, while logged in to Screen:


admin% ssadm -r Screen log get `ssadm -r Screen logmacro expand suspicious` | ssadm logdump -V -i-