
Re: [suse-security] Tool to analyze firewall messages



On Sun, 2002-10-20 at 12.35, Al Bogner wrote:

> I thought that there could be a script or whatever, which analyzes 
> firewall logs from a "general" view.

You might like to take a look at an intrusion detection system like
snort.

http://www.snort.org/ 

Snort can be installed straight from the SuSE CD. New rules can be
downloaded from the snort server but usually need some editing to
function with the snort.conf that is shipped with SuSE. There are
several tools for analysing snort logfiles to be found on the snort web
server.

A sample log entry looks like this:

---8<---
[**] [1:884:6] WEB-CGI formmail access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2]
10/19-20:17:45.581832 67.113.247.186:33326 -> xxx.xxx.xxx.xxx:80
TCP TTL:106 TOS:0x0 ID:29404 IpLen:20 DgmLen:693 DF
***AP*** Seq: 0xC6F88849  Ack: 0xEE772CE8  Win: 0xFFFF  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/1187]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0172]
[Xref => http://www.whitehats.com/info/IDS226]
---8<---

Besides that, snort can write the logs to an (external) MySQL or PostgreSQL
database server. The version that is shipped on the SuSE CD however
lacks database support, so you need to recompile it to use that feature.
When logging to a MySQL database you can integrate the MySQL/snort thing
into bigbrother, a network monitoring tool. 

http://www.bb4.com/

> I found out, that a lot of scans to my host come from "developing" 
> countries, especially from South America and Asia.

Most of what you see in your logs is simply background noise, especially
when you have a dynamically assigned IP.

Wolfgang


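As an added example (not part of the mail above or of snort itself), here is a small Python parser for the "full" alert format shown in the sample entry, followed by the kind of aggregation the original question was after: hits per source address and per signature. It parses the header, priority, flow and Xref lines and ignores the rest; the second record in the input is constructed (192.0.2.77 is a documentation address), and the parser tolerates the missing closing bracket on the last Xref line exactly as it appears in the mail.

```python
import re
from collections import Counter

# Constructed input: the record quoted in the mail plus a second, fabricated one.
SAMPLE_LOG = """[**] [1:884:6] WEB-CGI formmail access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2]
10/19-20:17:45.581832 67.113.247.186:33326 -> xxx.xxx.xxx.xxx:80
TCP TTL:106 TOS:0x0 ID:29404 IpLen:20 DgmLen:693 DF
[Xref => http://www.securityfocus.com/bid/1187]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0172]
[Xref => http://www.whitehats.com/info/IDS226

[**] [1:884:6] WEB-CGI formmail access [**]
[Priority: 2]
10/19-21:02:11.000001 192.0.2.77:40001 -> xxx.xxx.xxx.xxx:80
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PRIORITY = re.compile(r"^\[Priority: (\d+)\]$")
FLOW = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
XREF = re.compile(r"^\[Xref => (\S+?)\]?$")  # tolerates the missing ']' above

def split_endpoint(ep):
    host, sep, port = ep.rpartition(":")  # records without a port (e.g. ICMP)
    return (host, int(port)) if sep else (ep, None)

def parse_alerts(text):
    """Split snort 'full' alert output on blank lines and parse each record."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        a = {"xrefs": []}
        for line in block.splitlines():
            if m := HEADER.match(line):
                a.update(gid=int(m[1]), sid=int(m[2]), rev=int(m[3]), msg=m[4])
            elif m := PRIORITY.match(line):
                a["priority"] = int(m[1])
            elif m := FLOW.match(line):
                a["time"] = m[1]
                a["src"], a["sport"] = split_endpoint(m[2])
                a["dst"], a["dport"] = split_endpoint(m[3])
            elif m := XREF.match(line):
                a["xrefs"].append(m[1])
        alerts.append(a)
    return alerts

def summarize(alerts):
    by_src = Counter(a["src"] for a in alerts)
    by_sig = Counter((a["priority"], a["sid"], a["msg"]) for a in alerts)
    return by_src, by_sig
```

Feeding a whole alert file to `parse_alerts` and printing the two Counters from `summarize` gives the "general view" of which sources and signatures dominate the noise.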