Around a month ago I posted a similar message to this list and got some answers:

- Achim Hoffmann sent me a Perl script for making a readable file out of /var/log/firewall. e.g. (remove the CRs):

Log entry:

Oct 9 00:18:48 minasmorgul kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=80.142.58.48 DST=217.84.7.89 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=29088 DF PROTO=TCP SPT=57456 DPT=4662 WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405840402080A0053EFB40000000001030300)

Headline plus generated text:

Time Rule src-IP :port > dst-IP :port proto ttl id tos prec len -- payload
--------+-------------------+----------------------+----------------------+----+---+-----+----+----+-----+----------
00:18:48 DROP-DEFAULT 80.142.58.48 57456 > 217.84.7.89 4662 TCP 60 29088 0x00 0x00 60 -- WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405840402080A0053EFB4000000000

- I run "psad: The Port Scan Attack Detector" (http://www.cipherdyne.com/psad/): it does some real-time scanning of the syslog data stream (partly based on Snort) through a FIFO file, discovering port scans and then informing via e-mail. The e-mail includes DNS and WHOIS lookups. e.g.:

=-=-=-=-=-=-=-=-=-=-=-=-=-= Oct 20 12:42:50 =-=-=-=-=-=-=-=-=-=-=-=-=-=

psad: portscan detected against minasmorgul (xxx.xxx.xxx.xxx).

Source: xxx.xxx.xxx.xxx
Destination: xxx.xxx.xxx.xxx

Newly scanned TCP ports: [25-8080] (since: Oct 20 12:42:49)
Newly Blocked TCP packets: [4] (since: Oct 20 12:42:49)
TCP flags: [SYN: 4 packets]
Nmap: [-sT or -sS]

Complete TCP/UDP port range: [25-8080] (since: Oct 20 12:42:49)
Total blocked packets: 4
Start time: Oct 20 12:42:49
End time: Oct 20 12:42:49
Danger level: 1 out of 5

DNS info: xxx.xxx.xxx.xxx -> adsl-123.xxxxxx.xxx.xx.net

---- TCP alert signatures found since [Oct 20 12:42:49]
"MISC-WinGate-8080-Attempt" dp=8080, flags=SYN. Packets=1
"MISC-WinGate-1080-Attempt" dp=1080, flags=SYN. Packets=1

---- Whois Information: ----
OrgName: Southwestern Bell Internet Services
OrgID: SBIS

- I run logcheck.sh from Craig Rowland via cron every 15 minutes, which generates reports using something like a good- and bad-word list of unusual events/entries in logfiles.

You could also have a look at Snort, a (good!) free real-time intrusion detection tool...

On Sunday, 20 October 2002 11:45, Al Bogner wrote:
In /var/log/messages I see messages like
Oct 20 11:00:43 firewall kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=61.0.114.198 DST=62.46.154.154 LEN=78 TOS=0x00 PREC=0x00 TTL=101 ID=3969 PROTO=UDP SPT=62302 DPT=137 LEN=58
I would like to see some whois data of the source IP in clear text, and the destination port in clear text too. (Of course I know that 137 is the NetBIOS port.)
Is there an analyzing tool for these messages? Maybe like webalizer?
Where can I define the log file in FW2? I would like to have my own firewall logfile, to have a better overview of the other messages.
Albert
--
Eat, sleep and go running, David Huecking. Encrypted e-mail welcome!
GnuPG/PGP fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216
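As an added example (not Achim Hoffmann's Perl script, which is not on this page), a small Python parser for the SuSE-FW-DROP-DEFAULT lines quoted in this thread: it splits the KEY=VALUE fields, keeps the bare flags and TCP options, renders a table similar to the headline above and, as Al asked, resolves the destination port to a service name through the local /etc/services. The two sample lines are the ones from this thread; the column layout and the LEN_L4 name for the second LEN field on UDP lines are my own choices.

```python
import re
import socket

# Constructed sample input: the two SuSE-FW kernel log lines quoted in this thread.
SAMPLE_LINES = [
    "Oct  9 00:18:48 minasmorgul kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=80.142.58.48 "
    "DST=217.84.7.89 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=29088 DF PROTO=TCP SPT=57456 DPT=4662 "
    "WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405840402080A0053EFB40000000001030300)",
    "Oct 20 11:00:43 firewall kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=61.0.114.198 "
    "DST=62.46.154.154 LEN=78 TOS=0x00 PREC=0x00 TTL=101 ID=3969 PROTO=UDP SPT=62302 DPT=137 LEN=58",
]
# syslog timestamp, host, "kernel:", the SuSE-FW-<rule> marker, then the KEY=VALUE fields.
HEADER = re.compile(r"^\w{3}\s+\d+ (\d\d:\d\d:\d\d) (\S+) kernel: SuSE-FW-(\S+) (.*)$")

def parse_line(line):
    """Parse one SuSE-FW line into a dict; return None for any other syslog line."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"time": m.group(1), "host": m.group(2), "rule": m.group(3), "flags": []}
    tokens = m.group(4).split()
    for i, tok in enumerate(tokens):
        if "=" in tok:                      # KEY=VALUE; the value may be empty (OUT= MAC=)
            key, val = tok.split("=", 1)
            # UDP lines carry LEN twice (IP header, then UDP header): keep the first as LEN,
            # file the second as LEN_L4 instead of silently overwriting it.
            rec[key if key not in rec else key + "_L4"] = val
        elif tok.startswith("(") and i and tokens[i - 1] == "OPT":
            rec["OPT"] = tok.strip("()")    # TCP options as the raw hex blob
        elif tok != "OPT":
            rec["flags"].append(tok)        # bare flags: DF, SYN, ACK, ...
    return rec

def service_name(port, proto):
    """Destination port in clear text, looked up in the local /etc/services database."""
    try:
        return socket.getservbyport(int(port), proto.lower())
    except (OSError, ValueError):
        return "?"                          # unknown port, or no services database present

def format_table(records):
    """Render parsed records in a column layout similar to the headline quoted above."""
    out = [f"{'Time':<8} {'Rule':<12} {'src-IP:port':<20} {'dst-IP:port':<20} {'proto':<5} {'service':<11} ttl -- payload"]
    for r in records:
        src = f"{r.get('SRC', '')}:{r.get('SPT', '')}"
        dst = f"{r.get('DST', '')}:{r.get('DPT', '')}"
        svc = service_name(r.get("DPT", ""), r.get("PROTO", ""))
        payload = " ".join(r["flags"] + (["OPT " + r["OPT"]] if "OPT" in r else []))
        out.append(f"{r['time']:<8} {r['rule']:<12} {src:<20} {dst:<20} "
                   f"{r.get('PROTO', ''):<5} {svc:<11} {r.get('TTL', ''):>3} -- {payload}")
    return "\n".join(out)
```

Feed it `/var/log/firewall` (or `/var/log/messages`) line by line and print `format_table` over the non-None results; the whois part of Al's question still needs a network lookup and is left out here.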