Tom's Guide Forums

Thread : Firewall log analysis
 
JC

Archived from groups: comp.security.firewalls

Hi,

I have a Sonicwall firewall which sends me a log each morning via email. I paste the log into Excel, save it then sort on source URL. An example
of log entries showing the important parts is below:-

Date & Time Result Source URL
2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN
2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN
2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN
2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN

I get 80-100 entries per day, which isn't many I know, but over a month this adds up to about 2,500+ entries which take a while to go through. What
I am looking for is patterns of probes which I then report to abuse@x.y.z asking for the probes to be stopped. To get to the abuse@x.y.z address I
look up the details on www.dnsstuff.com. Doing this multiple times each day can be tedious and it is not immediately obvious that, for example,
source URLs 66.139.x.y and 69.44.x.y are all connected to the same ISP.

How do you deal with the firewall logs?

What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
exist?

TIA.

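
The workflow described above (parse the emailed drop log, collapse sources that belong to one ISP, sort by ISP name, source and time, and flag repeat probes), as an added Python example; it is not code from this thread or from any product named in it. The first four log lines are the poster's own; the remaining log lines, the CIDR-to-ISP table and the abuse mailboxes are constructed placeholders standing in for the manual WHOIS lookups, and a real run would fill that table from the RIR databases.

```python
"""Summarise SonicWall 'packet dropped' log lines by ISP and source address.

Added example, not code from the thread. The ISP/abuse-contact table is a
constructed placeholder for the WHOIS lookups the poster does by hand.
"""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format the poster pasted: the first four entries
# are the poster's own, the rest are constructed to show repeat probes.
SAMPLE_LOG = """\
Date & Time Result Source URL
2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN
2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN
2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN
2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN
2004/06/11 11:02:41.010 TCP connection dropped - Source:66.139.12.34, 3421, WAN
2004/06/11 11:02:43.552 TCP connection dropped - Source:66.139.12.34, 3422, WAN
2004/06/11 13:15:09.771 UDP packet dropped - Source:69.44.7.8, 1434, WAN
"""

# Constructed placeholder: CIDR prefix -> (ISP name, abuse mailbox). The two
# prefixes from the poster's example map to one ISP to show how non-adjacent
# ranges collapse into a single report line.
ISP_TABLE = {
    ipaddress.ip_network("66.139.0.0/16"): ("Example ISP A", "abuse@example-isp-a.invalid"),
    ipaddress.ip_network("69.44.0.0/16"): ("Example ISP A", "abuse@example-isp-a.invalid"),
    ipaddress.ip_network("218.217.0.0/16"): ("Example ISP B", "abuse@example-isp-b.invalid"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<result>.+?) - Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<iface>\w+)$"
)


def parse_log(text):
    """Yield (timestamp, result, source_ip, source_port, interface) per entry."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # the header line and blank lines do not match and are skipped
            yield m["ts"], m["result"], m["src"], int(m["sport"]), m["iface"]


def lookup_isp(ip):
    """Longest-prefix match against ISP_TABLE; unknown sources are flagged for manual lookup."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, info in ISP_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else ("(unknown - look up manually)", "")


def summarise(text):
    """Return rows [isp, abuse, source, first_seen, last_seen, entries],
    sorted by ISP name, then source address, then first timestamp."""
    per_source = defaultdict(list)
    for ts, _result, src, _sport, _iface in parse_log(text):
        per_source[src].append(ts)
    rows = []
    for src, stamps in per_source.items():
        isp, abuse = lookup_isp(src)
        stamps.sort()
        rows.append([isp, abuse, src, stamps[0], stamps[-1], len(stamps)])
    rows.sort(key=lambda r: (r[0], ipaddress.ip_address(r[2]), r[3]))
    return rows


def to_csv(rows):
    """Render the summary as CSV text, which Excel opens directly."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["ISP", "Abuse contact", "Source", "First seen", "Last seen", "Entries"])
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(summarise(SAMPLE_LOG)))
```

Sources with no table entry sort to the top of the report so the manual lookups are visible at a glance; the Entries column is what the poster calls "multiple entries detected".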


JC <jhoppyc@westnet.com.invalid> squirted these wordjisms deep inside
the bumtube of the newstwat in
news:bemkc097764aq8tvurfa5akqn8777ttslh@4ax.com:

> Hi,
>
> I have a Sonicwall firewall which sends me a log each morning via
> email. I paste the log into Excel, save it then sort on source URL.
> An example of log entries showing the important parts is below:-
>
> Date & Time Result Source URL
> 2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN
> 2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN
> 2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN
> 2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN
>
> I get 80-100 entries per day, which isn't many I know, but over a
> month this adds up to about 2,500+ entries which take a while to go
> through. What I am looking for is patterns of probes which I then
> report to abuse@x.y.z asking for the probes to be stopped. To get
> to the abuse@x.y.z address I look up the details on www.dnsstuff.com.
> Doing this multiple times each day can be tedious and it is not
> immediately obvious that, for example, source URLs 66.139.x.y and
> 69.44.x.y are all connected to the same ISP.
>
> How do you deal with the firewall logs?
>
> What would be useful would be a program that will read the log file,
> preferably in XLS format, and spit out a summary along the lines of
> ISP Name, Abuse email address, Source URL, Date & Time sorted on ISP
> name, Source URL and Date & Time if multiple entries are detected.
> Does such a program exist?
>
> TIA.
>
>

If you used ZoneAlarm then VisualZone would interpret the logs for you.
Visualzone looks up intruder IPs and other info, and has a button that
will format the results into a template email which you can send to the
abuse or AUP dept of the ISP concerned. You can look up the IP address on
spamcop to see if they are known pests, send a report to DShield, and
check which ports they were hitting easily using buttons. It has a whole
host of other features too.

However, unfortunately I don't know of a similar application which does
the same for your firewall.

--
*********************************
> David Qunt
>
****************************************************


While it doesn't offer all the features you ask for, you can get some
nice log analysis in linklogger. (www.linklogger.com)


Brad


On Sat, 12 Jun 2004 12:06:02 +1000, JC <jhoppyc@westnet.com.invalid>
wrote:

>Hi,
>
>I have a Sonicwall firewall which sends me a log each morning via email. I paste the log into Excel, save it then sort on source URL. An example
>of log entries showing the important parts is below:-
>
> Date & Time Result Source URL
>2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN
>2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN
>2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN
>2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN
>
>I get 80-100 entries per day, which isn't many I know, but over a month this adds up to about 2,500+ entries which take a while to go through. What
>I am looking for is patterns of probes which I then report to abuse@x.y.z asking for the probes to be stopped. To get to the abuse@x.y.z address I
>look up the details on www.dnsstuff.com. Doing this multiple times each day can be tedious and it is not immediately obvious that, for example,
>source URLs 66.139.x.y and 69.44.x.y are all connected to the same ISP.
>
>How do you deal with the firewall logs?
>
>What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
>Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
>exist?
>
>TIA.


>
> How do you deal with the firewall logs?
>
> What would be useful would be a program that will read the log file,
> preferably in XLS format, and spit out a summary along the lines of ISP
> Name, Abuse email address, Source URL, Date & Time sorted on ISP name,
> Source URL and Date & Time if multiple entries are detected. Does such a
> program exist?
>

Yes, there are some programs out there.
I believe what you are looking for is something like this Add-On to the
SmoothWall:
http://community.smoothwall.org/fo [...] php?t=6351

It uses already known information about known aggressive addresses, and in
case the program detects something "new" it also submits it so that others can
have their systems updated to stop the activities.

If you are running SNORT, there is also another Add-On to the Smoothwall
which may be of interest. I have installed it, and if you should try to
port-scan me you will find that my network just disappears from your view
for a pre-set number of days.
Look here: http://community.smoothwall.org/fo [...] php?t=5702

The nice thing about these functions is that when they are there, you do
not have to do anything more; the FW itself will be active and adaptive
towards threats and unwanted activities.

JMM
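
The adaptive behaviour described above (a source that probes repeatedly is ignored for a pre-set number of days, after which the block lapses on its own), as an added Python example; it is not the SmoothWall add-on code from the linked threads. The burst threshold, the window, the three-day block length, the log lines and the RFC 5737 documentation addresses in them are all assumptions. It also covers the two cases the post leaves implicit: a block that expires, and an isolated probe that never reaches the threshold and so is never blocked.

```python
"""Time-limited automatic blocking driven by firewall drop logs.

Added example, not the SmoothWall add-on code. It feeds SonicWall-style log
lines through a small policy: a burst of drops from one source within a short
window puts that source on a block list that expires after a fixed period.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+ \S+) .+? - Source:([\d.]+), \d+, \w+$")
TS_FMT = "%Y/%m/%d %H:%M:%S.%f"

# Assumed policy: 5 dropped packets from one source within 60 s is a probe
# burst; the source is then ignored for 3 days, counted from its last probe.
BURST_COUNT = 5
BURST_WINDOW = timedelta(seconds=60)
BLOCK_FOR = timedelta(days=3)


class AdaptiveBlocklist:
    def __init__(self, count=BURST_COUNT, window=BURST_WINDOW, block_for=BLOCK_FOR):
        self.count, self.window, self.block_for = count, window, block_for
        self.recent = defaultdict(deque)   # source -> timestamps inside the window
        self.blocked_until = {}            # source -> expiry time

    def is_blocked(self, src, now):
        """True while the source's block has not expired; expired entries are dropped."""
        until = self.blocked_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[src]
            return False
        return True

    def observe(self, src, ts):
        """Record one dropped packet; return True if this event triggers a new block."""
        if self.is_blocked(src, ts):
            # a blocked source that keeps probing keeps its block fresh
            self.blocked_until[src] = ts + self.block_for
            return False
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.count:
            self.blocked_until[src] = ts + self.block_for
            q.clear()
            return True
        return False


def feed_log(text, policy=None):
    """Run every parsable line through the policy; return (policy, newly blocked sources)."""
    if policy is None:
        policy = AdaptiveBlocklist()
    newly = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT)
        if policy.observe(m.group(2), ts):
            newly.append((m.group(2), ts))
    return policy, newly


# Constructed sample: one source sends six packets in twenty seconds, another
# sends two isolated packets hours apart and must not be blocked.
SAMPLE_LOG = "\n".join(
    [f"2004/06/11 09:07:{15 + 4 * i:02d}.000 TCP connection dropped - Source:203.0.113.9, {40000 + i}, WAN"
     for i in range(6)]
    + ["2004/06/11 10:27:02.544 UDP packet dropped - Source:198.51.100.4, 31916, WAN",
       "2004/06/11 14:27:02.544 UDP packet dropped - Source:198.51.100.4, 31917, WAN"]
)

if __name__ == "__main__":
    policy, newly = feed_log(SAMPLE_LOG)
    for src, ts in newly:
        print(f"{src} blocked at {ts} until {policy.blocked_until[src]}")
```

Because the expiry is refreshed on every further probe from a blocked source, a scanner that keeps coming back stays invisible for the full period after its last attempt, which is the "disappears for a pre-set number of days" effect the post describes.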


On Sat, 12 Jun 2004 12:06:02 +1000, JC spoketh

>
>How do you deal with the firewall logs?
>
>What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
>Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
>exist?
>
>TIA.

I doubt such a program exists. Firewall log analyzers are available
that'll show daily traffic trends (blocked inbound/outbound and where
traffic is going). However, I know of none that'll look up abuse e-mail
addresses and/or check which ISP an IP address is associated with.

For better logging with the Sonicwall, I recommend using a syslog
server. You can either set up a linux box to do this, or get a free copy
of Kiwi Syslog Daemon from www.kiwisyslog.com. With this, you can log to
any ODBC database you want, and with some skills, you can create reports
(i.e. in MS Access) to tell you what's going on...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"


Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
inside the bumtube of the newstwat in
news:oo9mc0p5s71i88jh8nlm6in3ra2d11qdpq@4ax.com:

> On Sat, 12 Jun 2004 12:06:02 +1000, JC spoketh
>
>>
>>How do you deal with the firewall logs?
>>
>>What would be useful would be a program that will read the log file,
>>preferably in XLS format, and spit out a summary along the lines of
>>ISP Name, Abuse email address, Source URL, Date & Time sorted on ISP
>>name, Source URL and Date & Time if multiple entries are detected.
>>Does such a program exist?
>>
>>TIA.
>
> I doubt such a program exists. Firewall log analyzers are available
> that'll show daily traffic trends (blocked inbound/outbound and where
> traffic is going). However, I know of none that'll look up abuse
> e-mail addresses and/or check which ISP an IP address is associated
> with.
>
> For better logging with the Sonicwall, I recommend using a syslog
> server. You can either set up a linux box to do this, or get a free
> copy of Kiwi Syslog Daemon from www.kiwisyslog.com. With this, you can
> log to any ODBC database you want, and with some skills, you can
> create reports (i.e. in MS Access) to tell you what's going on...
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"
>


Such a program exists for ZoneAlarm, it's called VisualZone. Not sure
about Sonicwall, though.

--
*********************************
> David Qunt
>
****************************************************


On Sat, 12 Jun 2004 16:08:17 GMT, Lars M. Hansen <badnews@hansenonline.net>
wrote:

>On Sat, 12 Jun 2004 12:06:02 +1000, JC spoketh
>
>>
>>How do you deal with the firewall logs?
>>
>>What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
>>Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
>>exist?
>>
>>TIA.
>
>I doubt such a program exists. Firewall log analyzers are available
>that'll show daily traffic trends (blocked inbound/outbound and where
>traffic is going). However, I know of none that'll look up abuse e-mail
>addresses and/or check which ISP an IP address is associated with.
>
>For better logging with the Sonicwall, I recommend using a syslog
>server. You can either set up a linux box to do this, or get a free copy
>of Kiwi Syslog Daemon from www.kiwisyslog.com. With this, you can log to
>any ODBC database you want, and with some skills, you can create reports
>(i.e. in MS Access) to tell you what's going on...
>
>Lars M. Hansen
>www.hansenonline.net
>Remove "bad" from my e-mail address to contact me.
>"If you try to fail, and succeed, which have you done?"

Use the firewall logging program of your choice, and extract the IP address in
question.

Use TESP AbuseReporter <http://www.tesp.com/abounce/> to help you find out all
details about the responsible ISP, to make a cleanly formatted and informative
report, and to email the report.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.


Lars M. Hansen <badnews@hansenonline.net> wrote in
news:oo9mc0p5s71i88jh8nlm6in3ra2d11qdpq@4ax.com:

> On Sat, 12 Jun 2004 12:06:02 +1000, JC spoketh
>
>>
>>How do you deal with the firewall logs?
>>
>>What would be useful would be a program that will read the log file,
>>preferably in XLS format, and spit out a summary along the lines of
>>ISP Name, Abuse email address, Source URL, Date & Time sorted on ISP
>>name, Source URL and Date & Time if multiple entries are detected.
>>Does such a program exist?
>>
>>TIA.
>
> I doubt such a program exists. Firewall log analyzers are available
> that'll show daily traffic trends (blocked inbound/outbound and where
> traffic is going). However, I know of none that'll look up abuse
> e-mail addresses and/or check which ISP an IP address is associated
> with.
>
> For better logging with the Sonicwall, I recommend using a syslog
> server. You can either set up a linux box to do this, or get a free
> copy of Kiwi Syslog Daemon from www.kiwisyslog.com. With this, you can
> log to any ODBC database you want, and with some skills, you can
> create reports (i.e. in MS Access) to tell you what's going on...
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"

I have to agree here. I use the Kiwi Syslog Daemon. I am very impressed
with it. I may get into using SQL Server and Crystal Report.

Duane :)


On Sat, 12 Jun 2004 17:49:15 GMT, David Qunt spoketh

>
>Such a program exists for ZoneAlarm, it's called VisualZone. Not sure
>about Sonicwall, though.

ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
network firewall. Hardly a comparison...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"


Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
inside the bumtube of the newstwat in
news:rfgmc0916lut4sl36gr987pbop74t10al2@4ax.com:

> On Sat, 12 Jun 2004 17:49:15 GMT, David Qunt spoketh
>
>>
>>Such a program exists for ZoneAlarm, it's called VisualZone. Not sure
>>about Sonicwall, though.
>
> ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
> network firewall. Hardly a comparison...
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"
>


Thanks for pointing that out.

However, I wasn't making a comparison, just pointing something out.

The point is, there may be something similar for Sonicwall.

--
*********************************
> David Qunt
>
****************************************************


"David Qunt" <davidqunt@hotmail.com> wrote in message
news:Xns9507EF38CC249000oooQuntooo000@62.253.162.202...
> Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
> inside the bumtube of the newstwat in
> news:rfgmc0916lut4sl36gr987pbop74t10al2@4ax.com:
>
> > On Sat, 12 Jun 2004 17:49:15 GMT, David Qunt spoketh
> >
> >>
> >>Such a program exists for ZoneAlarm, it's called VisualZone. Not sure
> >>about Sonicwall, though.
> >
> > ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
> > network firewall. Hardly a comparison...
> >
> > Lars M. Hansen
> > www.hansenonline.net
> > Remove "bad" from my e-mail address to contact me.
> > "If you try to fail, and succeed, which have you done?"
> >
>
>
> Thanks for pointing that out.
>
> However, I wasn't making a comparison, just pointing something out.
>
> The point is, there may be something similar for Sonicwall.

http://www.kiwisyslog.com

It was pointed out and it works with several brands of FW appliances and
routers.

Duane :)


You might want to consider SonicLogger at http://www.SonicLogger.com for
your SonicWall.

Blake


JC wrote:


> What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
> Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
> exist?
>
> TIA.
>

Set up the sonicwall to use a syslog server (I believe ALL models
support this - I have done it with soho3, pro200 and pro4060 models).

Use kiwi syslogd as the syslog server (do a google search for it - free
download) - it can save data in many formats, including CSV to allow easy
import to excel.

Use kiwi syslog analyzer to sort the logs for you.

--
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
May be copied freely without the express permission of T. Sean Weintz.
T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz


David Qunt wrote:

>
> If you used ZoneAlarm then VisualZone would interpret the logs for you.

Good idea, replace a high end hardware firewall with a low end software
based one.

Geez.


--
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
May be copied freely without the express permission of T. Sean Weintz.
T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz


David Qunt wrote:

> Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep

> Thanks for pointing that out.
>
> However, I wasn't making a comparison, just pointing something out.
>
> The point is, there may be something similar for Sonicwall.
>

look at www.mynetwatchman.org. They have a client that reads sonicwall
entries saved by kiwi syslog, and automatically sends complaints for you.


--
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
May be copied freely without the express permission of T. Sean Weintz.
T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz


Chuck wrote:


> Use TESP AbuseReporter <http://www.tesp.com/abounce/> to help you find out
> all details about the responsible ISP, to make a cleanly formatted and
> informative report, and to email the report.

If you are lucky you'll only bore the average ISP sysadmin to death with
those automated abuse reports. If you are unlucky they might send you a bill for
wasting their time, since these people normally have other things to do than
to deal with the protocol excerpts of paranoid people who run
packet filters and are unable to make up their minds themselves about the
relevance of the output.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel
