picoFIRESCAN

picoFIRESCAN - Tested on Debian and SuSE Linux

picoFirescan displays the log file of picoFirewall in an easily readable way as a web page in HTML format.

Contents:
- You are in a hurry? Quick install on Debian Linux
- Changelog
- Features
- Example
- Download
- Install
- Comments
- Experience

QUICK INSTALL ON DEBIAN LINUX

- As root add the following line in your file /etc/apt/sources.list:
deb http://debian.seismo.ethz.ch/debian/ sarge ethz_sed
- Enter: apt-get update; apt-get install picofirescan
- You're done; the results are in /var/lib/picofirescan/work/homepage.html


PART OF THE CHANGELOG
Version 1.14    13Apr2005 Improved handling of file trusted.hosts
Version 1.13    09Apr2005 Call host as 'host -s 1' because of IPs as 202.30.109.4
Version 1.12    08Apr2005 Modified for logging of outgoing packets
Version 1.11    27Sep2004 Corrected a typo in the postinst file
Version 1.10    27Sep2004 Modified upgrading to new version
Version 1.09    22Sep2004 Modified sfirelog.f again (IP2HOST)
                Modified picomonitor - check if files exist before copying

Currently, newer versions than V1.08 are only available as Debian packages,
see section Download.

Version 1.08 (04Jun2004): Modified sfirelog.f again (different versions of host)
                          And: first picoFirewall entry in logfile was not processed
Version 1.07 (19Nov2003): Modified to be used on Debian GNU/Linux as well.
Version 1.06 (09Mar2003): Suggest to enlarge browser's window for best results
Version 1.05 (01Mar2003): If source port is reported to be 0, print so
Version 1.04 (04Feb2003): List entries of SYN_floods in blue
Version 1.03 (02Feb2003): List rules / comments from picoFIREWALL in the HTML output,
                          thus allowing you to see why a specific packet was
                          DROPped or ACCEPTed. INVALID (and therefore dropped)
                          packets appear in black; some format changes.
Version 1.02 (20Jan2003): leaving existing  picofirewall.cfg  untouched.
Version 1.01 (19Jan2003): fixed a bug, which caused an empty fulllist.html, if
                          firewall logfile is not /var/log/messages.
First version: was called 'sfirescan' and started on 26 Sep 2001.

FEATURES
picoFIRESCAN is just a small (as the prefix 'pico' implies) tool which analyzes the logfile if picoFIREWALL is installed. It does basically two things:
- Read the firewall logfile and create HTML pages which show what's going on
- Check whether there is unusually high activity (e.g. a portscan) and create separate web pages for it

EXAMPLE
The following is an example of the logfile of picoFIREWALL (usually /var/log/messages):

Feb  2 02:49:21 kava kernel: P-Fw-DROP-badIP-in: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=129.132.40.56 DST=192.168.0.17 LEN=40 TOS=0x00 PREC=0x00 TTL=252 ID=11288 PROTO=ICMP TYPE=8 CODE=0 ID=18964 SEQ=51
Feb  2 03:00:06 kava kernel: P-Fw-DROP-UDP-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=65.69.129.194 DST=192.168.0.17 LEN=32 TOS=0x00 PREC=0x00 TTL=240 ID=1638 DF PROTO=UDP SPT=6669 DPT=6669 LEN=12
Feb  2 03:05:36 kava kernel: P-Fw-ACCEPT-trusted-in: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=129.132.53.17 DST=192.168.0.17 LEN=68 TOS=0x00 PREC=0x00 TTL=61 ID=2855 DF PROTO=UDP SPT=817 DPT=2049 LEN=48
Feb  2 17:56:19 kava kernel: P-Fw-DROP-TCP-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=128.134.56.211 DST=192.168.0.17 LEN=60 TOS=0x00 PREC=0x00 TTL=43 ID=38139 DF PROTO=TCP SPT=37446 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A053A6CC20000000001030300)
Feb  8 18:01:40 kava kernel: P-Fw-DROP-SYN_flood-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=138.88.84.97 DST=192.168.0.17 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=16339 DF PROTO=TCP SPT=4820 DPT=6346 WINDOW=65280 RES=0x00 SYN URGP=0 OPT (0204055001010402)
Feb  2 18:01:44 kava kernel: P-Fw-DROP-SYN_flood-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=200.85.163.19 DST=192.168.0.17 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=12282 DF PROTO=TCP SPT=2203 DPT=6346 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Feb  2 19:24:35 kava kernel: P-Fw-DROP-NEWnoSYN-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=198.240.212.33 DST=192.168.0.17 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=14506 DF PROTO=TCP SPT=443 DPT=37455 WINDOW=0 RES=0x00 RST URGP=0
Feb  2 20:33:43 kava kernel: P-Fw-INVALID-invalid-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=217.210.152.250 DST=192.168.0.17 LEN=56 TOS=0x00 PREC=0x00 TTL=243 ID=52686 PROTO=ICMP TYPE=3 CODE=1 [SRC=129.132.208.26 DST=207.214.211.127 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=256 PROTO=TCP INCOMPLETE [8 bytes] ]
Feb  2 21:02:36 kava kernel: P-Fw-DROP-ICMP-ping-in: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=213.196.13.143 DST=192.168.0.17 LEN=36 TOS=0x00 PREC=0x00 TTL=116 ID=52903 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=18253

...and below is the output of picoFIRESCAN for the same part of the log:
#<---- for a nice view of this output, enlarge your browser window, so that this line is seen fully! ------------------------------------------>
#
#Packet                                                          Source Port               Proto-  Life  Destination Port
#Status Date   Time     Source                                   (name / no.)              col     Time    (name / no.)           Firewall Rule
#
DROP    Feb 2  02:49:21 baloo.ethz.ch                            -                         icmp    T=252 - (type=8 ping)          badIP-in                     
DROP    Feb 2  03:00:06 adsl-65-69-129-194.dsl.rcsntx.swbell.net ircu 6669/udp             udp     T=240 ircu 6669/udp            UDP-IN                       
ACCEPT  Feb 2  03:05:36 front.ethz.ch                            ? 817                     udp     T=61  nfs 2049/udp             trusted-in                   
DROP    Feb 2  17:56:19 comm20.kwangwoon.ac.kr                   ? 37446                   tcp     T=43  https 443/tcp            TCP-IN                       
DROP    Feb 2  18:01:40 pool-138-88-84-97.res.east.verizon.net   ? 4820                    tcp     T=115 gnutella-svc 6346/tcp    SYN_flood-IN
DROP    Feb 2  18:01:44 mdig19.ibw.com.ni                        ? 2203                    tcp     T=109 gnutella-svc 6346/tcp    SYN_flood-IN
DROP    Feb 2  19:24:35 directnet1.credit-suisse.com             https 443/tcp             tcp     T=44  ? 37455                  NEWnoSYN-IN                
INVALID Feb 2  20:33:43 fls34o868.telia.com                      -                         icmp    T=243 - (type=3)               invalid-IN                   
DROP    Feb 2  21:02:36 bbn-cust-13-143.dsl.cybercomm.nl         -                         icmp    T=116 - (type=8 ping)          ICMP-ping-in                 
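To make the parsing behind such a table concrete, here is an added Python example; it is not picoFIRESCAN's own code (the tool is written in Fortran, see sfirelog.f in the changelog). It assumes the netfilter log layout shown above: a 'P-Fw-<STATUS>-<rule>:' prefix followed by KEY=VAL fields, where ICMP error messages embed the offending packet's header in square brackets and the LEN and ID keys repeat. It prints the source IP instead of the reverse-DNS name the tool obtains with 'host', uses a constructed four-entry service table instead of /etc/services, and flags "unusually high activity" (the portscan check mentioned under FEATURES) with a constructed threshold of 10 distinct DROPped destination ports per source. The sample log mixes two lines copied from the example above with a constructed probe burst from an RFC 5737 documentation address.

```python
# Added example: parse picoFIREWALL-style netfilter log lines, render the
# table layout shown above, and flag sources that hit many distinct ports.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# "<Mon> <DD> <HH:MM:SS> <host> kernel: P-Fw-<STATUS>-<rule>: KEY=VAL ..."
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"\S+\s+kernel:\s+P-Fw-(?P<status>[A-Z]+)-(?P<rule>\S+):\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed four-entry stand-in for the /etc/services lookup (assumption)
SERVICES = {("tcp", 443): "https", ("udp", 2049): "nfs",
            ("tcp", 6346): "gnutella-svc", ("udp", 6669): "ircu"}


@dataclass
class Packet:
    status: str              # DROP / ACCEPT / INVALID
    date: str
    time: str
    src: str
    dst: str
    proto: str               # tcp / udp / icmp
    ttl: int
    spt: Optional[int]       # None for ICMP
    dpt: Optional[int]
    icmp_type: Optional[int]
    rule: str                # picoFIREWALL rule name, e.g. SYN_flood-IN


def parse_line(line: str) -> Optional[Packet]:
    """Return a Packet for a picoFIREWALL log line, None for any other line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # Only the outer header matters; the nested [...] of ICMP errors is cut off.
    fields: dict = {}
    for key, val in KV_RE.findall(m["fields"].split("[", 1)[0]):
        fields.setdefault(key, val)   # first occurrence wins (LEN and ID repeat)

    def as_int(key: str) -> Optional[int]:
        return int(fields[key]) if key in fields else None

    return Packet(status=m["status"], date=f"{m['mon']} {int(m['day'])}",
                  time=m["time"], src=fields["SRC"], dst=fields["DST"],
                  proto=fields["PROTO"].lower(), ttl=int(fields["TTL"]),
                  spt=as_int("SPT"), dpt=as_int("DPT"),
                  icmp_type=as_int("TYPE"), rule=m["rule"])


def parse_log(lines) -> list:
    """Parse every recognised line, skipping the rest of syslog."""
    return [p for p in map(parse_line, lines) if p is not None]


def port_label(proto: str, port: Optional[int]) -> str:
    """'name no./proto' when the service is known, otherwise '? no.'."""
    if port is None:
        return "-"
    name = SERVICES.get((proto, port))
    return f"{name} {port}/{proto}" if name else f"? {port}"


def format_row(p: Packet) -> str:
    """One row in the layout of the picoFIRESCAN table (IP instead of hostname)."""
    if p.proto == "icmp":
        sport = "-"
        dport = f"- (type={p.icmp_type} ping)" if p.icmp_type == 8 else f"- (type={p.icmp_type})"
    else:
        sport, dport = port_label(p.proto, p.spt), port_label(p.proto, p.dpt)
    return (f"{p.status:<7} {p.date:<6} {p.time} {p.src:<16} {sport:<22} "
            f"{p.proto:<5} T={p.ttl:<4} {dport:<22} {p.rule}")


def find_port_scans(packets, min_ports: int = 10) -> dict:
    """Sources whose DROPped TCP/UDP packets hit >= min_ports distinct ports
    (constructed threshold, not the tool's)."""
    ports = defaultdict(set)
    for p in packets:
        if p.status == "DROP" and p.dpt is not None:
            ports[p.src].add(p.dpt)
    return {src: len(s) for src, s in ports.items() if len(s) >= min_ports}


SAMPLE_LOG = [
    # Two lines copied from the example log above, plus an unrelated kernel line
    "Feb  2 03:00:06 kava kernel: P-Fw-DROP-UDP-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=65.69.129.194 DST=192.168.0.17 LEN=32 TOS=0x00 PREC=0x00 TTL=240 ID=1638 DF PROTO=UDP SPT=6669 DPT=6669 LEN=12",
    "Feb  2 20:33:43 kava kernel: P-Fw-INVALID-invalid-IN: IN=eth0 OUT= MAC=00:02:b3:ab:a8:31:00:90:d0:15:20:4a:08:00 SRC=217.210.152.250 DST=192.168.0.17 LEN=56 TOS=0x00 PREC=0x00 TTL=243 ID=52686 PROTO=ICMP TYPE=3 CODE=1 [SRC=129.132.208.26 DST=207.214.211.127 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=256 PROTO=TCP INCOMPLETE [8 bytes] ]",
    "Feb  2 03:07:00 kava kernel: eth0: link up",
] + [
    # Constructed burst: one RFC 5737 documentation address probing 12 ports
    f"Feb  2 23:10:{s:02d} kava kernel: P-Fw-DROP-TCP-IN: IN=eth0 OUT= MAC=00 "
    f"SRC=198.51.100.7 DST=192.168.0.17 LEN=60 TOS=0x00 PREC=0x00 TTL=50 "
    f"ID={1000 + s} DF PROTO=TCP SPT={40000 + s} DPT={20 + s} WINDOW=5840 RES=0x00 SYN URGP=0"
    for s in range(1, 13)
]

if __name__ == "__main__":
    packets = parse_log(SAMPLE_LOG)
    for p in packets:
        print(format_row(p))
    for src, n in find_port_scans(packets).items():
        print(f"possible port scan: {src} tried {n} distinct ports")
```

Run it as a script to see the table and the scan warning for the constructed burst. Two details carry over from the real format: keeping the first occurrence of a repeated key is what makes the outer LEN and ID win, and cutting the line at the first '[' is what keeps an ICMP error's quoted inner header from overwriting the real SRC and DST.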

DOWNLOAD

Debian users may download and install picoFIRESCAN by doing the following:

- Add the following line in your /etc/apt/sources.list :
deb http://debian.seismo.ethz.ch/debian/ sarge ethz_sed (new since 13Apr2005)

- Then enter:   apt-get update;  apt-get install picofirescan
- The documentation is then available in /usr/share/doc/picofirescan
- You may then skip the rest of this section and you may also skip the section
INSTALL.
Download picofirescan.tar.gz here.

INSTALL
Make sure you have a Fortran compiler installed: enter the command   which f77   - if you do not get any output, install the compiler:

Debian: apt-get install g77 ; apt-get update
SuSE  : install g77 with YaST from the installation DVD/CD
Go to the directory below which picoFIRESCAN should be installed (e.g. /app ) and enter the following
(you have to enter the commands as root in order to be able to read the logfile):
su -
(enter root-password)
gunzip picofirescan.tar.gz
tar xvf picofirescan.tar
cd picofirescan
./install
picofirescan

COMMENTS
Before actually starting picoFIRESCAN, you should read the README file which comes with the distribution; you may have to set some variables in the files trusted.hosts and picofirescan.cfg .

OUR EXPERIENCE
We run picoFIRESCAN on several Linux machines, running SuSE Linux 8.0, 8.1, 8.2, 9.0 and on Debian GNU/Linux; one of these machines is a mail- and web-server.
picoFIRESCAN should run on all newer Linux versions, and I do my best to cover the problems with the command/program 'host', which gives different results in different versions...
picoFIRESCAN analyzes the log file if picoFIREWALL is installed. However, it could also analyze the logs of other iptables or even ipchains firewalls if the logging follows some basic rules.

And: let me know if you like the program (and also if you do not like it...).


Last Update: 19Apr2005 uk --- Created: 02Jan2003 uk