Profile Applicability:
 • Level 1

Description:
 Logging suspicious network packets enables detection of potentially malicious activity such as spoofing, malformed packets, or unexpected protocol usage. Collecting these logs is crucial for effective incident response and network security monitoring.

Rationale:
 Logging suspicious packets provides visibility into anomalous traffic patterns that could indicate attacks or misconfigurations, helping to quickly identify and mitigate threats.

Impact:
 Pros:

  • Enhances detection of network-based attacks.

  • Supports forensic analysis and security investigations.

 Cons:

  • May increase log volume; requires adequate log management and analysis tools.

Default Value:
 Logging of suspicious packets may not be enabled by default.

Pre-requisites:

  • Root or sudo privileges to configure network logging.

Remediation:

Test Plan:

Using Linux command line:

1. Check current iptables or nftables logging rules for suspicious packets. For example, using iptables:

iptables -L -v -n | grep LOG

2. Verify logging rules exist for suspicious or malformed packets.
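The check above only confirms that some LOG rule exists somewhere. The following is an added example, not part of the benchmark text, that audits a saved ruleset dump (the output of `iptables -S INPUT` or `iptables-save`, so it runs without root) for the two properties this recommendation actually needs: a LOG rule that matches INVALID-state packets, and rate limiting on every LOG rule so that a packet flood cannot also flood the log. The two sample rule sets are constructed for this example; the non-compliant one is the Implementation Plan rule as written, which has no `-m limit`.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: audit an iptables ruleset dump
# for the suspicious-packet LOG rules this recommendation asks for. The dump is
# the output of `iptables -S INPUT` (or `iptables-save`), so the audit can run
# against a saved file without root. Both sample rule sets are constructed.

SAMPLE_DIR=$(mktemp -d)

# Constructed sample: INVALID packets are logged, and the LOG rule is rate-limited.
cat > "$SAMPLE_DIR/compliant.rules" <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Suspicious Packet: "
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF

# Constructed sample: the Implementation Plan rule as written. INVALID packets
# are logged, but without -m limit a flood of malformed packets produces a
# flood of log entries.
cat > "$SAMPLE_DIR/noncompliant.rules" <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix "Suspicious Packet: "
EOF

# audit_log_rules <dump-file>
# Prints one PASS/FAIL line per check; returns 0 only if every check passes.
audit_log_rules() {
    dump="$1"
    status=0

    # Check 1: some rule matches INVALID-state packets and jumps to LOG.
    # Both the legacy "--state INVALID" and "--ctstate INVALID" are accepted.
    if grep -E -- '--(ct)?state INVALID' "$dump" | grep -q -- '-j LOG'; then
        echo "PASS: INVALID packets are logged"
    else
        echo "FAIL: no LOG rule for INVALID packets"
        status=1
    fi

    # Check 2: every LOG rule carries -m limit (the Cons item above: unbounded
    # logging lets a packet flood fill the log or the disk).
    unlimited=$(grep -- '-j LOG' "$dump" | grep -vc -- '-m limit' || true)
    if [ "${unlimited:-0}" -eq 0 ]; then
        echo "PASS: every LOG rule is rate-limited"
    else
        echo "FAIL: $unlimited LOG rule(s) without -m limit"
        status=1
    fi

    return "$status"
}

# Run the audit on both constructed samples; the second is expected to fail.
audit_log_rules "$SAMPLE_DIR/compliant.rules"
audit_log_rules "$SAMPLE_DIR/noncompliant.rules" || echo "(non-compliant sample, as expected)"
```

On a live system, feed the audit with `iptables -S INPUT > /tmp/input.rules && audit_log_rules /tmp/input.rules`; because it reads the `-S` form rather than `-L -v -n`, the match and target options appear exactly as they were entered, which is what the two greps rely on.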

Implementation Plan:

Using Linux command line:

1. Add logging rules for suspicious packets, e.g., in iptables:

iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "Suspicious Packet: "
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "Potential Attack: "

2. Save iptables rules to persist across reboots:

service iptables save  # or equivalent for your system
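Two caveats on the rules as written: the first logs every INVALID packet with no rate limit, so a burst of malformed packets becomes a burst of log lines (the Cons item above), and the second rule, `-m limit --limit 5/min -j LOG`, matches every packet that reaches it, suspicious or not, so it samples ordinary traffic into the log under the "Potential Attack" prefix. The following is an added example, not part of the benchmark text, that applies the same idea in a hardened form: rules are appended only if not already present (so re-running the script does not duplicate rules), the rate limit is placed on the INVALID rule itself, and the running ruleset is written out for persistence. `IPT`, `IPT_SAVE` and `RULES_FILE` are this example's assumptions; `/etc/iptables/rules.v4` is the iptables-persistent location on Debian-based systems, while Red Hat-based systems use `service iptables save` as shown above.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: a hardened form of the
# Implementation Plan above. Rules are added only if not already present
# (iptables -C), the LOG rules are rate-limited so a packet flood cannot also
# flood the log, and the running ruleset is written out for reboot persistence.
# Assumptions: IPT names the iptables binary (overridable for dry runs),
# IPT_SAVE names iptables-save, and RULES_FILE is the iptables-persistent path
# on Debian-based systems.

IPT="${IPT:-iptables}"
IPT_SAVE="${IPT_SAVE:-iptables-save}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# ensure_rule <chain> <rule-spec...>
# Appends the rule only when an identical one is not already in the chain,
# so running the script twice does not duplicate rules (and log lines).
ensure_rule() {
    chain="$1"; shift
    if "$IPT" -C "$chain" "$@" 2>/dev/null; then
        echo "present: -A $chain $*"
    else
        "$IPT" -A "$chain" "$@"
        echo "added:   -A $chain $*"
    fi
}

install_logging_rules() {
    # Packets the connection tracker cannot attribute to any flow (out-of-window
    # sequence numbers, unexpected flag combinations, stray ACKs): the page's
    # "Suspicious Packet" rule, limited to 5 log entries per minute with a
    # burst allowance of 10.
    ensure_rule INPUT -m conntrack --ctstate INVALID \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "Suspicious Packet: " --log-level 4

    # One concrete malformed-packet pattern from the Description: TCP segments
    # with no flags set, which no legitimate TCP implementation sends.
    ensure_rule INPUT -p tcp --tcp-flags ALL NONE \
        -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "Suspicious Packet: " --log-level 4
}

# Persist the running ruleset so the rules survive a reboot.
persist_rules() {
    "$IPT_SAVE" > "$RULES_FILE"
}

# Usage (as root): install_logging_rules && persist_rules
```

Because both LOG rules share the "Suspicious Packet: " prefix, the Backout Plan's `iptables -D` invocations must repeat each rule's full specification, including the `-m limit` options, or use `iptables -S INPUT` to read the exact form back before deleting it.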

Backout Plan:

Using Linux command line:

1. Remove or modify logging rules if needed:

iptables -D INPUT -m state --state INVALID -j LOG --log-prefix "Suspicious Packet: "
iptables -D INPUT -m limit --limit 5/min -j LOG --log-prefix "Potential Attack: "

2. Save iptables rules after changes.

References: