sfirelog

sfirelog (Version 0.2)


Read this page, but then switch to the SFIRESCAN web page for a better solution!!!

SuSEfirewall writes its output (also) to the file /var/log/messages. The program sfirelog reads this file, extracts the output of SuSEfirewall and produces readable output that shows which domains tried to access your machine.
A good site for more information is http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-4.html; a short description of what the entries in the log file mean is included at the bottom of this page.
Useful information can also be found on http://www.robertgraham.com/pubs/firewall-seen.html.
sfirelog was tested on SuSE Linux 7.2 and it needs the GNU Fortran compiler g77 in order to compile/install the program. g77 is part of the SuSE Linux distribution and can easily be installed.

A typical output of 'sfirelog' looks as follows:

ACCEPT Jul 24 21:06:28 bootp-47-96.bootp.Virginia.EDU          ftp 21/tcp                6-tcp   T=112 ftp 21/tcp
DENY   Jul 26 00:31:37 ppp-102-231.21-151.libero.it            telnet 23/tcp             6-tcp   T=127 telnet 23/tcp
DENY   Jul 26 14:51:40 adsl839.turboline.be                    ? 8                       1-icmp  T=106 ? 0 (ping)
You can see that one domain tried to establish an ftp connection to your machine, another tried a telnet connection and the third sent you a ping.

The program and an installation script can be downloaded here: Download sfirelog.f

Then you have to enter the command (as root, in order to write into the directory /usr/local/bin): ./install_sfirelog
The easiest way to run the program is then:

su -
(enter the root password)
cd /var/log
sfirelog
If you do not trust the program, you may copy the file /var/log/messages to any directory and run the program sfirelog there as a regular user.
Note: If you are connected to the internet, the domain addresses can be resolved if you use the -r option; otherwise only the IP addresses appear.
The output is written to the standard output (your screen). Should the output be written to a file, enter: sfirelog > sfirelog.out
sfirelog also writes some comments; should you not like these comments, enter sfirelog | grep -v ^# and the comments will be suppressed.
Should you like to get information only about 'denied accesses', enter sfirelog | grep ^DENY

The new version 0.2 does not resolve the IP numbers by default, because this takes a lot of time (usually many minutes). However, if you would like to resolve the IP numbers in the output, start sfirelog with the option

 --resolve   or  -r   :    sfirelog -r
Then sfirelog will try to resolve the domain addresses from the IP numbers (only if you are connected to the internet).

Any hints/suggestions on how to improve this program are most welcome! The program 'sfirelog' will only be developed further if I receive comments/suggestions.


The following description is from: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-4.html
The kernel logs this information looking like:
 
Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025
            L=34 S=0x00 I=18 F=0x0000 T=254
 
This log message is designed to be terse, and contain technical
information useful only to networking gurus, but it can be useful to the
rest of us. It breaks down like so:
 
    1. `input' is the chain which contained the rule which matched the packet,
       causing the log message.
    2. `DENY' is what the rule said to do to the packet. If this is `-'
       then the rule didn't affect the packet at all (an accounting rule).
    3. `eth0' is the interface name. Because this was the input chain, it
       means that the packet came in `eth0'.
    4. `PROTO=17' means that the packet was protocol 17. A list of protocol
       numbers is given in `/etc/protocols'. The most common are 1
       (ICMP), 6 (TCP) and 17 (UDP).
    5. `192.168.2.1' means that the packet's source IP address was 192.168.2.1.
    6. `:53' means that the source port was port 53. Looking in
       `/etc/services' shows that this is the `domain' port (ie. this is probably
       a DNS reply). For UDP and TCP, this number is the source port. For ICMP,
       it's the ICMP type. For others, it will be 65535.
    7. `192.168.1.1' is the destination IP address.
    8. `:1025' means that the destination port was 1025. For UDP and TCP,
       this number is the destination port. For ICMP, it's the ICMP
       code. For others, it will be 65535.
    9. `L=34' means that packet was a total of 34 bytes long.
   10. `S=0x00' means the Type of Service field (divide by 4 to get the Type
       of Service as used by ipchains).
   11. `I=18' is the IP ID.
   12. `F=0x0000' is the 16-bit fragment offset plus flags. A value starting
       with `0x4' or `0x5' means that the Don't Fragment bit is set. `0x2'
       or `0x3' means the `More Fragments' bit is set; expect more
       fragments after this. The rest of the number is the offset of this
       fragment, divided by 8.
   13. `T=254' is the Time To Live of the packet. One is subtracted from
       this value for every hop, and it usually starts at 15 or 255.
   14. `(#5)' there may be a final number in brackets on more recent kernels
       (perhaps after 2.2.9). This is the rule number which caused the
       packet log.
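The extraction sfirelog performs on these kernel lines, shown as an added Python example (not sfirelog's own Fortran code): it picks the "Packet log:" entries out of /var/log/messages, decodes the fields listed above (including the ICMP type/code special case and the F= fragment bits), and prints them in the column order of the sample output earlier on this page. The log lines and the small service table are constructed for the example.

```python
import re
# Constructed sample /var/log/messages lines: three ipchains entries (ftp accepted, telnet denied, ping denied) plus one unrelated sshd line.
SAMPLE_LOG = """\
Jul 24 21:06:28 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.0.0.7:1045 192.168.1.5:21 L=60 S=0x00 I=4711 F=0x4000 T=112 (#3)
Jul 26 00:31:37 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:2049 192.168.1.5:23 L=60 S=0x00 I=9 F=0x4000 T=127 (#5)
Jul 26 14:51:40 gw kernel: Packet log: input DENY eth0 PROTO=1 10.0.0.11:8 192.168.1.5:0 L=84 S=0x00 I=18 F=0x0000 T=106
Jul 26 15:00:00 gw sshd[123]: Accepted password for uk from 10.0.0.2
"""
# Field layout of the kernel message as documented in the IPCHAINS HOWTO (rule number is optional).
PACKET_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: (?P<chain>\S+) (?P<action>\S+) "
    r"(?P<iface>\S+) PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?$")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Constructed subset of /etc/services; a real tool would read that file.
SERVICES = {("tcp", 21): "ftp", ("tcp", 23): "telnet", ("tcp", 53): "domain", ("udp", 53): "domain"}
ICMP_TYPES = {0: "echo reply", 3: "unreachable", 8: "ping"}

def parse_line(line):
    """Return a dict for one 'Packet log:' line, or None for any other syslog line."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl"):
        rec[key] = int(rec[key])
    rec["frag"] = int(rec["frag"], 16)                  # 16-bit fragment offset plus flags
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    return rec

def describe_service(rec):
    """Service column as sfirelog prints it; for ICMP the port fields carry type and code."""
    proto = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    if rec["proto"] == 1:
        return f"? {rec['sport']} ({ICMP_TYPES.get(rec['sport'], 'icmp type')})"
    return f"{SERVICES.get((proto, rec['dport']), '?')} {rec['dport']}/{proto}"

def fragment_flags(frag):
    """Decode F=: (Don't Fragment bit, More Fragments bit, fragment offset in 8-byte units)."""
    return bool(frag & 0x4000), bool(frag & 0x2000), frag & 0x1FFF

def report(text):
    """One readable line per logged packet, in the column order sfirelog uses."""
    rows = []
    for rec in filter(None, map(parse_line, text.splitlines())):
        rows.append(f"{rec['action']:<6} {rec['ts']} {rec['src']:<16} {describe_service(rec):<24} "
                    f"{rec['proto']}-{PROTO_NAMES.get(rec['proto'], '?')} T={rec['ttl']}")
    return rows
```

Piping the output through grep ^DENY, as the page suggests, works the same on this report; name resolution of the source addresses is left out so the example runs offline.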


Last Update: 30Sep2001 uk Created: 30Jul2001