Friday, February 5, 2016

rsyslog for IQeye network cameras

The classic IQeye cameras (not the Xilinx or Ambarella-based ones) include a built-in syslog daemon that will log to a syslog server of your choosing. Over 514/UDP, naturally.

This applies to models like the IQ7xx, IQ8xx and IQ5xx (not sure about IQ54x), but not IQx3x models like the IQ732 or IQ030s. Basically, the MJPEG cameras, not the H.264 ones.

Why would I want this? Why even write the feature into an IP camera?

There are some useful applications that can be built around watching the logs sent by IQeye cameras:
  1. See and react to strange requests for strange URLs
    1. Your firewall only sees IP addresses at layer 3; it is not aware of HTTP requests. Using syslog we can see which URLs clients are actually requesting at layer 7 and determine whether real people or bots are attempting to compromise generic HTTP services. If you are seeing WordPress URL requests, you can gather IPs to block, which are likely just compromised hosts.
  2. Trigger actions based on events
    1. FTP transactions (especially if you don't have the ability to set file watches using inotify on your FTP server)
    2. motion detected
    3. NTP updates
    4. DHCP renewals
  3. Requests for URLs like serverpush.html
    1. I had an incident where an internet user was changing my admin passwords. I leave my cameras with default passwords because I want people to explore a bit. It's interesting to see who stumbles into the honeypot!
  4. Advanced logic, such as detecting motion, changing lighting settings, or displaying currently connected clients on a map
    1. By design, the built-in web pages use JavaScript to make requests to the onboard "API" using OIDs
  5. Detect client connections and update a status board

Using the syslog data, you can generate a report of the most frequently requested files and where the client IPs are located. You can also correlate this with your iptables log to get an idea of who's requesting what from where.


Caveats

One drawback of getting the HTTP requests is that this level of logging also includes the FTP operations for triggered events. You'll need to grep through all of this to distinguish the entries.

Another consideration is security. Like all syslog logging, the data sent over port 514 is in clear text. Syslog is also lossy: it operates over UDP 514, so there is no guarantee that any given entry is delivered.

How to enable logging

Telnet into the camera:

SET LOGGING DESTINATION IP 207.7.34.3

or whatever your syslog server is...

Set logging levels, higher numbers are higher verbosity:

SET LOGGING NETWORK { 1-4 }
SET LOGGING IP { 1-7 }
SET LOGGING COMMANDS { ENABLED|DISABLED }
SET LOGGING TRIGGER { MOTION|RELAY|ALL }

Different events can be sent to different syslog servers:

SET LOGGING IP MAX DESTINATION IP 75.7.53.10
SET LOGGING COMMANDS ENABLED DESTINATION IP 129.7.23.21

Remember to save your settings!

SAVE LOGGING

Sample Log Entries

Motion detected, camera begins writing JPEGs:

<13>1 2015-02-13T17:18:13.070497-06:00 source command - - - command: ftp trigger trig-*.jpg trig+*.jpg
<151>1 2015-02-13T17:18:13.083371-06:00 iqeye220e83.jay.lan NOOP - - - NOOP
<151>1 2015-02-13T17:18:13.094767-06:00 200 NOOP - - - NOOP command successful#015#012
<151>1 2015-02-13T17:18:13.097009-06:00 iqeye220e83.jay.lan PASV - - - PASV
<151>1 2015-02-13T17:18:13.105143-06:00 227 Entering - - - Entering Passive Mode (192,168,16,119,220,64).#015#012
<151>1 2015-02-13T17:18:13.106772-06:00 STOR 17_18_11.trig-04.jpg.tmp - - - 17_18_11.trig-04.jpg.tmp
<151>1 2015-02-13T17:18:13.118378-06:00 150 Opening - - - Opening BINARY mode data connection for 17_18_11.trig-04.jpg.tmp#015#012
<151>1 2015-02-13T17:18:13.190253-06:00 RNFR 17_18_11.trig-04.jpg.tmp - - - 17_18_11.trig-04.jpg.tmp
<151>1 2015-02-13T17:18:13.196035-06:00 350 File - - - File or directory exists, ready for destination name#015#012
<151>1 2015-02-13T17:18:13.196412-06:00 RNTO 17_18_11.trig-04.jpg - - - 17_18_11.trig-04.jpg
<151>1 2015-02-13T17:18:13.207172-06:00 250 Rename - - - Rename successful#015#012

Client connects via web interface:

<150>1 2015-02-13T17:20:29.742021-06:00 iqeye220e83.jay.lan HTTP - - - HTTP: request style.css from 98.174.251.203
<150>1 2015-02-13T17:20:29.855949-06:00 iqeye220e83.jay.lan HTTP - - - HTTP: request gui.js from 98.174.251.203
<150>1 2015-02-13T17:20:29.856678-06:00 iqeye220e83.jay.lan HTTP - - - HTTP: request vid.js from 98.174.251.203
<150>1 2015-02-13T17:20:29.857385-06:00 iqeye220e83.jay.lan HTTP - - - HTTP: request lib.js from 98.174.251.203
<150>1 2015-02-13T17:20:31.225316-06:00 iqeye220e83.jay.lan HTTP - - - HTTP: request now.jpg?snap=spush?ds=1?dummy=1423869627585 from 98.174.251.203
<150>1 2015-02-13T17:24:36.800627-06:00 iqeye220e83.jay.lan NTP - - - NTP: accepted packet from 209.118.204.201

I'm still not clear on what the prepended <###> field is. Seems I need to study my syslog knowledge.
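The report described above (most frequently requested files and which client IPs asked for them) together with a decoder for the <###> prefix, as an added Python example that is not the post's own code: it parses the camera's RFC 5424 lines, splits the PRI value into facility and severity, classifies each entry as HTTP, NTP or FTP, and flags requests for paths the camera's own web UI never fetches. The allowlist of UI files, the wp-login.php probe line and the 203.0.113.7 address are constructed for the example; the other hosts and addresses come from the post's sample entries.

```python
import re
from collections import Counter
# Constructed sample in the camera's format (hosts/IPs from the post; the wp-login.php probe is made up).
SAMPLE_LOG = """\
<151>1 2015-02-13T17:18:13.106772-06:00 STOR 17_18_11.trig-04.jpg.tmp - - - 17_18_11.trig-04.jpg.tmp
<150>1 2015-02-13T17:20:29.742021-06:00 iqeye220e83.jay.lan HTTP - - - HTTP: request style.css from 98.174.251.203
<150>1 2015-02-13T17:20:31.225316-06:00 iqeye220e83.jay.lan HTTP - - - HTTP: request now.jpg?snap=spush?ds=1?dummy=1423869627585 from 98.174.251.203
<150>1 2015-02-13T17:21:02.000000-06:00 iqeye220e83.jay.lan HTTP - - - HTTP: request wp-login.php from 203.0.113.7
<150>1 2015-02-13T17:24:36.800627-06:00 iqeye220e83.jay.lan NTP - - - NTP: accepted packet from 209.118.204.201
"""
# RFC 5424 facility/severity names; the <PRI> prefix is facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "cron2"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Assumed allowlist of files the camera's own web UI fetches (taken from the post's sample lines).
KNOWN_PATHS = {"style.css", "gui.js", "vid.js", "lib.js", "now.jpg", "serverpush.html"}
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
LINE_RE = re.compile(r"^<(\d{1,3})>(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\]) (.*)$")
HTTP_RE = re.compile(r"^HTTP: request (\S+) from (\S+)$")

def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    facility, severity = divmod(int(pri), 8)
    return FACILITIES[facility], SEVERITIES[severity]

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not RFC 5424 shaped
    pri, _ver, ts, host, app, _pid, _mid, _sd, msg = m.groups()
    facility, severity = decode_pri(pri)
    rec = {"ts": ts, "facility": facility, "severity": severity, "host": host, "app": app, "msg": msg}
    http = HTTP_RE.match(msg)
    if http:  # drop the query string so now.jpg?snap=... is counted as now.jpg
        rec.update(kind="http", path=http.group(1).split("?", 1)[0], client=http.group(2))
    elif msg.startswith("NTP:"):
        rec["kind"] = "ntp"
    else:  # the camera logs each FTP verb and reply code as its own line, placed in the HOSTNAME slot
        rec["kind"] = "ftp"
    return rec

def summarize(log_text):
    paths, clients, suspicious = Counter(), Counter(), []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["kind"] == "http":
            paths[rec["path"]] += 1
            clients[rec["client"]] += 1
            if rec["path"] not in KNOWN_PATHS:  # something the UI never asks for: worth a look
                suspicious.append((rec["client"], rec["path"]))
    return paths, clients, suspicious
```

For the post's sample entries this decodes <150> as local2/info, <151> as local2/debug and <13> as user/notice, so a syslog server can route the camera's FTP chatter and HTTP requests by severity alone.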

Happy Hacking!
