The Syslog ALG can perform checks on Syslog messages passing through the firewall with the ability to drop messages containing certain text. The ALG is not used with Syslog messages generated by the local firewall itself.
Syslog ALG Setup
The Syslog ALG is set up using the following steps:
1. Create a new ServiceTCPUDP object that has the following settings:
DestinationPorts: 514
Type: UDP
AppProto: Syslog
Alternatively, the predefined syslog service could be used. This already has its AppProto property set to the value Syslog.
2. Create a new SyslogAlgProfile object that defines the type of processing to be performed by cOS Stream on the targeted Syslog traffic. The key properties of this object are described below.
3. Create a new IPRule object that allows the targeted Syslog traffic to flow. The Service property of the rule's filter must be set to the service created in the first step. The SyslogAlgProfile created in the previous step must also be assigned to the rule.
Key Properties of SyslogAlgProfile
A SyslogAlgProfile object has the following key properties:
AppendTag
This option has the value Disabled by default. This can be changed to a value of RecvIfName in order to append the name of the receiving interface to the Syslog message.
The appended data will always be surrounded by double quotation marks and will have a preceding space character. For example:
"if3"
TagPrefix
If the AppendTag option is not disabled, the TagPrefix property can optionally be used to specify a prefix for the appended data. The prefix chosen should not be a string that might appear in any of the messages processed. For example, if the tag prefix is specified as Receiving_If= then the appended text would appear like the following:
Receiving_If="if3"
Note that the tag prefix also has a preceding space automatically inserted. The prefix specified has a length limit of 15 characters and cannot include spaces.
DenyProhibitedKeywords
If this option is enabled then a comma separated list of prohibited keywords can be specified using the ProhibitedKeywords property. The list can contain up to four strings and each string cannot be longer than 15 characters.
If a Syslog message contains any of these keywords then it is dropped. The option can help guard against spurious data being inserted into a message. By default, this option is disabled.
MaxSyslogLength
If the Syslog message payload exceeds this size in bytes, the message is dropped. The default value is 4096 bytes. This option is always enabled.
Any Return Traffic Will Close Traffic Flows
Syslog traffic is one directional and there should be no traffic going in the return direction. If the Syslog ALG detects any returning traffic, the traffic is dropped and the flow is closed.
Example 10.7. Syslog ALG Setup
In this example, Syslog traffic flowing between interfaces if1 and if2 will be scanned using a SyslogAlgProfile.
The following is required for the Syslog messages processed:
Messages will be tagged with the receiving interface and the tag prefix text "Receiving_If=" will be added.
Syslog messages will be dropped if they contain either the keyword "test" or "debug".
The maximum allowed message size is to be 8192 bytes, otherwise the message is dropped.
Command-Line Interface
A. Create a new Service object for the Syslog traffic:
System:/> add Service ServiceTCPUDP my_syslog_service Type=UDP DestinationPorts=514 AppProto=Syslog
B. Create a SyslogAlgProfile object:
System:/> add SyslogAlgProfile my_syslog_profile AppendTag=RecvIfName TagPrefix="Receiving_If=" DenyProhibitedKeywords=Yes ProhibitedKeywords=test,debug MaxSyslogLength=8192
C. Create an IPRule for Syslog traffic:
System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow Service=my_syslog_service SourceInterface=if1 SourceNetwork=if1_net DestinationInterface=if2 DestinationNetwork=if2_net SyslogAlgProfile=my_syslog_profile Name=my_syslog_rule
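The following Python model of the SyslogAlgProfile checks described above, configured like the profile in Example 10.7, is an added illustration and not cOS Stream code. It assumes keyword matching is a plain case-sensitive substring test and that MaxSyslogLength is compared against the payload as received, before the tag is appended; the sample messages are constructed.

```python
# Added example (not Clavister code): a model of the SyslogAlgProfile checks,
# configured like Example 10.7. The property limits from the documentation
# (15-char prefix without spaces, at most 4 keywords of 15 chars) are enforced
# when the profile is created, as the firewall configuration would reject them.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class SyslogAlgProfile:
    append_tag: str = "Disabled"             # "Disabled" or "RecvIfName"
    tag_prefix: str = ""                     # at most 15 chars, no spaces
    deny_prohibited_keywords: bool = False
    prohibited_keywords: List[str] = field(default_factory=list)
    max_syslog_length: int = 4096            # always enforced, default 4096 bytes

    def __post_init__(self) -> None:
        if len(self.tag_prefix) > 15 or " " in self.tag_prefix:
            raise ValueError("TagPrefix: max 15 characters, no spaces")
        if len(self.prohibited_keywords) > 4 or any(len(k) > 15 for k in self.prohibited_keywords):
            raise ValueError("ProhibitedKeywords: at most 4 strings of max 15 characters")

def process(profile: SyslogAlgProfile, payload: bytes, recv_ifname: str,
            is_return_traffic: bool = False) -> Tuple[str, Optional[bytes]]:
    """Return ("close", None), ("drop", None) or ("allow", forwarded_payload)."""
    # Syslog is one-directional: any return traffic is dropped and the flow closed.
    if is_return_traffic:
        return ("close", None)
    # MaxSyslogLength is a byte limit on the payload (assumed: checked before tagging).
    if len(payload) > profile.max_syslog_length:
        return ("drop", None)
    # DenyProhibitedKeywords: assumed case-sensitive substring match.
    if profile.deny_prohibited_keywords:
        for kw in profile.prohibited_keywords:
            if kw.encode() in payload:
                return ("drop", None)
    if profile.append_tag == "RecvIfName":
        # Appended data: a leading space, the optional prefix, the interface name in double quotes.
        payload = payload + b' ' + profile.tag_prefix.encode() + b'"' + recv_ifname.encode() + b'"'
    return ("allow", payload)

# Profile matching Example 10.7.
EXAMPLE_PROFILE = SyslogAlgProfile(append_tag="RecvIfName", tag_prefix="Receiving_If=",
                                   deny_prohibited_keywords=True,
                                   prohibited_keywords=["test", "debug"],
                                   max_syslog_length=8192)

if __name__ == "__main__":
    # Constructed sample messages: the first is forwarded with a tag, the second is dropped.
    for msg in [b"<34>Oct 11 22:14:15 host su: 'su root' failed", b"<34>host app: debug mode on"]:
        print(process(EXAMPLE_PROFILE, msg, "if1"))
```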