
Re: [suse-security] Tool to analyze firewall messages



Around a month ago I posted a similar message to this list and got some 
answers:
- Achim Hoffmann sent me a Perl-script for making a readable file out of 
/var/log/firewall. e.g.: (remove the CRs)
Log-entry:
Oct  9 00:18:48 minasmorgul kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=80.142.58.48 DST=217.84.7.89 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=29088 DF PROTO=TCP SPT=57456 DPT=4662 WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405840402080A0053EFB40000000001030300)

Headline plus generated text:
Time     Rule                src-IP         :port  > dst-IP         :port proto ttl id    tos  prec len   -- payload
--------+-------------------+----------------------+----------------------+----+---+-----+----+----+-----+----------
00:18:48 DROP-DEFAULT           80.142.58.48 57456 >     217.84.7.89 4662   TCP  60 29088 0x00 0x00    60 -- WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405840402080A0053EFB4000000000

- I run "psad; The Port Scan Attack Detector" 
(http://www.cipherdyne.com/psad/): it does some realtime scanning of the 
syslog datastream (partly based on snort) through a fifo file, discovering 
port scans and then informing via eMail. The eMail includes DNS and WHOIS 
lookups. e.g.:
=-=-=-=-=-=-=-=-=-=-=-=-=-= Oct 20 12:42:50 =-=-=-=-=-=-=-=-=-=-=-=-=-=
psad: portscan detected against minasmorgul (xxx.xxx.xxx.xxx).

Source:                      xxx.xxx.xxx.xxx
Destination:                 xxx.xxx.xxx.xxx
Newly scanned TCP ports:     [25-8080]   (since: Oct 20 12:42:49)
Newly Blocked TCP packets:   [4]   (since: Oct 20 12:42:49)
TCP flags:                   [SYN: 4 packets]  Nmap: [-sT or -sS]
Complete TCP/UDP port range: [25-8080]  (since: Oct 20 12:42:49)
Total blocked packets:       4
Start time:                  Oct 20 12:42:49
End time:                    Oct 20 12:42:49
Danger level:                1 out of 5
DNS info:                    xxx.xxx.xxx.xxx ->
    adsl-123.xxxxxx.xxx.xx.net

---- TCP alert signatures found since [Oct 20 12:42:49]
"MISC-WinGate-8080-Attempt"  dp=8080, flags=SYN.   Packets=1
"MISC-WinGate-1080-Attempt"  dp=1080, flags=SYN.   Packets=1


---- Whois Information: ----

OrgName:    Southwestern Bell Internet Services
OrgID:      SBIS

- I run logcheck.sh from Craig Rowland via cron every 15 minutes, which 
generates reports using something like a good- and bad-word list of unusual 
events/entries in logfiles.

You could also have a look at Snort, a (good!) free realtime intrusion 
detection tool...

On Sunday, 20 October 2002 11:45, Al Bogner wrote:
> In /var/log/messages I see messages like
>
> Oct 20 11:00:43 firewall kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT=
> MAC= SRC=61.0.114.198 DST=62.46.154.154 LEN=78 TOS=0x00 PREC=0x00
> TTL=101 ID=3969 PROTO=UDP SPT=62302 DPT=137 LEN=58
>
> I would like to see some whois data of the source IP in clear text
> and the destination port in clear text too. (Of course I know that
> 137 is the netbios-port)
>
> Is there an analyzing tool for these messages? Maybe like webalizer?
>
> Where can I define the log-file in FW2? I would like to have an own
> fw-logfile to have a better overview of the other messages
>
> Albert

-- 
Eat, sleep and go running,
David Huecking.

Encrypted eMail welcome! GnuPG/ PGP-Fingerprint: 
3DF2 CBE0 DFAA 4164 02C2  4E2A E005 8DF7 5780 9216
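Added here as an example, not the Perl script Achim Hoffmann sent (the post does not reproduce it): a Python parser for the SuSE-FW kernel lines quoted above that prints them in the same column layout and counts drops per source IP and destination port, roughly the per-source overview Albert asked for. The sample lines are constructed from the two entries in this thread; the sshd line is added only to show that non-firewall syslog lines are skipped.

```python
import re
from collections import Counter
# Constructed sample lines, modelled on the two entries quoted in this thread.
SAMPLE_LINES = [
    "Oct  9 00:18:48 minasmorgul kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= "
    "SRC=80.142.58.48 DST=217.84.7.89 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=29088 DF "
    "PROTO=TCP SPT=57456 DPT=4662 WINDOW=5808 RES=0x00 SYN URGP=0 OPT "
    "(020405840402080A0053EFB40000000001030300)",
    "Oct 20 11:00:43 firewall kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= "
    "SRC=61.0.114.198 DST=62.46.154.154 LEN=78 TOS=0x00 PREC=0x00 TTL=101 ID=3969 "
    "PROTO=UDP SPT=62302 DPT=137 LEN=58",
    "Oct 20 11:01:02 firewall sshd[123]: Accepted publickey for albert",  # not a firewall line
]
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
                     r"SuSE-FW-(?P<rule>\S+)\s+(?P<rest>.*)$")
# IP-header fields that become table columns; whatever follows them is kept verbatim.
HEADER_KEYS = {"IN", "OUT", "MAC", "SRC", "DST", "LEN", "TOS", "PREC", "TTL", "ID", "PROTO", "SPT", "DPT"}
HEADLINE = ("Time     Rule                src-IP         :port  > dst-IP         :port "
            "proto ttl id    tos  prec len   -- payload")

def parse_fw_line(line):
    """Split one SuSE-FW kernel log line into a dict; returns None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": m["time"], "host": m["host"], "rule": m["rule"], "ipflags": [], "payload": ""}
    tokens = m["rest"].split()
    for i, tok in enumerate(tokens):
        key, eq, val = tok.partition("=")
        if eq and key in HEADER_KEYS and key not in rec:
            rec[key] = val
        elif not eq and "PROTO" not in rec:
            rec["ipflags"].append(tok)  # bare IP flags before PROTO=, e.g. DF
        else:
            # First token past the IP header (WINDOW= for TCP, the second LEN= for UDP,
            # TYPE= for ICMP): keep it and everything after it verbatim, as the Perl output did.
            rec["payload"] = " ".join(tokens[i:])
            break
    return rec

def format_row(rec):  # one table row in the layout of the Perl output quoted above
    g = rec.get
    return (f"{rec['time']} {rec['rule']:<19} {g('SRC', ''):>15} {g('SPT', '-'):<5} > "
            f"{g('DST', ''):>15} {g('DPT', '-'):<5} {g('PROTO', ''):<4} {g('TTL', ''):>3} "
            f"{g('ID', ''):>5} {g('TOS', '')} {g('PREC', '')} {g('LEN', ''):>5} -- {rec['payload']}")

def report(lines):  # returns (table text, Counter of (SRC, PROTO, DPT)) for the firewall lines
    recs = [r for r in map(parse_fw_line, lines) if r]
    hits = Counter((r.get("SRC"), r.get("PROTO"), r.get("DPT")) for r in recs)
    return "\n".join([HEADLINE, "-" * len(HEADLINE)] + [format_row(r) for r in recs]), hits
```

Feed it the lines of /var/log/firewall (or the kernel lines of /var/log/messages) instead of SAMPLE_LINES; the Counter sorted by most_common() gives the per-source summary.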
