
Re: [suse-security] Tool to analyze firewall messages

Am Son, 2002-10-20 um 12.35 schrieb Al Bogner:

> I thought that there could be a script or whatever, which analyzes 
> firewall logs from a "general" view.

You might like to take a look at an intrusion detection system like


Snort can be installed straight from the SuSE CD. New rules can be
downloaded from the snort server but usually need some editing to
function with the snort.conf that is shipped with SuSE. There are
several tools for analysing snort logfiles to be found on the snort web

A sample log entry looks like this:

[**] [1:884:6] WEB-CGI formmail access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2]
10/19-20:17:45.581832 -> xxx.xxx.xxx.xxx:80
TCP TTL:106 TOS:0x0 ID:29404 IpLen:20 DgmLen:693 DF
***AP*** Seq: 0xC6F88849  Ack: 0xEE772CE8  Win: 0xFFFF  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/1187]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0172]
[Xref => http://www.whitehats.com/info/IDS226]

Besides that, snort can write the logs to an (external) MySQL or PostgreSQL
database server. The version that is shipped on the SuSE CD however
lacks database support, so you need to recompile it to use that feature.
When logging to a MySQL database you can integrate the MySQL/snort thing
into bigbrother, a network monitoring tool. 


> I found out, that a lot of scans to my host come from "developing" 
> countries, especially from South America and Asia.

Most of what you see in your logs is simply background noise, especially
when you have a dynamically assigned IP.


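Since the question was about a script that looks at alerts "from a general view", here is an added example (not from the mail above, and not part of the Snort project) that parses records in the full alert format shown in the sample entry and summarises them by priority, source address and rule. The sample alerts inside it are constructed: the first copies the quoted entry with a made-up source address (the original is redacted), the second is invented so the summary has more than one line. The parser reads the Classification and Priority tags from anywhere in the record, so it accepts both the one-line form Snort writes and the split form shown in the mail.

```python
"""Parse Snort full-format alert records into dicts and summarise them.

Added example; sample data below is constructed, not taken from a real sensor.
"""
import re
from collections import Counter

# Constructed sample alerts.  Record 1 mirrors the entry quoted in the mail
# (source address 192.0.2.10:3456 is invented); record 2 is made up.
SAMPLE_ALERTS = """\
[**] [1:884:6] WEB-CGI formmail access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2]
10/19-20:17:45.581832 192.0.2.10:3456 -> 198.51.100.7:80
TCP TTL:106 TOS:0x0 ID:29404 IpLen:20 DgmLen:693 DF
***AP*** Seq: 0xC6F88849  Ack: 0xEE772CE8  Win: 0xFFFF  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/1187]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0172]
[Xref => http://www.whitehats.com/info/IDS226

[**] [1:9999:1] EXAMPLE constructed SSH probe [**]
[Classification: attempted information leak] [Priority: 3]
10/19-20:18:01.000001 192.0.2.11:40000 -> 198.51.100.7:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1 Ack: 0x0 Win: 0x4000 TcpLen: 40
"""

# Records are separated by a blank line.
RECORD_SPLIT = re.compile(r"\n\s*\n")
# "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$", re.M)
CLASS_RE = re.compile(r"\[Classification: ([^\]]+)\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
# "MM/DD-HH:MM:SS.usec src[:port] -> dst[:port]"
FLOW_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$", re.M)
IP_RE = re.compile(
    r"^(TCP|UDP|ICMP) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)", re.M)
# TCP flag field is always 8 characters, e.g. "***AP***" or "******S*".
TCP_RE = re.compile(
    r"^(\S{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)\s+Win: (0x[0-9A-Fa-f]+)\s+TcpLen: (\d+)", re.M)
# Closing bracket made optional so a truncated line (as in the mail) still parses.
XREF_RE = re.compile(r"\[Xref => (\S+?)\]?$", re.M)


def parse_record(record: str) -> dict:
    """Turn one full-format alert record into a dict of typed fields."""
    header = HEADER_RE.search(record)
    if not header:
        raise ValueError("not a Snort full-format alert: %r" % record[:40])
    alert = {
        "gid": int(header.group(1)), "sid": int(header.group(2)),
        "rev": int(header.group(3)), "msg": header.group(4),
        "classification": None, "priority": None,
        "xrefs": XREF_RE.findall(record),
    }
    cls = CLASS_RE.search(record)
    if cls:
        alert["classification"] = cls.group(1)
    prio = PRIO_RE.search(record)
    if prio:
        alert["priority"] = int(prio.group(1))
    flow = FLOW_RE.search(record)
    if flow:
        alert.update(timestamp=flow.group(1),
                     src=flow.group(2), src_port=int(flow.group(3)) if flow.group(3) else None,
                     dst=flow.group(4), dst_port=int(flow.group(5)) if flow.group(5) else None)
    ip = IP_RE.search(record)
    if ip:
        alert.update(proto=ip.group(1), ttl=int(ip.group(2)), ip_id=int(ip.group(4)),
                     dgm_len=int(ip.group(6)))
    tcp = TCP_RE.search(record)
    if tcp:
        alert.update(tcp_flags=tcp.group(1), seq=int(tcp.group(2), 16),
                     ack=int(tcp.group(3), 16), win=int(tcp.group(4), 16),
                     tcp_len=int(tcp.group(5)))
    return alert


def parse_alerts(text: str) -> list:
    """Split an alert file into records and parse each one."""
    return [parse_record(r) for r in RECORD_SPLIT.split(text.strip()) if r.strip()]


def summarize(alerts: list) -> dict:
    """Counts by priority (1 is most severe in Snort), source address and rule."""
    return {
        "by_priority": Counter(a["priority"] for a in alerts),
        "by_src": Counter(a.get("src") for a in alerts),
        "by_rule": Counter("%d:%d %s" % (a["gid"], a["sid"], a["msg"]) for a in alerts),
    }


if __name__ == "__main__":
    for key, counts in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(key)
        for value, n in counts.most_common():
            print("  %5d  %s" % (n, value))
```

Point it at a real alert file with `parse_alerts(open("alert").read())`; the per-source counter is the quick way to see which addresses account for the bulk of the noise before deciding whether any of it deserves a closer look.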