wallfire-users Mailing List for WallFire (Page 3)
Brought to you by:
eychenne
From: Herve E. <rv...@wa...> - 2004-01-08 16:08:18
|
Hi! here's new version wflogs-0.9.7
wflogs is the firewall log analyser of the WallFire project.
Changes from 0.9.6:
* Added wfchkintegrity tool, which makes it possible to monitor changes in the firewalling configuration.
* Optimization of line counting in realtime mode.
* Changed configure options --with-wfnetobjs-includes into --with-wfnetobjs-incdir, and --with-wfnetobjs-library into --with-wfnetobjs-libdir.
Bugfixes from 0.9.6:
* Removed "\e[1K\015" which was printed in realtime mode even when non interactive.
* Fixed a small memory leak in realtime mode.
* Still allow interactivity when interactive and realtime modes are both enabled and logs are flooding in.
Download:
http://www.wallfire.org/download/wflogs-0.9.7.tar.gz
http://www.wallfire.org/download/wflogs-0.9.7.tar.bz2
i386 binary packages are also available for Debian woody (stable) (via an apt repository). All you have to do is add
deb http://www.wallfire.org/debian/ stable main
to your /etc/apt/sources.list file. Then run 'apt-get update && apt-get install wflogs', here.
Notes:
- Debian packages may not be immediately available after an upstream release, but it is generally a question of hours or days. Stay tuned!
- Debian binary packages made for woody should also work on sid, but you'd better use standard sid packages available through your usual Debian apt mirror.
In order to compile wfconvert and wflogs, remember that you need the latest version of wfnetobjs. Read INSTALL instructions in both source trees.
wfnetobjs is available at: http://www.wallfire.org/wfnetobjs/
Both source trees must be untarred from the same directory, and you'll have to rename wfnetobjs-version to wfnetobjs, or create a symbolic link.
You are strongly advised to use wflogs with libadns (an asynchronous DNS resolution library), which speeds up things greatly on large log files. You can find it at: http://www.chiark.greenend.org.uk/~ian/adns/
You may also consider installing the readline library, very useful in interactive mode.
wflogs homepage: http://www.wallfire.org/wflogs/
General information about the WallFire project can be found at: http://www.wallfire.org/
Happy firewalling,
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
|
|
From: Herve E. <rv...@wa...> - 2003-11-05 22:38:08
|
On Wed, Nov 05, 2003 at 06:58:58PM +0100, Florent Daussin wrote:
Hi,
> I really would like to use wflogs to report my firewall log in html
> format, but I fail....
> why ?
> because when I write : #./wflogs/wflogs -i netfilter -o html
> /"mylogfile" > logs.html, it bugs and finally says: "lt-wflogs : Error :
> output failed".
> same for text format !
> When I do the same for xml format ("#./wflogs/wflogs -i netfilter -o xml
> /"mylogfile" > logs.xml, it turns well...
> So where's the bug ?
Please try ./wflogs/wflogs --verbose=2 -i netfilter -o html mylogfile
and tell me if you get a more explicit message.
If not, run strace ./wflogs/wflogs -i netfilter -o html mylogfile
and send me the result via personal email, and I'll sort it out.
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
|
|
From: Florent D. <flo...@fr...> - 2003-11-05 21:25:03
|
Hi,
I really would like to use wflogs to report my firewall log in html
format, but I fail....
why ?
because when I write : #./wflogs/wflogs -i netfilter -o html
/"mylogfile" > logs.html, it bugs and finally says: "lt-wflogs : Error :
output failed".
same for text format !
When I do the same for xml format ("#./wflogs/wflogs -i netfilter -o xml
/"mylogfile" > logs.xml, it turns well...
So where's the bug ?
I run with linux mandrake 9.1
thank you,
florent.
|
|
From: Herve E. <rv...@wa...> - 2003-10-30 18:21:24
|
Hi! here's new version wflogs-0.9.6
wflogs is the firewall log analyser of the WallFire project.
Changes from 0.9.5:
* Added new interactive command 'filter'.
* While in non-interactive real-time mode (-R only), enable to fall back into interactive mode with signal USR1.
* Small parsing improvement for netfilter input module.
Bugfixes from 0.9.5:
* Issue no error if one or both port numbers are null (this happens sometimes with forged packets).
* Compilation fixes for gcc 3.3.
Download:
http://www.wallfire.org/download/wflogs-0.9.6.tar.gz
http://www.wallfire.org/download/wflogs-0.9.6.tar.bz2
i386 binary packages are also available for Debian woody (stable) (via an apt repository). All you have to do is add
deb http://www.wallfire.org/debian/ stable main
to your /etc/apt/sources.list file. Then run 'apt-get update && apt-get install wflogs', here.
Notes:
- Debian packages may not be immediately available after an upstream release, but it is generally a question of hours or days. Stay tuned!
- Debian binary packages made for woody should also work on sid, but you'd better use standard sid packages available through your usual Debian apt mirror.
In order to compile wfconvert and wflogs, remember that you need the last version of wfnetobjs. Read INSTALL instructions in both source trees.
wfnetobjs is available at: http://www.wallfire.org/wfnetobjs/
Both source trees must be untarred from the same directory, and you'll have to rename wfnetobjs-version to wfnetobjs, or create a symbolic link.
You may consider using wflogs with libadns (an asynchronous DNS resolution library), which speeds up things greatly on large log files.
You can find it at: http://www.chiark.greenend.org.uk/~ian/adns/
You may also consider installing the readline library, useful in interactive mode.
wflogs homepage: http://www.wallfire.org/wflogs/
General information about the WallFire project can be found at: http://www.wallfire.org/
Happy firewalling,
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
|
|
From: Herve E. <rv...@wa...> - 2003-10-30 17:52:21
|
Hi! here's new version wfnetobjs-0.1.8
wfnetobjs is the network objects library of the WallFire project.
Changes from 0.1.7:
* Moved wf_network::broadcast to wf_iface::broadcast, and wf_network::complete() to wf_iface::complete().
* Added wf_ipaddr::isnull() and wf_ipaddr::isloopback().
* Added wf_network::netmask_tobitmask().
* Added wf_network::ishost(), wf_network::tostr() and wf_network::tostr_value()
* Added route handling capabilities (only default gateway listing under linux currently)
* Changed wf_host::ifaceguess() to iface_guess().
* Added wf_host::name_guess().
* Rearranged wf_listeners::probe_local_linux().
* Added rvlog class, which handles error and log messages.
* Added firewalling tool detection for 2.5 and 2.6 kernels.
Download:
http://www.wallfire.org/download/wfnetobjs-0.1.8.tar.gz
http://www.wallfire.org/download/wfnetobjs-0.1.8.tar.bz2
wfnetobjs homepage: http://www.wallfire.org/wfnetobjs/
General information about the WallFire project can be found at: http://www.wallfire.org/
Happy firewalling,
Herve
--
_
(o= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
|
|
From: Herve E. <rv...@wa...> - 2003-06-24 23:02:53
|
On Sun, Jun 15, 2003 at 08:19:58AM -0400, ma...@be... wrote:
> Has anyone experienced the following when building wfnetobjs on
> Solaris/FreeBSD?
> make all-recursive
> make[1]: Entering directory `/tmp/wfnetobjs-0.1.7'
> Making all in intl
> make[2]: Entering directory `/tmp/wfnetobjs-0.1.7/intl'
> gcc -c -DLOCALEDIR=\"/usr/local/share/locale\"
> -DLOCALE_ALIAS_PATH=\"/usr/local/share/locale\"
> -DLIBDIR=\"/usr/local/lib\" -DHAVE_CONFIG_H -I.. -I. -I../intl -g -O2
> dcigettext.c
> dcigettext.c: In function `plural_lookup':
> dcigettext.c:993: called object is not a function
> make[2]: *** [dcigettext.o] Error 1
> make[2]: Leaving directory `/tmp/wfnetobjs-0.1.7/intl'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/tmp/wfnetobjs-0.1.7'
> make: *** [all-recursive-am] Error 2
Please have a look at
http://sourceforge.net/mailarchive/forum.php?thread_id=2510475&forum_id=3555
and let me know.
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
|
|
From: <ma...@be...> - 2003-06-15 12:20:06
|
Has anyone experienced the following when building wfnetobjs on Solaris/FreeBSD?
make all-recursive
make[1]: Entering directory `/tmp/wfnetobjs-0.1.7'
Making all in intl
make[2]: Entering directory `/tmp/wfnetobjs-0.1.7/intl'
gcc -c -DLOCALEDIR=\"/usr/local/share/locale\" -DLOCALE_ALIAS_PATH=\"/usr/local/share/locale\" -DLIBDIR=\"/usr/local/lib\" -DHAVE_CONFIG_H -I.. -I. -I../intl -g -O2 dcigettext.c
dcigettext.c: In function `plural_lookup':
dcigettext.c:993: called object is not a function
make[2]: *** [dcigettext.o] Error 1
make[2]: Leaving directory `/tmp/wfnetobjs-0.1.7/intl'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/wfnetobjs-0.1.7'
make: *** [all-recursive-am] Error 2
Thanks for any insight,
- Ryan
|
|
From: E. <rv...@wa...> - 2003-05-08 11:28:03
|
On Thu, May 08, 2003 at 01:30:58PM +0200, Friedhelm Düsterhöft wrote:
> > Yes it is. But a firewalling _tool_ is IMHO not the place to do that.
> > I mean, accounting for the traffic that will be dropped can only be
> > done at the firewalling level for self-evident reasons.
> > But traffic passing thru could (and indeed should) be accounted at
> > the next level.
> True and false. If your network is accounted by an upstream ISP
> this ISP doesn't care whether you block a packet or not - you have
> to pay for all traffic.
If your ISP makes you pay for the traffic, change your ISP. ;-)
> So accounting on the next level is too late.
That would mean you have access to your ISP firewalling logs.
Frankly, I doubt that.
> If you have more than one border you have to grab the stats from
> different devices.
True. Use a "distributed" accounting tool, then.
> > Note that it wouldn't prevent the firewalling tool from doing some
> > lightweight accounting on allowed traffic to optimize rules ordering
> > (if traversal is sequential).
> That's what I ask for: lightweight accounting.
As I said, text logs are not what I call lightweight...
> > But in any case, logs in text format are not the best way to do accounting,
> > as they are much too heavy and cumbersome for that purpose.
> Sure they aren't. But when you are using Cisco it seems to be the only practical
> way.
Are you sure? How do products such as Firewall-I do it, for example?
> Perhaps you know how to do accounting via SNMP on a PIX? For an IOS
> Router it can be done. However it would not give you the port numbers. So
> all you can see is how many bytes are transferred between 2 addresses.
> You say tacacs? This will give you all accounting details - but only for
> authenticated connections!
> If you know any other reasonable way to do ip accounting I would love to
> hear about it.
No I don't, and your point is valid.
But finding a way to circumvent Cisco's insufficiencies is not a priority for me, as there are so many useful (I mean for firewalling in its very sense) and time-consuming things to do before that.
Identifying log messages related to denied or accepted packets is useful for firewalling. Identifying log messages related to the end of allowed connections (such as PIX-302014 msgs) is not directly useful, as this is pure accounting (which is now wallfire's initial goal).
My time is already limited, so I won't do it myself. But maybe I'll be willing to integrate it if someone does the job.
Or maybe you'll want to have a look at specific PIX log parsing tools...
http://www.loganalysis.org/sections/parsing/application-specific/index.html
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
|
|
From: <fd...@ms...> - 2003-05-08 11:26:48
|
----- Original Message -----
From: "Herve Eychenne" <rv...@wa...>
To: "Friedhelm Düsterhöft" <fd...@ms...>
Cc: <wal...@li...>
Sent: Wednesday, May 07, 2003 10:21 PM
Subject: Re: [Wallfire-users] Using wflogs/cisco_pix for ip accounting
> Yes it is. But a firewalling _tool_ is IMHO not the place to do that.
> I mean, accounting for the traffic that will be dropped can only be
> done at the firewalling level for self-evident reasons.
> But traffic passing thru could (and indeed should) be accounted at
> the next level.
True and false. If your network is accounted by an upstream ISP
this ISP doesn't care whether you block a packet or not - you have
to pay for all traffic. So accounting on the next level is too late.
If you have more than one border you have to grab the stats from
different devices.
> Note that it wouldn't prevent the firewalling tool from doing some
> lightweight accounting on allowed traffic to optimize rules ordering
> (if traversal is sequential).
That's what I ask for: lightweight accounting.
> But in any case, logs in text format are not the best way to do accounting,
> as they are much too heavy and cumbersome for that purpose.
Sure they aren't. But when you are using Cisco it seems to be the only practical
way. Perhaps you know how to do accounting via SNMP on a PIX? For an IOS
Router it can be done. However it would not give you the port numbers. So
all you can see is how many bytes are transferred between 2 addresses.
You say tacacs? This will give you all accounting details - but only for
authenticated connections!
If you know any other reasonable way to do ip accounting I would love to
hear about it.
> > Convinced?
> Well... not really. ;-)
Now?
> Herve
Friedhelm
|
|
From: Herve E. <rv...@wa...> - 2003-05-07 20:20:35
|
On Wed, May 07, 2003 at 11:34:55PM +0200, Friedhelm Düsterhöft wrote:
> > As you know, a serious security policy is "allow a few connections,
> > drop all the rest", and it doesn't make much sense to log what is
> > accepted (at least at the filter level).
> > So... of course you can use values provided by a firewalling tool for
> > accounting, but if it's not for firewalled (understand blocked)
> > connections, it's generally a bad idea.
> I do understand your point of view, but the question who is
> consuming all of your bandwidth is security related, too.
> Furthermore, ip accounting could help spotting weak filtering rules.
> As the firewall is (or should be) the central place where all traffic
> arrives it is an ideal location for collecting traffic data.
Yes it is. But a firewalling _tool_ is IMHO not the place to do that.
I mean, accounting for the traffic that will be dropped can only be
done at the firewalling level for self-evident reasons.
But traffic passing thru could (and indeed should) be accounted at
the next level.
Note that it wouldn't prevent the firewalling tool from doing some
lightweight accounting on allowed traffic to optimize rules ordering
(if traversal is sequential).
But in any case, logs in text format are not the best way to do accounting,
as they are much too heavy and cumbersome for that purpose.
> Convinced?
Well... not really. ;-)
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
|
|
From: <fd...@ms...> - 2003-05-07 19:35:01
|
> As you know, a serious security policy is "allow a few connections,
> drop all the rest", and it doesn't make much sense to log what is
> accepted (at least at the filter level).
> So... of course you can use values provided by a firewalling tool for
> accounting, but if it's not for firewalled (understand blocked)
> connections, it's generally a bad idea.
I do understand your point of view, but the question who is
consuming all of your bandwidth is security related, too.
Furthermore, ip accounting could help spotting weak filtering rules.
As the firewall is (or should be) the central place where all traffic
arrives it is an ideal location for collecting traffic data.
Convinced?
Friedhelm
----- Original Message -----
From: "Herve Eychenne" <rv...@wa...>
To: "Friedhelm Düsterhöft" <fd...@ms...>
Cc: <wal...@li...>
Sent: Wednesday, May 07, 2003 8:51 PM
Subject: Re: [Wallfire-users] Using wflogs/cisco_pix for ip accounting
> On Wed, May 07, 2003 at 08:54:20PM +0200, Friedhelm Düsterhöft wrote:
> Hi,
> > Well, really a huuuge list. To get out the most with the least effort I
> > would suggest to start with PIX-6-302014 and PIX-6-302016 messages.
> > This would allow for an accounting of TCP and UDP bytes of legitimate connections.
> You know, wflogs was not designed to be an accounting tool, but for
> the moment it gathers information about filtered (or non-filtered)
> connections.
> As you know, a serious security policy is "allow a few connections,
> drop all the rest", and it doesn't make much sense to log what is
> accepted (at least at the filter level).
> So... of course you can use values provided by a firewalling tool for
> accounting, but if it's not for firewalled (understand blocked)
> connections, it's generally a bad idea.
> So messages like number 106010 (and equivalents) seem much more
> important to me in the first place.
> Herve
> --
> _
> (°= Hervé Eychenne
> //)
> v_/_ WallFire project: http://www.wallfire.org/
> > ----- Original Message -----
> > From: "Hervé Eychenne" <rv...@wa...>
> > To: "Friedhelm Duesterhoeft" <fd...@ms...>
> > Cc: <wal...@li...>
> > Sent: Monday, April 28, 2003 8:07 PM
> > Subject: Re: [Wallfire-users] Using wflogs/cisco_pix for ip accounting
> > > On Sun, Apr 27, 2003 at 11:31:44PM +0200, Friedhelm Duesterhoeft wrote:
> > > Hi,
> > > > thanx for your reply. Please find attached some sample logs (only PIX-6
> > > > lines). I think the sample should include all sorts - at least all I'm
> > > > interested in at the moment ;-). At first view there are not too many
> > > > variations so I hope it's not very hard for you to build the regexps
> > > > required.
> > > > It would be nice if you could include pix info level parsing in one of the
> > > > next releases. Wflogs rocks - thanks a lot for your efforts!
> > > Please have a look at
> > > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm
> > > As you can see, one can spend some time sorting out meaningful messages
> > > for wflogs... :-/
> > > Friedhelm, if you (or someone else) want to gather all error messages
> > > that should be treated by wflogs, I would be glad to do the parsing as
> > > quickly as possible.
> > > Hervé
|
|
From: Herve E. <rv...@wa...> - 2003-05-07 18:50:13
|
On Wed, May 07, 2003 at 08:54:20PM +0200, Friedhelm Düsterhöft wrote:
Hi,
> Well, really a huuuge list. To get out the most with the least effort I
> would suggest to start with PIX-6-302014 and PIX-6-302016 messages.
> This would allow for an accounting of TCP and UDP bytes of legitimate connections.
You know, wflogs was not designed to be an accounting tool, but for
the moment it gathers information about filtered (or non-filtered)
connections.
As you know, a serious security policy is "allow a few connections,
drop all the rest", and it doesn't make much sense to log what is
accepted (at least at the filter level).
So... of course you can use values provided by a firewalling tool for
accounting, but if it's not for firewalled (understand blocked)
connections, it's generally a bad idea.
So messages like number 106010 (and equivalents) seem much more
important to me in the first place.
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
> ----- Original Message -----
> From: "Hervé Eychenne" <rv...@wa...>
> To: "Friedhelm Duesterhoeft" <fd...@ms...>
> Cc: <wal...@li...>
> Sent: Monday, April 28, 2003 8:07 PM
> Subject: Re: [Wallfire-users] Using wflogs/cisco_pix for ip accounting
> > On Sun, Apr 27, 2003 at 11:31:44PM +0200, Friedhelm Duesterhoeft wrote:
> > Hi,
> > > thanx for your reply. Please find attached some sample logs (only PIX-6
> > > lines). I think the sample should include all sorts - at least all I'm
> > > interested in at the moment ;-). At first view there are not too many
> > > variations so I hope it's not very hard for you to build the regexps
> > > required.
> > > It would be nice if you could include pix info level parsing in one of the
> > > next releases. Wflogs rocks - thanks a lot for your efforts!
> > Please have a look at
> > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm
> > As you can see, one can spend some time sorting out meaningful messages
> > for wflogs... :-/
> > Friedhelm, if you (or someone else) want to gather all error messages
> > that should be treated by wflogs, I would be glad to do the parsing as
> > quickly as possible.
> > Hervé
|
|
From: <fd...@ms...> - 2003-05-07 16:54:36
|
Well, really a huuuge list. To get out the most with the least effort I would suggest to start with PIX-6-302014 and PIX-6-302016 messages. This would allow for an accounting of TCP and UDP bytes of legitimate connections.
Just my 2 cents.
Friedhelm
----- Original Message -----
From: "Hervé Eychenne" <rv...@wa...>
To: "Friedhelm Duesterhoeft" <fd...@ms...>
Cc: <wal...@li...>
Sent: Monday, April 28, 2003 8:07 PM
Subject: Re: [Wallfire-users] Using wflogs/cisco_pix for ip accounting
> On Sun, Apr 27, 2003 at 11:31:44PM +0200, Friedhelm Duesterhoeft wrote:
> Hi,
> > thanx for your reply. Please find attached some sample logs (only PIX-6
> > lines). I think the sample should include all sorts - at least all I'm
> > interested in at the moment ;-). At first view there are not too many
> > variations so I hope it's not very hard for you to build the regexps
> > required.
> > It would be nice if you could include pix info level parsing in one of the
> > next releases. Wflogs rocks - thanks a lot for your efforts!
> Please have a look at
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm
> As you can see, one can spend some time sorting out meaningful messages
> for wflogs... :-/
> Friedhelm, if you (or someone else) want to gather all error messages
> that should be treated by wflogs, I would be glad to do the parsing as
> quickly as possible.
> Hervé
> --
> _
> (°= Hervé Eychenne
> //)
> v_/_ WallFire project: http://www.wallfire.org/
|
|
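Friedhelm's suggestion above (sum the byte counts carried by PIX-6-302014 and PIX-6-302016 teardown messages to get TCP and UDP accounting of legitimate connections, the same PIX-6 lines the earlier --datalen=yes thread found unparsed), worked through as an added example; this is not wflogs code and was not posted to the list. It assumes the teardown message layout encoded in the regex (modelled on the PIX 6.x syslog format) and runs on constructed log lines.

```python
"""Lightweight per-service byte accounting from Cisco PIX-6 teardown messages.

%PIX-6-302014 (TCP) and %PIX-6-302016 (UDP) lines carry the byte count of a
connection that just ended, so summing them answers "who is consuming the
bandwidth" without touching the firewall rules themselves. The message
layout below is an assumption modelled on the PIX 6.x syslog format, and
the sample log lines are constructed for this example.
"""
import re
from collections import defaultdict

# Teardown message layout (assumed): the PIX prints two endpoints as
# "<iface>:<ip>/<port>"; no traffic direction is inferred from their order.
TEARDOWN_RE = re.compile(
    r"%PIX-6-(?P<msgid>30201[46]): Teardown (?P<proto>TCP|UDP) connection "
    r"(?P<conn>\d+) for (?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) "
    r"to (?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+)"
)

# Constructed sample: three teardowns plus a "Built" (302013) line and a
# PIX-4 deny line, both of which an accounting pass must ignore.
SAMPLE_LOG = """\
May  7 20:01:02 pix %PIX-6-302014: Teardown TCP connection 1001 for outside:192.0.2.10/80 to inside:10.0.0.5/33001 duration 0:00:05 bytes 15234 TCP FINs
May  7 20:01:03 pix %PIX-6-302016: Teardown UDP connection 1002 for outside:192.0.2.53/53 to inside:10.0.0.5/33002 duration 0:00:01 bytes 312
May  7 20:01:04 pix %PIX-6-302014: Teardown TCP connection 1003 for outside:192.0.2.10/80 to inside:10.0.0.5/33003 duration 0:01:10 bytes 40000 TCP Reset-O
May  7 20:01:05 pix %PIX-6-302013: Built inbound TCP connection 1004 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.0.0.5/33004 (10.0.0.5/33004)
May  7 20:01:06 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22 by access-group "outside_in"
"""


def parse_teardown(line):
    """Return the accounting fields of one teardown line, or None when the
    line is not a 302014/302016 message (every other PIX line is skipped)."""
    m = TEARDOWN_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return {
        "msgid": g["msgid"],
        "proto": g["proto"],
        "a_if": g["a_if"], "a_ip": g["a_ip"], "a_port": int(g["a_port"]),
        "b_if": g["b_if"], "b_ip": g["b_ip"], "b_port": int(g["b_port"]),
        "duration_s": int(g["h"]) * 3600 + int(g["m"]) * 60 + int(g["s"]),
        "bytes": int(g["bytes"]),
    }


def account(lines, key=("a_ip", "a_port", "b_ip", "proto")):
    """Aggregate flows, bytes and connection time per key.

    The default key groups by the first endpoint's address and port (the
    service side in the sample) plus the peer address, so ephemeral client
    ports collapse into one row. Returns (totals, skipped_line_count)."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0, "seconds": 0})
    skipped = 0
    for line in lines:
        rec = parse_teardown(line)
        if rec is None:
            skipped += 1
            continue
        row = totals[tuple(rec[f] for f in key)]
        row["flows"] += 1
        row["bytes"] += rec["bytes"]
        row["seconds"] += rec["duration_s"]
    return dict(totals), skipped


def top_talkers(totals, n=5):
    """Rows sorted by total bytes, largest first."""
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


if __name__ == "__main__":
    totals, skipped = account(SAMPLE_LOG.splitlines())
    print(f"{skipped} non-teardown line(s) ignored")
    for (a_ip, a_port, b_ip, proto), row in top_talkers(totals):
        print(f"{proto} {a_ip}/{a_port} <-> {b_ip}: "
              f"{row['flows']} flow(s), {row['bytes']} bytes, {row['seconds']} s")
```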
From: E. <rv...@wa...> - 2003-04-28 18:07:04
|
On Sun, Apr 27, 2003 at 11:31:44PM +0200, Friedhelm Duesterhoeft wrote:
Hi,
> thanx for your reply. Please find attached some sample logs (only PIX-6
> lines). I think the sample should include all sorts - at least all I'm
> interested in at the moment ;-). At first view there are not too many
> variations so I hope it's not very hard for you to build the regexps
> required.
> It would be nice if you could include pix info level parsing in one of the
> next releases. Wflogs rocks - thanks a lot for your efforts!
Please have a look at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm
As you can see, one can spend some time sorting out meaningful messages
for wflogs... :-/
Friedhelm, if you (or someone else) want to gather all error messages
that should be treated by wflogs, I would be glad to do the parsing as
quickly as possible.
Hervé
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
|
|
From: Herve E. <rv...@wa...> - 2003-04-27 00:45:51
|
On Thu, Apr 24, 2003 at 11:33:06PM +0200, Friedhelm Duesterhoeft wrote:
> Hi,
> I'm logging at info level with my pix. At this level bytes transferred are
> logged, however adding --datalen=yes only gives me "length 0" entries in the
> report. It seems, you are not evaluating PIX-6 lines.
Yes, probably not. Only PIX-4 and PIX-5 seem to be currently supported.
> If it's not a bug do you plan to parse these lines also in later releases?
Please provide some link to the format "grammar" for PIX-6 or with
representative examples of what the PIX-6 format can be, and it's likely
that it may be supported in the next release if it's as easy to parse as
PIX 4 and 5.
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
|
|
From: Friedhelm D. <fd...@ms...> - 2003-04-24 21:33:14
|
Herve,
I'm logging at info level with my pix. At this level bytes transferred are
logged, however adding --datalen=yes only gives me "length 0" entries in the
report. It seems, you are not evaluating PIX-6 lines.
If it's not a bug do you plan to parse these lines also in later releases?
Any comments greatly appreciated.
Thanks,
Friedhelm
|
|
From: Herve E. <rv...@wa...> - 2003-04-07 10:31:55
|
Hi!
here's new version wflogs-0.9.5, the firewall log analyser of
the WallFire project.
Its main evolution is the introduction of real-time and interactive
modes (-R and -I options), which can be combined for advanced
real-time monitoring (a la 'tail -f').
Changes from 0.9.4:
* New realtime mode ('-R' option).
* New interactive mode ('-I' option).
* Added new configure option --with-default-logfile, which allows
specifying the built-in default logfile.
* Added display of ECE and CWR tcp flags.
Bugfixes from 0.9.4:
* Fixed a bug which prevented snort input module from working properly (snort
module does not set any input or output interface fields).
* Fixed pix input module which works now properly with every pix version
format.
Download:
http://www.wallfire.org/download/wflogs-0.9.5.tar.gz
http://www.wallfire.org/download/wflogs-0.9.5.tar.bz2
http://www.wallfire.org/download/debian/wflogs_0.9.5-1_i386.deb
Debian binary packages are made for woody, but should also work on sid.
Remember that you need the latest version of wfnetobjs in order
to compile wfconvert and wflogs. Read the INSTALL instructions in both
source trees.
wfnetobjs is available at:
http://www.wallfire.org/wfnetobjs/
Both source trees must be untarred from the same directory, and
you'll have to rename wfnetobjs-version to wfnetobjs, or create a
symbolic link.
You may also consider using wflogs with libadns (an asynchronous DNS
resolution library), which speeds things up greatly on large log files.
You can find it at:
http://www.chiark.greenend.org.uk/~ian/adns/
homepage:
http://www.wallfire.org//
General information about the WallFire project can be found at:
http://www.wallfire.org/
Happy firewalling,
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
|
|
From: Herve E. <rv...@wa...> - 2003-02-21 15:55:06
|
On Fri, Feb 21, 2003 at 08:37:23AM -0500, Tim Sailer wrote:
> Thanks to Herve, I actually started getting some output from this
> thing. Now, just a few comments, for the Pix, I can't tell if the
> line I'm looking at was allowed or denied, and the order is all
> scrambled, timewise. Should I sort the output somehow to get that?
By default, output is summarized (that's why it appears scrambled), and
not sorted. I just added a comment in the manpage to make things clearer.
I wonder if we should not sort by default. What do you guys think?
$ wflogs --sort=help
Available sort keys:
branchname
chainlabel
[...]
Default sort key: -count,time,dipaddr,protocol,dport
So, you can use the sort criteria you want.
> How do I tell if the processed line was denied?
Oh, yes. This information (for the cisco pix) is detailed in branchname.
So you have to enable the branchname display, through the "branch" output
module option.
So, use:
$ wflogs -i cisco_pix --branch=yes yourfile # text output module is assumed
or
$ wflogs -i cisco_pix -o html --branch yourfile # =yes is assumed
Maybe we should enable these options by default, don't you think?
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
|
|
From: Tim S. <tp...@bu...> - 2003-02-21 13:38:47
|
Thanks to Herve, I actually started getting some output from this
thing. Now, just a few comments, for the Pix, I can't tell if the
line I'm looking at was allowed or denied, and the order is all
scrambled, timewise. Should I sort the output somehow to get that?
How do I tell if the processed line was denied?
Tim
--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer >< Coastal Internet, Inc. <<
>> Network and Systems Operations >< PO Box 671 <<
>> http://www.buoy.com >< Ridge, NY 11961 <<
>> tp...@bu... >< (631) 924-3728 (888) 924-3728 <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|
|
From: Tim S. <tp...@bu...> - 2003-02-20 20:52:44
|
On Thu, Feb 20, 2003 at 08:49:03PM +0100, Herve Eychenne wrote:
> > Feb 19 00:13:41 pike.local %PIX-2-106006: Deny inbound UDP from 181.30.226.168/1030 to 192.168.1.179/137 on interface outside
>
> Ok, I see exactly what's going on. I didn't exactly rely on the same
> format files as you. You (or I) have really no luck, I'm sorry. ;-)
> But I come with a temporary solution, so I hope you'll forgive me.
>
> I'm very interested in your feedback.
> Don't hesitate if you have other problems.
>
> ****************
> For snort:
>
> wflogs expects a snort log coming from syslog... so maybe I should do
> something to also recognize directly generated alert files...
> That will certainly be in the next release...
> But for the moment, you could try to log it to syslog, or write a short
> perl script to add "syslog information" to your lines in order to
> parse them correctly. Here's the little one I just wrote:
> (note that it requires libtime-piece-perl)
>
> $ cat snortalert2syslog
> #!/usr/bin/perl -w
> use Time::Piece;
> while (<>) {
> my ($str) = ($_ =~ /^([^.]*)\./);
> my $t = Time::Piece->strptime($str, "%m/%d-%T");
> print $t->strftime("%b %d %T"), " myhost snort: $_\n";
> }
>
> But it isn't sufficient, as a little too much paranoia in the current
> checks prevent this from working (though this will be fixed in the
> next release). So for the moment you have to turn off the strict checking.
>
> So, for the moment, use:
> $ ./snortalert2syslog < yoursnortlogs | wflogs --strict-parsing=loose -i snort -
OK, that should work.
> ****************
>
> For Pix:
>
> wflogs expects ": PIX-". Well, it's because my working test file is
> PIX-4, and yours is PIX-2. However, expecting only " PIX-" (without
> ':') does the job. This will be fixed in the next release as well.
>
> So, for the moment, use:
> $ sed 's/ %PIX-/:&/' < yourpixlogs | wflogs -i cisco_pix -
OK, thanks.
Tim
--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer >< Coastal Internet, Inc. <<
>> Network and Systems Operations >< PO Box 671 <<
>> http://www.buoy.com >< Ridge, NY 11961 <<
>> tp...@bu... >< (631) 924-3728 (888) 924-3728 <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|
|
From: Herve E. <rv...@wa...> - 2003-02-20 19:47:05
|
On Thu, Feb 20, 2003 at 11:55:09AM -0500, Tim Sailer wrote:
> > > I have logs from 2 sources I want to look at, snort (1.9.0 from a Debian
> > > box) and Pix, from a Pix 535. wflogs doesn't seem to know how to read
> > > either of the logs. I'm using the alert file fril snort, and remote
> > > syslog entries from the Pix. Does anyone have pointers?
> >
> > What exact command line are you using for each file?
> two tries for snort,
> wflogs -i snort /var/log/snort/alert | wflogs -i any /var/log/snort/alert
>
> and a similar commandline for the Pix.
> > You can also join one line of each file for test purpose, if needed...
> OK, from snort:
>
> 02/20-11:53:08.057888 [**] [1:1287:5] WEB-IIS scripts access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 63.240.211.155:12245 -> 192.168.1.1:80
>
> > From Pix:
>
> Feb 19 00:13:41 pike.local %PIX-2-106006: Deny inbound UDP from 181.30.226.168/1030 to 192.168.1.179/137 on interface outside
Ok, I see exactly what's going on. I didn't exactly rely on the same
format files as you. You (or I) have really no luck, I'm sorry. ;-)
But I come with a temporary solution, so I hope you'll forgive me.
I'm very interested in your feedback.
Don't hesitate if you have other problems.
****************
For snort:
wflogs expects a snort log coming from syslog... so maybe I should do
something to also recognize directly generated alert files...
That will certainly be in the next release...
But for the moment, you could try to log it to syslog, or write a short
perl script to add "syslog information" to your lines in order to
parse them correctly. Here's the little one I just wrote:
(note that it requires libtime-piece-perl)
$ cat snortalert2syslog
#!/usr/bin/perl -w
use Time::Piece;
while (<>) {
    chomp;                                  # drop the newline; it is added back below
    my ($str) = ($_ =~ /^([^.]*)\./);       # "02/20-11:53:08" from "02/20-11:53:08.057888 ..."
    next unless defined $str;               # skip blank or continuation lines
    my $t = Time::Piece->strptime($str, "%m/%d-%T");
    print $t->strftime("%b %d %T"), " myhost snort: $_\n";
}
But it isn't sufficient, as a little too much paranoia in the current
checks prevent this from working (though this will be fixed in the
next release). So for the moment you have to turn off the strict checking.
So, for the moment, use:
$ ./snortalert2syslog < yoursnortlogs | wflogs --strict-parsing=loose -i snort -
****************
For Pix:
wflogs expects ": PIX-". Well, it's because my working test file is
PIX-4, and yours is PIX-2. However, expecting only " PIX-" (without
':') does the job. This will be fixed in the next release as well.
So, for the moment, use:
$ sed 's/ %PIX-/:&/' < yourpixlogs | wflogs -i cisco_pix -
Herve
--
_
(°= Hervé Eychenne
//)
v_/_ WallFire project: http://www.wallfire.org/
|
|
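Hervé's two workarounds above (the Perl snortalert2syslog script and the sed one-liner for the PIX lines), as one added example in Python. This is not code from the thread or from wflogs, and whether wflogs then accepts the output still depends on --strict-parsing=loose as described above; the example only does the text rewrite. The sample input is the two lines Tim posted plus two constructed ones, and the host name "myhost" is the same placeholder the Perl script uses. Two things the quick scripts do not handle are covered: the alert file carries no year, so the caller passes one instead of silently getting 1970 from strptime, and the ':' insertion is idempotent, so a file that was already fixed once is not turned into "host:: %PIX-" on a second pass.

```python
import re
from datetime import datetime

# Sample input: the snort 'alert' line and the PIX line Tim posted in the
# thread, plus two constructed lines (a blank line, as found between alerts
# in a full-format alert file, and a PIX line that already went through the
# sed fix once).
SAMPLE_LINES = [
    "02/20-11:53:08.057888 [**] [1:1287:5] WEB-IIS scripts access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 63.240.211.155:12245 -> 192.168.1.1:80",
    "Feb 19 00:13:41 pike.local %PIX-2-106006: Deny inbound UDP from 181.30.226.168/1030 to 192.168.1.179/137 on interface outside",
    "",
    "Feb 19 00:13:42 pike.local: %PIX-2-106006: Deny inbound UDP from 181.30.226.168/1030 to 192.168.1.179/137 on interface outside",
]

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
SNORT_TS_RE = re.compile(r"^(\d{2})/(\d{2})-(\d{2}:\d{2}:\d{2})(?:\.\d+)?\s")
PIX_MARK = " %PIX-"

def snort_alert_to_syslog(line, year, host="myhost"):
    """Prefix a snort alert-file line with a syslog-style
    "Mon dd hh:mm:ss host snort:" header, keeping the original line after it
    (the same thing Herve's Perl script does). The alert file carries no
    year, so the caller supplies it; a line without a leading timestamp or
    with an impossible date (02/30) returns None."""
    line = line.rstrip("\r\n")
    m = SNORT_TS_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(f"{year}/{m.group(1)}/{m.group(2)}-{m.group(3)}", "%Y/%m/%d-%H:%M:%S")
    except ValueError:
        return None
    # syslog space-pads the day of month ("Feb  9"), so do the same; the
    # month table avoids a locale-dependent %b
    return f"{MONTHS[ts.month - 1]} {ts.day:2d} {ts.strftime('%H:%M:%S')} {host} snort: {line}"

def pix_add_colon(line):
    """Same rewrite as `sed 's/ %PIX-/:&/'`, but idempotent: a line that
    already reads "host: %PIX-" is returned unchanged. Non-PIX lines return
    None."""
    line = line.rstrip("\r\n")
    if PIX_MARK not in line:
        return None
    if ":" + PIX_MARK in line:
        return line
    return line.replace(PIX_MARK, ":" + PIX_MARK, 1)

def normalize(lines, year, host="myhost"):
    """Route each line to the right fixer; returns (fixed lines, skipped count)."""
    fixed, skipped = [], 0
    for line in lines:
        out = pix_add_colon(line) if PIX_MARK in line else snort_alert_to_syslog(line, year, host)
        if out is None:
            skipped += 1
        else:
            fixed.append(out)
    return fixed, skipped

if __name__ == "__main__":
    import sys
    # usage: python3 fixlogs.py < alert | wflogs --strict-parsing=loose -i snort -
    # (reads the embedded sample when run without piped input)
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for out_line in normalize(source, datetime.now().year)[0]:
        print(out_line)
```

Lines read from a file or a pipe keep their newline, which is why both fixers rstrip before matching; that also makes the script safe on logs pulled from a Windows syslog collector with CRLF endings.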
From: Tim S. <tp...@bu...> - 2003-02-20 16:56:18
|
On Thu, Feb 20, 2003 at 05:42:09PM +0100, Herve Eychenne wrote:
> On Thu, Feb 20, 2003 at 11:20:41AM -0500, Tim Sailer wrote:
>
> Hi,
>
> > I have logs from 2 sources I want to look at, snort (1.9.0 from a Debian
> > box) and Pix, from a Pix 535. wflogs doesn't seem to know how to read
> > either of the logs. I'm using the alert file fril snort, and remote
> > syslog entries from the Pix. Does anyone have pointers?
>
> What exact command line are you using for each file?
two tries for snort,
wflogs -i snort /var/log/snort/alert | wflogs -i any /var/log/snort/alert
and a similar commandline for the Pix.
> You can also join one line of each file for test purpose, if needed...
OK, from snort:
02/20-11:53:08.057888 [**] [1:1287:5] WEB-IIS scripts access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 63.240.211.155:12245 -> 192.168.1.1:80
From Pix:
Feb 19 00:13:41 pike.local %PIX-2-106006: Deny inbound UDP from 181.30.226.168/1030 to 192.168.1.179/137 on interface outside
--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer >< Coastal Internet, Inc. <<
>> Network and Systems Operations >< PO Box 671 <<
>> http://www.buoy.com >< Ridge, NY 11961 <<
>> tp...@bu... >< (631) 924-3728 (888) 924-3728 <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|