sfirescan


Development of 'sfirescan' has now ceased. We had problems with SuSEfirewall2 from version 3.1-26 on SuSE Linux 8.1: the same packet produced duplicate entries in the logfile, first logged as accepted (ACCEPT) and then as dropped (DROP).
We now successfully use picoFIREWALL and picoFIRESCAN as our monitoring tools.


It is now safe to download, install and run this program; several bugs have been fixed (version 0.91, 26Oct2001).
Newest version: 0.97, 29Sep2002
See the bottom of this page for what is new in this version.

The following information applies if you are running SuSE Linux 7.2, 7.3 or 8.0; I am not sure whether it runs on other operating systems. You may try it anyway, since the installation itself changes nothing on your system: the only new files are created below the sfirescan directory (and temporarily in the /tmp directory). The one exception is the optional cron job described below, which is copied into /etc/cron.hourly.

SFIRESCAN is a program that analyzes the file /var/log/firewall, which is created when SuSEfirewall or SuSEfirewall2 is installed and activated.

SFIRESCAN detects suspiciously high numbers of packets arriving at your machine and displays the results on a web page. It also gives access to a full list of the last several hundred packets sent to your machine.

Because the logfile /var/log/firewall is somewhat difficult for humans to read, SFIRESCAN translates it into much more readable output. For instance, the output of SuSEfirewall (/var/log/firewall) looks as follows:

Sep 30 08:08:47 bora kernel: Packet log: input DENY eth0 PROTO=6 211.158.6.20:1794 129.132.53.5:111 L=60 S=0x00 I=2107 F=0x4000 T=45 SYN (#59)
Sep 30 08:25:10 bora kernel: Packet log: input DENY eth0 PROTO=1 129.132.40.56:8 129.132.53.5:0 L=40 S=0x00 I=52871 F=0x0000 T=253 (#121)
Sep 30 08:59:29 bora kernel: Packet log: input DENY eth0 PROTO=6 129.15.210.92:2795 129.132.53.5:80 L=48 S=0x00 I=61666 F=0x4000 T=115 SYN (#124)
Sep 30 09:06:26 bora kernel: Packet log: input ACCEPT eth0 PROTO=6 129.132.53.3:880 129.132.53.5:1024 L=44 S=0x00 I=43334 F=0x4000 T=64 SYN (#14)
Sep 30 09:29:03 bora kernel: Packet log: input DENY eth0 PROTO=1 129.132.40.56:8 129.132.53.5:0 L=40 S=0x00 I=37690 F=0x0000 T=253 (#121)
Sep 30 10:06:26 bora kernel: Packet log: input ACCEPT eth0 PROTO=6 129.132.53.3:768 129.132.53.5:1024 L=44 S=0x00 I=40139 F=0x4000 T=64 SYN (#14)
SFIRESCAN translates them into the following form:
#                                                                                                 Life                
#AC/DE Date   Time     Source                                  Source Port               Protocol Time Destination Port
#
DENY   Sep 30 08:08:47 211.158.6.20                            cera-bcm 1794/tcp         6-tcp   T=45  sunrpc 111/tcp 
DENY   Sep 30 08:25:10 baloo.ethz.ch                           ? 8                       1-icmp  T=253 ? 0 (ping)     
DENY   Sep 30 08:59:29 ip-129-15-210-92.kraettli.ou.edu        ? 2795                    6-tcp   T=115 http 80/tcp    
ACCEPT Sep 30 09:06:26 wave.ethz.ch                            ? 880                     6-tcp   T=64  ? 1024         
DENY   Sep 30 09:29:03 baloo.ethz.ch                           ? 8                       1-icmp  T=253 ? 0 (ping)     
ACCEPT Sep 30 10:06:26 wave.ethz.ch             

With SuSEfirewall2 the logfile looks similar, and so does the output of SFIRESCAN (with SuSEfirewall2, packets that are not accepted usually appear as 'DROP'ed instead of 'DENY'ed). The newest version of SFIRESCAN also gives more detail on arriving ICMP packets and generally treats packets more appropriately.
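The following is an added example, not code from sfirescan itself, showing the two steps the page describes: parsing the ipchains-style "Packet log:" lines above into the readable table form (service names, protocol, TTL, ICMP type/code) and counting packets per source and minute to flag a suspiciously high rate. It accepts ACCEPT, DENY, DROP and REJECT verdicts, so DROP lines in that same layout are handled too; the SERVICES table is a constructed stand-in for /etc/services, the sample log is the page's six lines plus four made-up lines, the threshold of five packets per minute is an arbitrary assumption, and IP addresses are not resolved to hostnames here. The iptables-based log layout of later SuSEfirewall2 versions is not parsed by this regular expression and is reported as unparsable.

```python
import re
from collections import Counter

# Regular expression for the ipchains-style "Packet log:" line that SuSEfirewall
# writes to /var/log/firewall (derived from the sample lines on this page).
LINE_RE = re.compile(
    r"^(?P<date>\w{3} +\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\w+) (?P<verdict>ACCEPT|DENY|DROP|REJECT) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x[0-9A-Fa-f]+ I=\d+ F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed stand-in for /etc/services; a real tool would read the system
# file (or call socket.getservbyport) instead of this fixed table.
SERVICES = {("tcp", 80): "http", ("tcp", 111): "sunrpc", ("tcp", 1794): "cera-bcm"}

# For ICMP the two "port" fields carry the type (source side) and code
# (destination side); type 8 is an echo request, shown as "(ping)" in the table.
ICMP_TYPE_NAMES = {8: "ping"}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"].split()          # e.g. ["SYN"] or []
    rec["protoname"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec


def port_label(rec, which):
    """Translate a port (or ICMP type/code) into the 'name port/proto' style."""
    port = rec[which]
    if rec["proto"] == 1:                        # ICMP: sport = type, dport = code
        label = "? %d" % port
        if which == "dport" and rec["sport"] in ICMP_TYPE_NAMES:
            label += " (%s)" % ICMP_TYPE_NAMES[rec["sport"]]
        return label
    name = SERVICES.get((rec["protoname"], port))
    if name:
        return "%s %d/%s" % (name, port, rec["protoname"])
    return "? %d" % port                         # unknown service


def format_row(rec):
    """One line of the readable table (addresses are left unresolved here)."""
    return "%-6s %s %s %-24s %-18s %d-%-4s T=%-4d %s" % (
        rec["verdict"], rec["date"], rec["time"], rec["src"],
        port_label(rec, "sport"), rec["proto"], rec["protoname"], rec["ttl"],
        port_label(rec, "dport"))


def scan(lines, threshold):
    """Count packets per (minute, source) and return those at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:                          # skip lines in another layout
            continue
        minute = "%s %s" % (rec["date"], rec["time"][:5])
        counts[(minute, rec["src"])] += 1
    return sorted((minute, src, n) for (minute, src), n in counts.items() if n >= threshold)


# Constructed sample: the six lines from this page plus four made-up DENY lines
# from 211.158.6.20 in the same minute as its first one (a small port sweep).
SAMPLE_LOG = """\
Sep 30 08:08:47 bora kernel: Packet log: input DENY eth0 PROTO=6 211.158.6.20:1794 129.132.53.5:111 L=60 S=0x00 I=2107 F=0x4000 T=45 SYN (#59)
Sep 30 08:08:48 bora kernel: Packet log: input DENY eth0 PROTO=6 211.158.6.20:1795 129.132.53.5:21 L=60 S=0x00 I=2108 F=0x4000 T=45 SYN (#59)
Sep 30 08:08:48 bora kernel: Packet log: input DENY eth0 PROTO=6 211.158.6.20:1796 129.132.53.5:22 L=60 S=0x00 I=2109 F=0x4000 T=45 SYN (#59)
Sep 30 08:08:49 bora kernel: Packet log: input DENY eth0 PROTO=6 211.158.6.20:1797 129.132.53.5:23 L=60 S=0x00 I=2110 F=0x4000 T=45 SYN (#59)
Sep 30 08:08:49 bora kernel: Packet log: input DENY eth0 PROTO=6 211.158.6.20:1798 129.132.53.5:25 L=60 S=0x00 I=2111 F=0x4000 T=45 SYN (#59)
Sep 30 08:25:10 bora kernel: Packet log: input DENY eth0 PROTO=1 129.132.40.56:8 129.132.53.5:0 L=40 S=0x00 I=52871 F=0x0000 T=253 (#121)
Sep 30 08:59:29 bora kernel: Packet log: input DENY eth0 PROTO=6 129.15.210.92:2795 129.132.53.5:80 L=48 S=0x00 I=61666 F=0x4000 T=115 SYN (#124)
Sep 30 09:06:26 bora kernel: Packet log: input ACCEPT eth0 PROTO=6 129.132.53.3:880 129.132.53.5:1024 L=44 S=0x00 I=43334 F=0x4000 T=64 SYN (#14)
Sep 30 09:29:03 bora kernel: Packet log: input DENY eth0 PROTO=1 129.132.40.56:8 129.132.53.5:0 L=40 S=0x00 I=37690 F=0x0000 T=253 (#121)
Sep 30 10:06:26 bora kernel: Packet log: input ACCEPT eth0 PROTO=6 129.132.53.3:768 129.132.53.5:1024 L=44 S=0x00 I=40139 F=0x4000 T=64 SYN (#14)
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        print(format_row(rec) if rec else "UNPARSED " + line)
    for minute, src, n in scan(SAMPLE_LOG, 5):   # threshold is an assumption
        print("suspicious: %s sent %d packets at %s" % (src, n, minute))
```

Running it on the real file is a matter of replacing SAMPLE_LOG with open("/var/log/firewall"), which needs root (or a group with read access to the log) just as sfirescan does. Keying the counter on the minute rather than on a sliding window keeps the logic simple but means a burst straddling a minute boundary is split in two; a practitioner tuning the threshold should keep that in mind.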

Download sfirescan.tar.gz here. Read also the file README.sfirescan.

Change to the directory below which SFIRESCAN should be installed (e.g. /app) and enter the following commands as root (root privileges are needed to read the file /var/log/firewall):

su -
(enter root-password)
gunzip sfirescan.tar.gz
tar xvf sfirescan.tar
cd sfirescan
./install
./sfirescan
To have the program run every hour, copy the supplied cron script into the hourly cron directory (it will then run as root, like the manual invocation above):
cp sfirescan_cron /etc/cron.hourly/.

The results can be viewed in a web browser by opening the file sfirescan/work/homepage.html.

And: let me know if you like the program (and also if you do not like it...).

New in version 0.97:
- Fixed various bugs; the part of the input line after '[' in the firewall file is now deleted
New in version 0.93:
- Allow a new installation without deleting the information of older versions
- Allow specifying how many lines should appear in the FullList
  (see file sfirescan.cfg)
New in version 0.92:
- Support services in /etc/services without protocol (e.g.: swx 7300-7390)
New in version 0.9:
- The file trusted.hosts: hosts listed in this file do not appear in bold
  on the web pages, so you can more easily identify 'unknown' hosts that have
  sent a packet to your machine
- The order of the entries in the file suspicious.html is now inverted: the
  newest entries appear on top

Things to be implemented:
- Automatic e-mail notification if a suspicious number of packets per minute arrives.


Last Update: 02Jan2003 uk --- Created: 30Sep2001 uk