Posted: Fri Mar 24, 2023 16:55 Post subject: available log levels changes in security logging
Noticing differences in what is being logged in /Log_incoming.asp
hardware: WRT3200ACM
DD-WRT v3.0-r51440 (Behavior changed shortly after this version)
DD-WRT v3.0-r52095 (current version)
On the security tab (/Firewall.asp), the bottom section for log management changed recently. Before, the options for log level were Low/Med/High. These corresponded to nvram values for log_level as such: 0:low, 1:med, 2:high.
At some point the log level settings changed such that values in the GUI now correspond to the following log_levels: 0:disabled, 1:med, 2:high.
Before, the setting used was log_level=0, corresponding to a setting of "low" in the GUI. In this configuration brute force attempts were caught, logged, and dropped accordingly. Now, running the latest version, a setting of log_level=0 does in fact appear to do nothing. The problem is with log_level=1, corresponding to Medium logging. When this setting is in use, it appears to be logging some traffic as being dropped much more than DoS attacks are actually occurring, or other traffic is erroneously being written to /Log_incoming.asp as if it were attacks. The traffic now being reported here looks like out-of-sequence packets or those which timed out, versus actual DoS attacks.
Can you clarify exactly what is being logged in the current versions with regard to disable/med/high log levels? Also what happened to what was formerly "low" logging?
What was formerly log_level=0 (low) showed traffic which was actually dropped due to malicious activity. What is now log_level=1 (medium) shows a bunch of traffic which isn't malicious, and appears to be timed-out, out-of-sequence (possibly due to retries) packets, or packets removed from the state table (guessing).
The reason why this matters is I was using the information on malicious traffic to create permanent bans for those IPs. With the way 'medium' logging now works, there is tons of traffic there which isn't actually bad traffic per se.
Attached is a graph showing the rate of 'bad traffic' when the filter was set to 'low', then switched to 'med', and back to 'low'. Why was 'low' removed? It showed valuable information which is no longer available.
Last edited by inetquestion on Mon Mar 27, 2023 22:08; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12499 Location: Netherlands
Posted: Sun Mar 26, 2023 6:15 Post subject:
Yes, I know. There was a bug in the code logic and two options were discussed, an elaborate one and a simple one; having Ockham's razor in mind, the simpler solution was chosen.
The traffic you see could be from the newly instated INVALID rules.
You can manually delete these rules with:
iptables -D FORWARD -o $(get_wanface) -p tcp ! -s $(nvram get wan_ipaddr) -m state --state INVALID -j DROP
iptables -D INPUT -m state --state INVALID -j DROP
ip6tables -D INPUT -m conntrack --ctstate INVALID -j DROP
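Rather than deleting the INVALID rules, a middle ground is to keep the drops but give them their own log prefix so the Log_incoming entries caused by out-of-state packets can be separated from the brute-force/DoS drops that were being used for bans. The script below is an added example, not DD-WRT's own code: it emits (or, with DRY_RUN=0, applies) rate-limited iptables LOG rules for INVALID packets in the same chains as the posted DROP rules, then classifies kernel-log lines by that prefix and lists ban candidates only from the non-INVALID entries. The prefix `FW-INVALID: `, the interface default `eth0`, and the sample log lines are all assumptions constructed for the example; on DD-WRT the interface would come from `$(get_wanface)` as in the commands above.

```shell
#!/bin/sh
# Added example, not DD-WRT's own code. Tags packets matched by the INVALID
# DROP rules quoted above with a distinct log prefix so they can be told apart
# from real DoS/brute-force drops in the kernel log, then sorts log lines into
# the two buckets and lists ban candidates only from the non-INVALID bucket.
# Assumed: iptables with the state, limit and LOG extensions; the interface
# argument is whatever $(get_wanface) prints on DD-WRT (defaults to eth0 here).

PREFIX="FW-INVALID: "

# Print (DRY_RUN=1, the default) or execute (DRY_RUN=0) iptables commands that
# log INVALID packets before the existing DROP rules see them (-I without a
# rule number inserts at position 1). Rate limited so a flood of out-of-state
# packets cannot fill syslog. Dry-run output shows the prefix unquoted.
invalid_log_rules() {
    wanface="${1:-eth0}"
    for spec in "INPUT" "FORWARD -o $wanface"; do
        # $spec is split on purpose: "FORWARD -o eth0" becomes three arguments
        set -- iptables -I $spec -m state --state INVALID \
            -m limit --limit 5/min --limit-burst 10 \
            -j LOG --log-prefix "$PREFIX" --log-level 4
        if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
    done
}

# Read kernel-log lines on stdin. First output line: "invalid=N other=M".
# Remaining lines: distinct SRC= addresses seen only in non-INVALID entries,
# i.e. the addresses worth considering for a permanent ban.
classify_drops() {
    awk -v pfx="$PREFIX" '
        / SRC=/ {
            if (index($0, pfx) > 0) { inv++; next }
            oth++
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) srcs[substr($i, 5)] = 1
        }
        END {
            printf "invalid=%d other=%d\n", inv + 0, oth + 0
            for (s in srcs) print s
        }'
}

# Constructed sample log lines (RFC 5737 addresses), not a real capture.
# The first two are late ACK/FIN segments for a closed flow; the rest are
# repeated SYNs against port 22 from two hosts.
SAMPLE='Mar 26 06:15:01 kernel: FW-INVALID: IN=vlan2 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=443 DPT=51234 ACK FIN
Mar 26 06:15:02 kernel: FW-INVALID: IN=vlan2 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=443 DPT=51234 ACK
Mar 26 06:15:05 kernel: DROP IN=vlan2 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=22 SYN
Mar 26 06:15:06 kernel: DROP IN=vlan2 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22 SYN
Mar 26 06:15:07 kernel: DROP IN=vlan2 OUT= SRC=192.0.2.77 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=22 SYN'

echo "# rules to add (dry run):"
invalid_log_rules "$(get_wanface 2>/dev/null || echo eth0)"
echo "# classification of the sample:"
printf '%s\n' "$SAMPLE" | classify_drops
```

Two caveats. The LOG rule matches every INVALID packet entering the chain, not only those the posted DROP rule later catches, so if some earlier rule accepts an INVALID packet it will still be tagged; with the DROP rules in place that set is the same. And because DD-WRT rebuilds the firewall on WAN restart, the rules have to be applied from the firewall script rather than once from a shell, otherwise the tagging silently disappears and INVALID drops fall back into the undifferentiated log.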
Is the former and/or current condition documented as to what it's supposed to be doing? Reason for asking: if this is currently built on shifting sand, it's unlikely I'll stick with the platform, or I will be stuck on an old version until things settle in this area. Seems like an important change to make with little public discussion as to what the changes were intended to do, coupled with the ability for others to test/verify.
I'm not an iptables expert, so leveraging this platform seemed like a good idea at the time. Shocked with this recent change, as I'm struggling to understand how users would benefit from the change. Sure, it's more complicated than I'm aware...
Joined: 06 Jun 2006 Posts: 7445 Location: Dresden, Germany
Posted: Fri Mar 31, 2023 19:41 Post subject: Re: available log levels changes in security logging
inetquestion wrote:
Noticing differences in what is being logged in /Log_incoming.asp
hardware: WRT3200ACM
DD-WRT v3.0-r51440 (Behavior changed shortly after this version)
DD-WRT v3.0-r52095 (current version)
On the security tab (/Firewall.asp), the bottom section for log management changed recently. Before, the options for log level were Low/Med/High. These corresponded to nvram values for log_level as such: 0:low, 1:med, 2:high.
At some point the log level settings changed such that values in the GUI now correspond to the following log_levels: 0:disabled, 1:med, 2:high.
Before, the setting used was log_level=0, corresponding to a setting of "low" in the GUI. In this configuration brute force attempts were caught, logged, and dropped accordingly. Now, running the latest version, a setting of log_level=0 does in fact appear to do nothing. The problem is with log_level=1, corresponding to Medium logging. When this setting is in use, it appears to be logging some traffic as being dropped much more than DoS attacks are actually occurring, or other traffic is erroneously being written to /Log_incoming.asp as if it were attacks. The traffic now being reported here looks like out-of-sequence packets or those which timed out, versus actual DoS attacks.
Can you clarify exactly what is being logged in the current versions with regard to disable/med/high log levels? Also what happened to what was formerly "low" logging?
low / 0 means off. This was always the case. We just corrected the behaviour to not confuse people anymore.
Posted: Sun Apr 02, 2023 13:48 Post subject: Re: available log levels changes in security logging
BrainSlayer wrote:
low / 0 means off. This was always the case. We just corrected the behaviour to not confuse people anymore.
In removing what was level 0, where data was being logged, the data which used to show up here was valuable by itself. That data is either not available at all or has been munged together with other data which taints the result. If wanting a level which actually does nothing, I get that. The current incarnation lost something useful. Would it be possible to have 4 levels?