The development of 'sfirescan' has been ceased now. We had problems with
SuSEfirewall2 since version 3.1-26 on SuSELinux 8.1: we got duplicated entries
in the logfile for the same packet: first it was logged to be accepted (ACCEPT),
then to be dropped (DROP).
Now we successfully use picoFIREWALL and picoFIRESCAN as monitoring tool.
The following information applies, if you are running SuSE Linux 7.2, 7.3 or 8.0 - I am not sure, whether it is running on other operating systems! However, you may try it, since nothing on your system will be changed and the only new files created will be below the sfirescan directory (and temporarily on the /tmp directory).
SFIRESCAN is a software, which analyzes the file /var/log/firewall, created if the software SuSEfirewall or SuSEfirewall2 is installed and activated.
SFIRESCAN detects suspicious high numbers of packets arriving at your machine and displays the resultes on a web-page. It also gives access to a full list of the last several hundred packets to your machine.
Because the logfile /var/log/firewall is somewhat difficult to read by humans, SFIRESCAN translates this file to a much better readable output. For instance, the output of SuSEfirewall (/var/log/firewall) will look as follows:
Sep 30 08:08:47 bora kernel: Packet log: input DENY eth0 PROTO=6 188.8.131.52:1794 184.108.40.206:111 L=60 S=0x00 I=2107 F=0x4000 T=45 SYN (#59) Sep 30 08:25:10 bora kernel: Packet log: input DENY eth0 PROTO=1 220.127.116.11:8 18.104.22.168:0 L=40 S=0x00 I=52871 F=0x0000 T=253 (#121) Sep 30 08:59:29 bora kernel: Packet log: input DENY eth0 PROTO=6 22.214.171.124:2795 126.96.36.199:80 L=48 S=0x00 I=61666 F=0x4000 T=115 SYN (#124) Sep 30 09:06:26 bora kernel: Packet log: input ACCEPT eth0 PROTO=6 188.8.131.52:880 184.108.40.206:1024 L=44 S=0x00 I=43334 F=0x4000 T=64 SYN (#14) Sep 30 09:29:03 bora kernel: Packet log: input DENY eth0 PROTO=1 220.127.116.11:8 18.104.22.168:0 L=40 S=0x00 I=37690 F=0x0000 T=253 (#121) Sep 30 10:06:26 bora kernel: Packet log: input ACCEPT eth0 PROTO=6 22.214.171.124:768 126.96.36.199:1024 L=44 S=0x00 I=40139 F=0x4000 T=64 SYN (#14)SFIRESCAN translates them into the following form:
# Life #AC/DE Date Time Source Source Port Protocol Time Destination Port # DENY Sep 30 08:08:47 188.8.131.52 cera-bcm 1794/tcp 6-tcp T=45 sunrpc 111/tcp DENY Sep 30 08:25:10 baloo.ethz.ch ? 8 1-icmp T=253 ? 0 (ping) DENY Sep 30 08:59:29 ip-129-15-210-92.kraettli.ou.edu ? 2795 6-tcp T=115 http 80/tcp ACCEPT Sep 30 09:06:26 wave.ethz.ch ? 880 6-tcp T=64 ? 1024 DENY Sep 30 09:29:03 baloo.ethz.ch ? 8 1-icmp T=253 ? 0 (ping) ACCEPT Sep 30 10:06:26 wave.ethz.ch
Using SuSEfirewall2, things will look similarly and the output of SFIRESCAN will also look similarly (with SuSEfirewall2, packets which are not accepted, will then usually appear as 'DROP'ed insted of 'DENY'ed). However, the newest version of SFIRESCAN has e.g. more details on ICMP-packets arriving and it generally treats packets more appropriately.
Download sfirescan.tar.gz here. Read also the file README.sfirescan.
Go to your directory, below which SFIRESCAN should be installed (e.g. /app )
and enter the following:
You have to enter the commands (as root, in order to be able to read the file /var/log/firewall)
su - (enter root-password) gunzip sfirescan.tar.gz tar xvf sfirescan.tar cd sfirescan ./install ./sfirescanIn order to have the program scheduled every hour, enter the following:
cp sfirescan_cron /etc/cron.hourly/.
The results can be viewed via a web-browser looking at the file sfirescan/work/homepage.html
And: let me know, if you like the program (and also, if you do not like it...).
New in version 0.97: - Fixed various bugs; and delete input-file part after '[' in the firewall file New in version 0.93: - Allow new installation without deleting information of older versions - Allow to specify, how many lines should appear in the FullList (see file sfirescan.cfg) New in version 0.92: - Support services in /etc/services without protocol (e.g.: swx 7300-7390) New in version 0.9: - The file trusted.hosts - entries of hosts in this file do not appear in bold on the web-pages, so you can more easily identify 'unknown' hosts having sent a packet to your machine - The order of the entries in the file suspicious.html is now inverted: the newest entries appear on top
Things to be implemented: - Automatic e-mail notification if a suspicious number of packets per minute arrives.