SunScreen 3.2 Administrator's Overview

Log Macro Usage

To use a log macro, you expand its value and pass the expansion as a filter expression to a log get* or logdump command.

The examples below use logmacro as a subcommand of ssadm. The first shows the defined values of two macros as rendered by ssadm logmacro print:


admin% ssadm -r Screen logmacro print
NAME="probed-ports" ENABLED VALUE="icmp or dstport telnet or dstport 
 rlogin or dstport rsh or dstport ftp or srcport X11 or port adminweb"
admin% ssadm -r Screen logmacro print sys=
SYS="Screen" NAME="suspicious" ENABLED VALUE="logwhy 256 logiface le0 
( not from trusted or to hidden ) macro probed-ports"

Two macros are defined. The first, probed-ports, is not specific to any Screen (its print output carries no SYS= field) and names services that are thought to be targets for the initial probes that precede an attack. The second, suspicious, is specific to the Screen named Screen and builds a more complete filter for potential probes on top of probed-ports. It restricts itself to:

Assume that the following definitions have been created and activated for registry items:


edit> list Address
"abraham" HOST 1.2.3.4
"hidden" RANGE 129.9.9.0 129.9.9.255
"john" HOST 2.3.4.5
"martin" HOST 3.4.5.6
"trusted" GROUP { "abraham" "martin" "john" } { }
edit> list Service
"rlogin" SIMPLE FORWARD "tcp" PORT 513
"rsh" SIMPLE FORWARD "tcp" PORT 514
"telnet" SIMPLE FORWARD "tcp" PORT 23
"X11" SIMPLE FORWARD "tcp" PORT 6000-6063

To expand a given macro, while logged into a Screen:


admin% ssadm -r Screen logmacro expand suspicious
logwhy 256 logiface le0 ( not ( from
1.2.3.4 or from 2.3.4.5 or from 3.4.5.6 ) or to
129.9.9.0..129.9.9.255 )
( icmp or dstport 23 or dstport 513 or dstport 514 or ( srcport
20 or dstport 21 ) or srcport 6000..6063 or port adminweb )

This usage illustrates the expansion and resolution operations that expand performs. The clause from trusted has been replaced by a parenthesized disjunction of from clauses, one for each HOST in the GROUP trusted; the parentheses keep the preceding not applied to the whole group rather than only to its first member. The clause to hidden has been resolved to the registry RANGE, written in the logdump syntax for IP address ranges, a.b.c.d..e.f.g.h.

The embedded macro reference macro probed-ports has been expanded in place and parenthesized. The clauses that could be resolved from the registry (dstport telnet, dstport rlogin, dstport rsh, dstport ftp, and srcport X11) have been replaced by their registry port values. Clauses not found in the registry (icmp and port adminweb) are passed through untouched, to be resolved by logdump itself. The dstport ftp clause shows the special processing applied to that protocol: it becomes ( srcport 20 or dstport 21 ), matching traffic from the FTP data port as well as traffic to the FTP control port. The expansion of srcport X11 shows the logdump syntax for port ranges, x..y.
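As an added illustration (not SunScreen code), the following Python models the resolution rules that the expansion above exhibits. The registry and macro definitions are constructed from the listings on this page; it reproduces the printed expansion of suspicious exactly. The ftp special case, the name-ordered emission of GROUP members, and the error raised for macros that reference each other in a cycle are assumptions inferred from the output, not documented SunScreen behaviour.

```python
"""Model of the registry resolution performed by `ssadm logmacro expand`.

Added illustration, not SunScreen code.  The registry and macro data below
are constructed from the listings on this page; the resolution rules are
inferred from the printed expansion of the `suspicious` macro.
"""

# Registry as shown by `edit> list Address` and `edit> list Service`.
ADDRESSES = {
    "abraham": ("HOST", "1.2.3.4"),
    "hidden": ("RANGE", ("129.9.9.0", "129.9.9.255")),
    "john": ("HOST", "2.3.4.5"),
    "martin": ("HOST", "3.4.5.6"),
    "trusted": ("GROUP", ["abraham", "martin", "john"]),
}
SERVICES = {"rlogin": "513", "rsh": "514", "telnet": "23", "X11": "6000-6063"}

# Macro values as shown by `ssadm logmacro print`.
MACROS = {
    "probed-ports": "icmp or dstport telnet or dstport rlogin or dstport rsh "
                    "or dstport ftp or srcport X11 or port adminweb",
    "suspicious": "logwhy 256 logiface le0 ( not from trusted or to hidden ) "
                  "macro probed-ports",
}


def resolve_address(direction, name):
    """Rewrite `from NAME` / `to NAME` into logdump address clauses."""
    kind, value = ADDRESSES[name]
    if kind == "HOST":
        return [direction, value]
    if kind == "RANGE":
        return [direction, "%s..%s" % value]   # logdump range syntax a.b.c.d..e.f.g.h
    if kind == "GROUP":
        # A GROUP becomes a parenthesised disjunction, so a preceding `not`
        # negates the whole group.  Assumption: members are emitted in name
        # order, which is what the page's output shows.
        out = ["("]
        for i, member in enumerate(sorted(value)):
            if i:
                out.append("or")
            out.extend(resolve_address(direction, member))
        out.append(")")
        return out
    raise ValueError("unknown address kind %r" % kind)


def resolve_port(keyword, name):
    """Rewrite `srcport/dstport/port NAME` into numeric port clauses."""
    if keyword == "dstport" and name == "ftp":
        # Special case visible on the page: FTP data comes from port 20,
        # FTP control goes to port 21.  Only this form is modelled (assumption).
        return ["(", "srcport", "20", "or", "dstport", "21", ")"]
    if name in SERVICES:
        return [keyword, SERVICES[name].replace("-", "..")]   # x-y -> x..y
    return [keyword, name]          # unknown (e.g. adminweb): left for logdump


def _expand_tokens(text, macros, stack):
    tokens = text.split()
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("from", "to") and nxt in ADDRESSES:
            out.extend(resolve_address(tok, nxt))
            i += 2
        elif tok in ("srcport", "dstport", "port") and nxt is not None:
            out.extend(resolve_port(tok, nxt))
            i += 2
        elif tok == "macro" and nxt is not None:
            if nxt in stack:            # assumption: a macro cycle is an error
                raise ValueError("macro cycle: " + " -> ".join(stack + (nxt,)))
            out.append("(")             # nested macro is expanded and parenthesised
            out.extend(_expand_tokens(macros[nxt], macros, stack + (nxt,)))
            out.append(")")
            i += 2
        else:
            out.append(tok)             # logwhy, logiface, icmp, not, or, ( ) ...
            i += 1
    return out


def expand_macro(name, macros=MACROS):
    """Return the fully resolved filter expression for macro NAME."""
    return " ".join(_expand_tokens(macros[name], macros, (name,)))


if __name__ == "__main__":
    print(expand_macro("suspicious"))
```

Running the script prints the same expression that ssadm logmacro expand suspicious produced above; the cycle check matters because a macro that references itself through another macro would otherwise recurse without end.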


Note -

Resolution of SunScreen registry items by expand uses the currently activated policy on the Screen where the expand is run. The same macro can therefore expand differently on another Screen, or after a different policy is activated, so re-run expand rather than reusing a saved expansion.


logmacro expand is designed for simple command-line use together with the other SunScreen log processing facilities.

To use the macro above to retrieve the suspicious records from the current log on the Screen and display them, while logged into the Screen:


admin% ssadm -r Screen log get `ssadm -r Screen logmacro expand suspicious` |  
ssadm logdump -v -i-