
Re: [suse-security] Tool to analyze firewall messages

Around a month ago I posted a similar message to this list and got some 
- Achim Hoffmann sent me a Perl-script for making a readable file out of 
/var/log/firewall. e.g.: (remove the CRs)
Oct  9 00:18:48 minasmorgul kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= 
SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=29088 DF 

Headline plus generated text:
Time     Rule                src-IP         :port  > dst-IP         :port 
proto ttl id    tos  prec len   -- payload
00:18:48 DROP-DEFAULT  57456 > 4662   
TCP  60 29088 0x00 0x00    60 -- WINDOW=5808 RES=0x00 SYN URGP=0 OPT 

- I run "psad; The Port Scan Attack Detector" 
(http://www.cipherdyne.com/psad/): it does some realtime scanning of the 
syslog-datastream (partly based on snort) through a fifo-file, discovering 
port-scans and then informing via eMail. The eMail includes DNS and WHOIS 
lookups. e.g.:
=-=-=-=-=-=-=-=-=-=-=-=-=-= Oct 20 12:42:50 =-=-=-=-=-=-=-=-=-=-=-=-=-=
psad: portscan detected against minasmorgul (xxx.xxx.xxx.xxx).

Source:                      xxx.xxx.xxx.xxx
Destination:                 xxx.xxx.xxx.xxx
Newly scanned TCP ports:     [25-8080]   (since: Oct 20 12:42:49)
Newly Blocked TCP packets:   [4]   (since: Oct 20 12:42:49)
TCP flags:                   [SYN: 4 packets]  Nmap: [-sT or -sS]
Complete TCP/UDP port range: [25-8080]  (since: Oct 20 12:42:49)
Total blocked packets:       4
Start time:                  Oct 20 12:42:49
End time:                    Oct 20 12:42:49
Danger level:                1 out of 5
DNS info:                    xxx.xxx.xxx.xxx ->

---- TCP alert signatures found since [Oct 20 12:42:49]
"MISC-WinGate-8080-Attempt"  dp=8080, flags=SYN.   Packets=1
"MISC-WinGate-1080-Attempt"  dp=1080, flags=SYN.   Packets=1

---- Whois Information: ----

OrgName:    Southwestern Bell Internet Services
OrgID:      SBIS

- I run logcheck.sh from Craig Rowland via cron every 15 minutes which 
generates reports using something like a good- and bad-word list of unusual 
events/ entries in logfiles.

You could also have a look at Snort, a (good!) free realtime intrusion 
detection tool...

On Sonntag, 20. Oktober 2002 11:45, Al Bogner wrote:
> In /var/log/messages I see messages like
> Oct 20 11:00:43 firewall kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT=
> MAC= SRC= DST= LEN=78 TOS=0x00 PREC=0x00
> TTL=101 ID=3969 PROTO=UDP SPT=62302 DPT=137 LEN=58
> I would like to see some whois data of the source IP in clear text
> and the destination port in clear text too. (Of course I know that
> 137 is the netbios-port)
> Is there an analyzing tool for these messages? Maybe like webalizer?
> Where can I define the log-file in FW2? I would like to have an own
> fw-logfile to have a better overview of the other messages
> Albert

Eat, sleep and go running,
David Huecking.

Encrypted eMail welcome! GnuPG/ PGP-Fingerprint: 
3DF2 CBE0 DFAA 4164 02C2  4E2A E005 8DF7 5780 9216
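The conversion David describes (one netfilter/SuSEfirewall2 log line in, one readable table row out, plus the destination port "in clear text" that Albert asked for) as an added Python example; this is not Achim Hoffmann's Perl script and not part of the original thread. The sample log is constructed: the two lines quoted above had their SRC/DST anonymised, so RFC 5737 documentation addresses are filled in, and the small port table is a constructed offline fallback in front of socket.getservbyport(). WHOIS lookups are deliberately left out so the script runs without network access.

```python
import re
import socket
from collections import Counter

# Constructed sample input (not from the original post): SRC/DST values are
# RFC 5737 documentation addresses, and a non-firewall kernel line is included
# to show that it is skipped.
SAMPLE_LOG = """\
Oct  9 00:18:48 minasmorgul kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=29088 DF PROTO=TCP SPT=57456 DPT=4662 WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405B4)
Oct 20 11:00:43 firewall kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=203.0.113.5 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=101 ID=3969 PROTO=UDP SPT=62302 DPT=137 LEN=58
Oct 20 11:00:44 firewall kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=203.0.113.5 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=101 ID=3970 PROTO=UDP SPT=62303 DPT=138 LEN=58
Oct 20 11:00:45 firewall kernel: eth0: link is up
"""

# syslog prefix, the "SuSE-FW-<rule>" tag, then the netfilter key=value tail
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"SuSE-FW-(?P<rule>\S+) (?P<rest>.*)$"
)

# Constructed port table so the example works without /etc/services;
# anything not listed here is looked up with socket.getservbyport().
KNOWN_PORTS = {("tcp", 25): "smtp", ("tcp", 80): "http", ("udp", 137): "netbios-ns",
               ("udp", 138): "netbios-dgm", ("tcp", 1080): "socks", ("tcp", 8080): "http-alt"}

HEADER = ("Time     Rule          src-IP         :port  > dst-IP         :port  "
          "proto ttl id    tos  prec len  -- payload")


def service_name(proto, port):
    """Return the service name for a port, or the port number as text if unknown."""
    key = (proto.lower(), int(port))
    if key in KNOWN_PORTS:
        return KNOWN_PORTS[key]
    try:
        return socket.getservbyport(int(port), proto.lower())
    except OSError:
        return str(port)


def parse_line(line):
    """Parse one firewall log line into a dict; return None for other kernel lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"time": m.group("time"), "host": m.group("host"),
           "rule": m.group("rule"), "ip_flags": [], "payload": [], "fields": {}}
    seen_proto = False
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            # LEN appears twice on UDP/ICMP lines (IP length, then payload length);
            # keep the first, which is the IP header length shown in the table
            rec["fields"].setdefault(k, v)
            if k == "PROTO":
                seen_proto = True
            elif seen_proto and k not in ("SPT", "DPT"):
                rec["payload"].append(tok)      # WINDOW=, RES=, URGP= ...
        elif seen_proto:
            rec["payload"].append(tok)          # SYN, ACK, OPT, (hex options) ...
        else:
            rec["ip_flags"].append(tok)         # DF, MF, CE
    return rec


def parse_log(text):
    """Parse a whole log file, dropping lines that are not firewall messages."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def format_record(rec):
    """Render one record in the headline layout from the post."""
    f = rec["fields"]
    src = f"{f.get('SRC', '?'):15}:{f.get('SPT', '-'):<5}"
    dst = f"{f.get('DST', '?'):15}:{f.get('DPT', '-'):<5}"
    return (f"{rec['time']:8} {rec['rule']:13} {src} > {dst} {f.get('PROTO', '?'):4} "
            f"{f.get('TTL', '?'):>3} {f.get('ID', '?'):>5} {f.get('TOS', '?')} "
            f"{f.get('PREC', '?')} {f.get('LEN', '?'):>4} -- " + " ".join(rec["payload"]))


def describe(rec):
    """The clear-text view Albert asked for: source, destination service and rule."""
    f = rec["fields"]
    svc = service_name(f["PROTO"], f["DPT"]) if "DPT" in f else "-"
    return f"{f.get('SRC', '?')} -> {svc}/{f.get('PROTO', '?').lower()} ({rec['rule']})"


def summarize(records):
    """Webalizer-style totals: packets per source address and per destination service."""
    by_src = Counter(r["fields"].get("SRC", "?") for r in records)
    by_service = Counter(
        f"{service_name(r['fields']['PROTO'], r['fields']['DPT'])}/{r['fields']['PROTO'].lower()}"
        for r in records if "DPT" in r["fields"])
    return by_src, by_service


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(HEADER)
    for rec in records:
        print(format_record(rec))
        print("    " + describe(rec))
    by_src, by_service = summarize(records)
    print("\nTop sources:", by_src.most_common(3))
    print("Top services:", by_service.most_common(3))
```

Feed it a real file with `parse_log(open("/var/log/firewall").read())`; a separate fw-logfile such as Albert wanted makes this cheap, because every line is then a candidate and the regex only has to reject the occasional non-firewall kernel message. The port table is consulted before getservbyport() so the output does not change between hosts whose /etc/services name port 8080 differently.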
