Fix error logging to be less noisy for port scans

Open david-watson opened this issue 8 years ago • 10 comments

Deployed the latest glutton on a Digital Ocean droplet (no docker) and ran a basic nmap scan (all TCP ports). Would expect to see the results as all ports open, but some ports did not respond and many "use of closed network connection" errors were logged:

[email protected]:~$ nmap g.g.g.g

Starting Nmap 6.40 ( http://nmap.org ) at 2017-11-17 04:46 GMT
Nmap scan report for g.g.g.g
Host is up (0.18s latency).
PORT      STATE    SERVICE
1/tcp     open     tcpmux
3/tcp     open     compressnet
4/tcp     open     unknown
6/tcp     open     unknown
7/tcp     open     echo
9/tcp     open     discard
13/tcp    open     daytime
17/tcp    open     qotd
19/tcp    open     chargen
20/tcp    open     ftp-data
21/tcp    open     ftp
22/tcp    open     ssh
23/tcp    open     telnet
24/tcp    open     priv-mail
25/tcp    open     smtp
26/tcp    open     rsftp
30/tcp    open     unknown
...

Logs:

2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:40613: use of closed network connection
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:50191: use of closed network connection
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:56103: use of closed network connection
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:56748: use of closed network connection
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:35219: use of closed network connection
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:37463: use of closed network connection
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:50858: use of closed network connection
2017/11/17 04:47:17 ERROR user.tcp: close tcp g.g.g.g:5000->n.n.n.n:41272: use of closed network connection

david-watson avatar Nov 17 '17 05:11 david-watson

Did we confirm that you will get all ports when specifying the range?

glaslos avatar Nov 19 '17 04:11 glaslos

might be worth making a system test via Docker

kung-foo avatar Nov 19 '17 11:11 kung-foo

Default nmap scans top 1000 ports, so no ports missed, but a lot of errors in the logs

david-watson avatar Nov 19 '17 20:11 david-watson

probably comes from: https://github.com/kung-foo/freki/blob/master/userconnhandler_tcp.go#L45

kung-foo avatar Nov 21 '17 11:11 kung-foo

Updated title to reflect feedback

glaslos avatar Nov 23 '17 10:11 glaslos

I have a comparable situation which I think might be related to new connections / drops in normal operation (no portscan). For every connection attempt I am getting a ...

{"level":"info","ts":1523885848.9937115,"caller":"glutton/system.go:34","msg":"[system  ] running Go routines: 16 and open files: 9","sensorID":"ce2600c6-62dd-47e8-b4cd-507e83081847"}

... even if debug is set to false.

Is there an easy way to tune that down or just log [log.tcp ]-related events?

t3chn0m4g3 avatar Apr 16 '18 13:04 t3chn0m4g3

You want to change this line: https://github.com/mushorg/glutton/blob/master/system.go#L34

glaslos avatar Apr 16 '18 15:04 glaslos

@glaslos Thank you, just got rid of ...

			case <-ticker.C:
				openFiles := countOpenFiles()
				runningRoutines := countRunningRoutines()
				g.logger.Info(fmt.Sprintf("[system  ] running Go routines: %d and open files: %d",
					openFiles, runningRoutines))

... and the log file is finally quiet when nothing is going on.

t3chn0m4g3 avatar May 18 '18 21:05 t3chn0m4g3

You could also change g.logger.Info to g.logger.Debug and set Glutton's log level to info.

glaslos avatar May 18 '18 21:05 glaslos
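
An added example, not code from Glutton or freki: one way to keep the "use of closed network connection" close errors from the original report out of the ERROR stream is to classify the error before logging it. The `Level` type, `closeLevel` and `scanCloseError` are hypothetical names, the addresses are constructed samples, and `net.ErrClosed` assumes Go 1.16 or later.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
	"syscall"
)

// Level is a hypothetical severity type for this example only.
type Level string

const (
	None  Level = ""
	Debug Level = "debug"
	Error Level = "error"
)

// closeLevel picks the severity for an error returned by conn.Close().
// "Already closed" and "peer reset" are normal when a scanner drops the
// connection, so they are demoted to debug; anything else stays an error.
func closeLevel(err error) Level {
	switch {
	case err == nil:
		return None
	case errors.Is(err, net.ErrClosed), // Go 1.16+
		errors.Is(err, syscall.ECONNRESET),
		errors.Is(err, syscall.EPIPE):
		return Debug
	case strings.Contains(err.Error(), "use of closed network connection"):
		return Debug // fallback for errors that lost their wrapping
	}
	return Error
}

// scanCloseError builds (constructed sample) the error shape seen in the logs.
func scanCloseError(port int) error {
	return &net.OpError{Op: "close", Net: "tcp",
		Source: &net.TCPAddr{IP: net.IPv4(192, 0, 2, 10), Port: 5000},
		Addr:   &net.TCPAddr{IP: net.IPv4(198, 51, 100, 7), Port: port},
		Err:    net.ErrClosed}
}

func main() {
	reset := &net.OpError{Op: "read", Net: "tcp", Err: os.NewSyscallError("read", syscall.ECONNRESET)}
	for _, err := range []error{scanCloseError(40613), reset, errors.New("too many open files")} {
		fmt.Printf("%-5s %v\n", closeLevel(err), err)
	}
}
```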