picoFIRESCAN - Tested on Debian and SuSE Linux
picoFirescan displays the log-file of picoFirewall in an easily readable way on a web-page in HTML format
Contents:
- You are in a hurry? Quick install on Debian Linux
- Changelog
- Features
- Example
- Download
- Install
- Comments
- Experience
QUICK INSTALL ON DEBIAN LINUX
- As root add the following line in your file /etc/apt/sources.list:
deb http://debian.seismo.ethz.ch/debian/ sarge ethz_sed
- Enter: apt-get update; apt-get install picofirescan
- You're done; the results are in /var/lib/picofirescan/work/homepage.html
PART OF THE CHANGELOG
- Version 1.14 (13Apr2005): Improved handling of file trusted.hosts
- Version 1.13 (09Apr2005): Call host as 'host -s 1' because of IPs such as 202.30.109.4
- Version 1.12 (08Apr2005): Modified for logging of outgoing packets
- Version 1.11 (27Sep2004): Corrected a typo in the postinst file
- Version 1.10 (27Sep2004): Modified upgrading to new version
- Version 1.09 (22Sep2004): Modified sfirelog.f again (IP2HOST); modified picomonitor - check if files exist before copying
Currently, newer versions than V1.08 are only available as Debian packages, see section Download.
- Version 1.08 (04Jun2004): Modified sfirelog.f again (different versions of host). And: first picoFirewall entry in logfile was not processed
- Version 1.07 (19Nov2003): Modified to be used on Debian GNU/Linux as well.
- Version 1.06 (09Mar2003): Suggest to enlarge browser's window for best results
- Version 1.05 (01Mar2003): If source port is reported to be 0, print so
- Version 1.04 (04Feb2003): List entries of SYN_floods in blue
- Version 1.03 (02Feb2003): List rules / comments from picoFIREWALL in the HTML output, thus allowing to see why a specific packet was DROPped or ACCEPTed. INVALID (and therefore dropped) packets appear in black color; some format changes.
- Version 1.02 (20Jan2003): Leaving existing picofirewall.cfg untouched.
- Version 1.01 (19Jan2003): Fixed a bug which caused an empty fulllist.html if the firewall logfile is not /var/log/messages.
- First version: was called 'sfirescan' and started on 26 Sep 2001.
FEATURES
picoFIRESCAN is just a small tool (as the prefix 'pico' implies) that analyzes
the firewall logfile written by picoFIREWALL, if picoFIREWALL is installed.
It does basically two things:
- Read the firewall logfile and create HTML pages which show what's going on
- Check whether there is unusually high activity (e.g. a portscan) and create separate web pages for it
EXAMPLE
The following is an example of the logfile of picoFIREWALL (usually /var/log/messages):
Feb 2 02:49:21 kava kernel: P-Fw-DROP-badIP-in: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=129.132.40.56 DST=192.168.0.17 LEN=40 TOS=0x00 PREC=0x00 TTL=252 ID=11288 PROTO=ICMP TYPE=8 CODE=0 ID=18964 SEQ=51
Feb 2 03:00:06 kava kernel: P-Fw-DROP-UDP-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=65.69.129.194 DST=192.168.0.17 LEN=32 TOS=0x00 PREC=0x00 TTL=240 ID=1638 DF PROTO=UDP SPT=6669 DPT=6669 LEN=12
Feb 2 03:05:36 kava kernel: P-Fw-ACCEPT-trusted-in: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=129.132.53.17 DST=192.168.0.17 LEN=68 TOS=0x00 PREC=0x00 TTL=61 ID=2855 DF PROTO=UDP SPT=817 DPT=2049 LEN=48
Feb 2 17:56:19 kava kernel: P-Fw-DROP-TCP-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=128.134.56.211 DST=192.168.0.17 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=38139 DF PROTO=TCP SPT=37446 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A053A6CC20000000001030300)
Feb 8 18:01:40 kava kernel: P-Fw-DROP-SYN_flood-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=138.88.84.97 DST=192.168.0.17 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=16339 DF PROTO=TCP SPT=4820 DPT=6346 WINDOW=65280 RES=0x00 SYN URGP=0 OPT (0204055001010402)
Feb 2 18:01:44 kava kernel: P-Fw-DROP-SYN_flood-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=200.85.163.19 DST=192.168.0.17 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=12282 DF PROTO=TCP SPT=2203 DPT=6346 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Feb 2 19:24:35 kava kernel: P-Fw-DROP-NEWnoSYN-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=198.240.212.33 DST=192.168.0.17 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=14506 DF PROTO=TCP SPT=443 DPT=37455 WINDOW=0 RES=0x00 RST URGP=0
Feb 2 20:33:43 kava kernel: P-Fw-INVALID-invalid-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=217.210.152.250 DST=192.168.0.17 LEN=56 TOS=0x00 PREC=0x00 TTL=243 ID=52686 PROTO=ICMP TYPE=3 CODE=1 [SRC=129.132.208.26 DST=207.214.211.127 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=256 PROTO=TCP INCOMPLETE [8 bytes] ]
Feb 2 21:02:36 kava kernel: P-Fw-DROP-ICMP-ping-in: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=213.196.13.143 DST=192.168.0.17 LEN=36 TOS=0x00 PREC=0x00 TTL=116 ID=52903 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=18253
And this is what picoFIRESCAN makes of it:
#<---- for a nice view of this output, enlarge your browser window, so that this line is seen fully! ------------------------------------------>
#
#Packet  Date   Time      Source                                    Source Port        Proto-  Life   Destination Port       Firewall
#Status                   (name / no.)                              (name / no.)       col     Time   (name / no.)           Rule
#
DROP     Feb 2  02:49:21  baloo.ethz.ch                             -                  icmp    T=252  - (type=8 ping)        badIP-in
DROP     Feb 2  03:00:06  adsl-65-69-129-194.dsl.rcsntx.swbell.net  ircu 6669/udp      udp     T=240  ircu 6669/udp          UDP-IN
ACCEPT   Feb 2  03:05:36  front.ethz.ch                             ? 817              udp     T=61   nfs 2049/udp           trusted-in
DROP     Feb 2  17:56:19  comm20.kwangwoon.ac.kr                    ? 37446            tcp     T=43   https 443/tcp          TCP-IN
DROP     Feb 2  18:01:40  pool-138-88-84-97.res.east.verizon.net    ? 4820             tcp     T=115  gnutella-svc 6346/tcp  SYN_flood-IN
DROP     Feb 2  18:01:44  mdig19.ibw.com.ni                         ? 2203             tcp     T=109  gnutella-svc 6346/tcp  SYN_flood-IN
DROP     Feb 2  19:24:35  directnet1.credit-suisse.com              https 443/tcp      tcp     T=44   ? 37455                NEWnoSYN-IN
INVALID  Feb 2  20:33:43  fls34o868.telia.com                       -                  icmp    T=243  - (type=3)             invalid-IN
DROP     Feb 2  21:02:36  bbn-cust-13-143.dsl.cybercomm.nl          -                  icmp    T=116  - (type=8 ping)        ICMP-ping-in
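As an added example (not picoFIRESCAN's own code; the tool itself is written in Fortran, as the sfirelog.f entries in the changelog show), here is a small Python script that does the two jobs listed under FEATURES on the log format shown above: it parses lines carrying the P-Fw-<STATUS>-<rule>: prefix into the same columns as the table, keeping the outer packet when an ICMP error message embeds another one in [...], and it flags any source that hits several distinct destination ports within a short window, which is the "unusually high activity" check. The port-to-service table, the year (syslog lines carry none) and the use of IP addresses instead of host names are assumptions; the scanning source 203.0.113.5 and its six log lines are constructed, the other four lines are copied from the log above.

```python
"""Parse picoFIREWALL-style iptables log lines and summarise them.

Added example, not picoFIRESCAN's own (Fortran) code.  It assumes the
kernel log prefix has the form  P-Fw-<STATUS>-<rule>:  as in the sample
log on the page, followed by the usual iptables KEY=VALUE fields.
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2005  # syslog lines carry no year; assumed for time arithmetic

# Constructed port -> service table; picoFIRESCAN itself resolves names.
SERVICES = {"tcp": {443: "https", 6346: "gnutella-svc"},
            "udp": {2049: "nfs", 6669: "ircu"}}

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"P-Fw-(?P<status>DROP|ACCEPT|INVALID)-(?P<rule>\S+?): (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Four lines copied from the page's sample log, plus a constructed burst from
# a documentation address (203.0.113.5) probing six ports within seconds.
SAMPLE_LOG = [
    "Feb  2 02:49:21 kava kernel: P-Fw-DROP-badIP-in: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=129.132.40.56 DST=192.168.0.17 LEN=40 TOS=0x00 PREC=0x00 TTL=252 ID=11288 PROTO=ICMP TYPE=8 CODE=0 ID=18964 SEQ=51",
    "Feb  2 03:05:36 kava kernel: P-Fw-ACCEPT-trusted-in: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=129.132.53.17 DST=192.168.0.17 LEN=68 TOS=0x00 PREC=0x00 TTL=61 ID=2855 DF PROTO=UDP SPT=817 DPT=2049 LEN=48",
    "Feb  2 17:56:19 kava kernel: P-Fw-DROP-TCP-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=128.134.56.211 DST=192.168.0.17 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=38139 DF PROTO=TCP SPT=37446 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A053A6CC20000000001030300)",
    "Feb  2 20:33:43 kava kernel: P-Fw-INVALID-invalid-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=217.210.152.250 DST=192.168.0.17 LEN=56 TOS=0x00 PREC=0x00 TTL=243 ID=52686 PROTO=ICMP TYPE=3 CODE=1 [SRC=129.132.208.26 DST=207.214.211.127 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=256 PROTO=TCP INCOMPLETE [8 bytes] ]",
]
SCAN_LINES = [
    f"Feb  2 22:10:{i:02d} kava kernel: P-Fw-DROP-TCP-IN: IN=eth0 OUT= "
    f"SRC=203.0.113.5 DST=192.168.0.17 LEN=60 TTL=50 ID={i} DF PROTO=TCP "
    f"SPT={40000 + i} DPT={port} WINDOW=5840 RES=0x00 SYN URGP=0"
    for i, port in enumerate([21, 22, 23, 25, 80, 110])
]


def parse_line(line):
    """Return a record for one firewall log line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # ICMP error messages embed the offending packet in [...]; cut it off so
    # the outer SRC/DST/PROTO win, and keep the first value of repeated keys.
    fields = {}
    for key, val in KV_RE.findall(m.group("fields").split("[", 1)[0]):
        fields.setdefault(key, val)
    return {
        "status": m.group("status"), "rule": m.group("rule"),
        "date": f'{m.group("mon")} {int(m.group("day")):2d}',
        "time": m.group("time"),
        "src": fields.get("SRC", "?"), "dst": fields.get("DST", "?"),
        "proto": fields.get("PROTO", "?").lower(), "ttl": fields.get("TTL", "?"),
        "spt": fields.get("SPT"), "dpt": fields.get("DPT"),
        "icmp_type": fields.get("TYPE"),
    }


def port_name(proto, port):
    """Render a port the way the table does: 'name port/proto', else '? port'."""
    if port is None:  # protocols without ports (e.g. ESP) get a dash
        return "-"
    name = SERVICES.get(proto, {}).get(int(port))
    return f"{name} {port}/{proto}" if name else f"? {port}"


def format_row(rec):
    """One summary row in the page's column order (IP instead of host name)."""
    if rec["proto"] == "icmp":
        spt = "-"
        t = rec["icmp_type"]
        dpt = f"(type={t} ping)" if t == "8" else f"(type={t})"
    else:
        spt = port_name(rec["proto"], rec["spt"])
        dpt = port_name(rec["proto"], rec["dpt"])
    return " ".join([rec["status"], rec["date"], rec["time"], rec["src"], spt,
                     rec["proto"], f"T={rec['ttl']}", dpt, rec["rule"]])


def find_port_scans(records, min_ports=5, window_s=60):
    """Map source IP -> sorted ports for every source that hit at least
    min_ports distinct destination ports within some window_s-second span."""
    by_src = defaultdict(list)
    for r in records:
        if r["dpt"] is None:
            continue
        ts = datetime.strptime(f"{r['date']} {r['time']} {YEAR}", "%b %d %H:%M:%S %Y")
        by_src[r["src"]].append((ts, r["dpt"]))
    scans = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window over each start
            ports = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                scans[src] = sorted(ports, key=int)
                break
    return scans


def summarise(lines):
    """Parse all lines; return (table rows, suspected port-scan sources)."""
    records = [r for r in map(parse_line, lines) if r]
    return [format_row(r) for r in records], find_port_scans(records)


if __name__ == "__main__":
    rows, scans = summarise(SAMPLE_LOG + SCAN_LINES)
    print("\n".join(rows))
    for src, ports in scans.items():
        print(f"possible portscan from {src}: ports {', '.join(ports)}")
```

Run it on a real /var/log/messages by feeding the file's lines to summarise(); lines that do not carry the P-Fw- prefix (sshd, cron, ...) are ignored by parse_line. The first-value-wins rule in parse_line matters for the INVALID line above: without cutting at "[" the inner SRC=129.132.208.26 of the quoted packet would be mistaken for the sender of the ICMP error.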
DOWNLOAD
Debian users may download and install picoFIRESCAN by doing the following:
- Add the following line in your /etc/apt/sources.list (new since 13Apr2005):
deb http://debian.seismo.ethz.ch/debian/ sarge ethz_sed
- Then enter: apt-get update; apt-get install picofirescan
- The documentation is then available in /usr/share/doc/picofirescan
- You may then skip the rest of this section and you may also skip the section INSTALL.
Download picofirescan.tar.gz here.
INSTALL
Make sure you have a Fortran compiler installed: enter the command
which f77
If you do not get any output, install the compiler:
- Debian: apt-get install g77 ; apt-get update
- SuSE: install g77 with YaST from the installation DVD/CD
Go to the directory below which picoFIRESCAN should be installed (e.g. /app) and enter the following:
su - (enter root-password)
gunzip picofirescan.tar.gz
tar xvf picofirescan.tar
cd picofirescan
./install picofirescan
COMMENTS
Before actually starting picoFIRESCAN, you should read the README file which
comes with the distribution; you may have to set some variables in the files
trusted.hosts and picofirescan.cfg.
OUR EXPERIENCE
We run picoFIRESCAN on several Linux machines running SuSE Linux 8.0, 8.1, 8.2,
9.0 and Debian GNU/Linux; one of these machines is a mail and web server.
picoFIRESCAN should run on all newer Linux versions, and I do my best to cover
the problems with the command/program 'host', which gives different results in
different versions...
picoFIRESCAN analyzes the log file if picoFIREWALL is installed. However, it
could also analyze the logs of other iptables or even ipchains firewalls, if
the logging follows some basic rules.
And: let me know if you like the program (and also if you do not like it...).