Firewall log analysis

June 12, 2004 4:06:02 PM

Archived from groups: comp.security.firewalls (More info?)

Hi,

I have a Sonicwall firewall which sends me a log each morning via email. I paste the log into Excel, save it then sort on source URL. An example
of log entries showing the important parts is below:-

Date & Time Result Source URL
2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN
2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN
2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN
2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN

I get 80-100 entries per day, which isn't many I know, but over a month this adds up to about 2,500+ entries which take a while to go through. What
I am looking for is patterns of probes which I then report to abuse@x.y.z asking for the probes to be stopped. To get to the abuse@x.y.z address I
look up the details on www.dnsstuff.com. Doing this multiple times each day can be tedious and it is not immediately obvious that, for example,
source URLs 66.139.x.y and 69.44.x.y are all connected to the same ISP.

How do you deal with the firewall logs?

What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
exist?

TIA.
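An added example (Python; not from the original post and not a SonicWall tool) of the summary the poster is asking for: it parses lines in the e-mailed format quoted above, groups them by source address, optionally drops sources seen only once, and maps each address to a provider and abuse contact. The "Source URL" column actually carries IP addresses, so grouping is done on the address. The netblock table and every name and mailbox in it are hypothetical stand-ins for the whois/dnsstuff lookup (a real run would fill it from whois), and the log lines are constructed to match the quoted format; two separate prefixes deliberately map to one provider, which is the case the poster found hard to spot by sorting on the bare address.

```python
"""Summarise dropped-packet lines from a SonicWall e-mail log by source
address and by the network the address belongs to.

Added example, not part of the original post.  SAMPLE_LOG is constructed
to match the format quoted in the thread; NETBLOCKS is a hypothetical
stand-in for the whois / dnsstuff lookup the poster does by hand.
"""
import re
import ipaddress
from collections import defaultdict

# Constructed sample of the e-mailed log (same shape as the thread's lines).
# For ICMP the third field is the ICMP type (8 = echo request), not a port.
SAMPLE_LOG = """\
2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN
2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN
2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN
2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN
2004/06/11 11:02:41.110 TCP connection dropped - Source:203.129.200.7, 1512, WAN
2004/06/11 11:03:02.018 TCP connection dropped - Source:203.129.200.7, 1513, WAN
2004/06/12 08:15:20.330 UDP packet dropped - Source:66.139.10.4, 1434, WAN
2004/06/12 08:15:21.001 UDP packet dropped - Source:69.44.7.9, 1434, WAN
"""

# Hypothetical netblock table standing in for whois results (names and
# mailboxes are invented).  Two prefixes map to one provider on purpose.
NETBLOCKS = {
    "203.129.200.0/24": ("Example Telecom AP", "abuse@example-ap.invalid"),
    "218.217.0.0/16":   ("Example Net JP",     "abuse@example-jp.invalid"),
    "66.139.0.0/16":    ("Example ISP US",     "abuse@example-us.invalid"),
    "69.44.0.0/16":     ("Example ISP US",     "abuse@example-us.invalid"),
}
_NETS = [(ipaddress.ip_network(k), v) for k, v in NETBLOCKS.items()]

LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<proto>TCP|UDP|ICMP) (?:packet|connection) dropped - "
    r"Source:(?P<src>\d{1,3}(?:\.\d{1,3}){3}), (?P<port>\d+), (?P<iface>\w+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            yield rec


def lookup_isp(src):
    """Longest-prefix match against the (hypothetical) netblock table."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, info in _NETS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else ("unknown", None)


def summarise(text, min_hits=1):
    """Return rows (isp, abuse, src, hits, first_seen, last_seen, protos)
    sorted by ISP name, then source address, then first timestamp.
    Sources seen fewer than min_hits times are left out, so a single
    stray packet never turns into an abuse report."""
    by_src = defaultdict(list)
    for rec in parse_log(text):
        by_src[rec["src"]].append(rec)
    rows = []
    for src, recs in by_src.items():
        if len(recs) < min_hits:
            continue
        isp, abuse = lookup_isp(src)
        stamps = sorted(r["date"] + " " + r["time"] for r in recs)
        protos = sorted({r["proto"] for r in recs})
        rows.append((isp, abuse, src, len(recs), stamps[0], stamps[-1], protos))
    rows.sort(key=lambda r: (r[0], ipaddress.ip_address(r[2]), r[4]))
    return rows


if __name__ == "__main__":
    for isp, abuse, src, hits, first, last, protos in summarise(SAMPLE_LOG, min_hits=2):
        print(f"{isp:18} {abuse or '-':26} {src:16} {hits:3} {first} .. {last} {'/'.join(protos)}")
```

Run it on the e-mailed log pasted into a file instead of SAMPLE_LOG and raise min_hits to whatever you consider a pattern; the ISP column is only as good as the netblock table, so refresh it from whois rather than trusting stale entries.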

Anonymous
June 12, 2004 4:06:03 PM

JC <jhoppyc@westnet.com.invalid> squirted these wordjisms deep inside
the bumtube of the newstwat in
news:bemkc097764aq8tvurfa5akqn8777ttslh@4ax.com:

> Hi,
>
> I have a Sonicwall firewall which sends me a log each morning via
> email. I paste the log into Excel, save it then sort on source URL.
> An example of log entries showing the important parts is below:-
>
> Date & Time Result Source URL
> 2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN
> 2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN
> 2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN
> 2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN
>
> I get 80-100 entries per day, which isn't many I know, but over a
> month this adds up to about 2,500+ entries which take a while to go
> through. What I am looking for is patterns of probes which I then
> report to abuse@x.y.z asking for the probes to be stopped. To get
> to the abuse@x.y.z address I look up the details on www.dnsstuff.com.
> Doing this multiple times each day can be tedious and it is not
> immediately obvious that, for example, source URLs 66.139.x.y and
> 69.44.x.y are all connected to the same ISP.
>
> How do you deal with the firewall logs?
>
> What would be useful would be a program that will read the log file,
> preferably in XLS format, and spit out a summary along the lines of
> ISP Name, Abuse email address, Source URL, Date & Time sorted on ISP
> name, Source URL and Date & Time if multiple entries are detected.
> Does such a program exist?
>
> TIA.
>
>

If you used ZoneAlarm then VisualZone would interpret the logs for you.
Visualzone looks up intruder IPs and other info, and has a button that
will format the results into a template email which you can send to the
abuse or AUP dept of the ISP concerned. You can lookup the IP address on
spamcop to see if they are known pests, send a report to DShield, and
check which ports they were hitting easily using buttons. It has a whole
host of other features too.

However, unfortunately I don't know of a similar application which does
the same for your firewall.

--
*********************************
> David Qunt
>
****************************************************
June 12, 2004 4:06:03 PM

While it doesn't offer all the features you ask for, you can get some
nice log analysis in linklogger. (www.linklogger.com)


Brad


On Sat, 12 Jun 2004 12:06:02 +1000, JC <jhoppyc@westnet.com.invalid>
wrote:

>Hi,
>
>I have a Sonicwall firewall which sends me a log each morning via email. I paste the log into Excel, save it then sort on source URL. An example
>of log entries showing the important parts is below:-
>
> Date & Time Result Source URL
>2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN
>2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN
>2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN
>2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN
>
>I get 80-100 entries per day, which isn't many I know, but over a month this adds up to about 2,500+ entries which take a while to go through. What
>I am looking for is patterns of probes which I then report to abuse@x.y.z asking for the probes to be stopped. To get to the abuse@x.y.z address I
>look up the details on www.dnsstuff.com. Doing this multiple times each day can be tedious and it is not immediately obvious that, for example,
>source URLs 66.139.x.y and 69.44.x.y are all connected to the same ISP.
>
>How do you deal with the firewall logs?
>
>What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
>Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
>exist?
>
>TIA.
Anonymous
June 12, 2004 4:06:03 PM

>
> How do you deal with the firewall logs?
>
> What would be useful would be a program that will read the log file,
preferably in XLS format, and spit out a summary along the lines of ISP
Name,
> Abuse email address, Source URL, Date & Time sorted on ISP name, Source
URL and Date & Time if multiple entries are detected. Does such a program
> exist?
>

Yes, there are some programs out there.
I believe what you are looking for is something like this Add-On to the
SmoothWall:
http://community.smoothwall.org/forum/viewtopic.php?t=6...

It uses already known information about known aggressive addresses, and in
case the program detects something "new" also submits it so that others can
have their systems updated to stop the activities.

If you are running SNORT, there is also another Add-On to the Smoothwall
which may be of interest. I have installed it, and if you should try to
port-scan me you will find that my network just disappears from your view
for a pre-set number of days.
Look here: http://community.smoothwall.org/forum/viewtopic.php?t=5...

The nice thing about these functions is that when they are there, you do
not have to do anything more, the FW itself will be active and adaptive
towards threats and unwanted activities.

JMM
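As an added illustration of the adaptive blocking JMM describes (example code in Python, not the Smoothwall or Snort add-on's own logic, which the post does not show): a source that touches more than a set number of distinct destination ports within a short window goes onto a block list with an expiry, and is released on its own once the preset number of days has passed. The event format (timestamp, source address, destination port), the thresholds and the addresses are assumptions; the SonicWall lines quoted earlier carry only the source port, so a real deployment would feed this from a log that records the destination port. The events are constructed.

```python
"""Timed port-scan block list, in the spirit of the Smoothwall/Snort
add-on described above.  Added example, not Smoothwall's or Snort's code;
the event format, thresholds and addresses are assumptions and the events
in run_sample() are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PORT_THRESHOLD = 5                 # more than this many distinct ports ...
WINDOW = timedelta(seconds=60)     # ... inside this window counts as a scan
BLOCK_FOR = timedelta(days=3)      # how long the source stays dark


class ScanBlocker:
    """Sliding window of (timestamp, dport) per source, plus active blocks
    keyed by source with their expiry time."""

    def __init__(self):
        self.recent = defaultdict(deque)   # src -> deque of (ts, dport)
        self.blocked = {}                  # src -> expiry datetime

    def is_blocked(self, src, ts):
        expiry = self.blocked.get(src)
        if expiry is None:
            return False
        if ts >= expiry:
            del self.blocked[src]          # block aged out: release it
            return False
        return True

    def observe(self, ts, src, dport):
        """Process one dropped-packet event (events must arrive in time
        order).  Returns 'blocked' (source already dark), 'new-block'
        (threshold crossed on this event) or 'pass'."""
        if self.is_blocked(src, ts):
            return "blocked"
        window = self.recent[src]
        window.append((ts, dport))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()               # forget hits older than WINDOW
        if len({p for _, p in window}) > PORT_THRESHOLD:
            self.blocked[src] = ts + BLOCK_FOR
            window.clear()
            return "new-block"
        return "pass"


def run_sample():
    """Constructed events: one host sweeping six ports in six seconds, one
    host retrying a single port, and the sweeper coming back an hour and
    then four days later.  Returns [(src, verdict), ...] in time order."""
    t0 = datetime(2004, 6, 11, 9, 0, 0)
    events = [(t0 + timedelta(seconds=i), "198.51.100.7", p)
              for i, p in enumerate([21, 22, 23, 25, 80, 110])]
    events += [(t0 + timedelta(seconds=10 * i), "203.0.113.9", 80) for i in range(3)]
    events += [(t0 + timedelta(hours=1), "198.51.100.7", 443),
               (t0 + timedelta(days=4), "198.51.100.7", 443)]
    events.sort(key=lambda e: e[0])
    blocker = ScanBlocker()
    return [(src, blocker.observe(ts, src, dport)) for ts, src, dport in events]


if __name__ == "__main__":
    for src, verdict in run_sample():
        print(f"{src:16} {verdict}")
```

The expiry is the part that matters operationally: a block that never lapses will eventually hit an address that has been reassigned to someone else, while a lapsing one costs nothing if the scanner comes back, because it simply trips the threshold again.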
Anonymous
June 12, 2004 8:08:17 PM

On Sat, 12 Jun 2004 12:06:02 +1000, JC spoketh

>
>How do you deal with the firewall logs?
>
>What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
>Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
>exist?
>
>TIA.

I doubt such a program exists. Firewall log analyzers are available
that'll show daily traffic trends (blocked inbound/outbound and where
traffic is going). However, I know of none that'll look up abuse e-mail
addresses and/or check which ISP an IP address is associated with.

For better logging with the Sonicwall, I recommend using a syslog
server. You can either set up a linux box to do this, or get a free copy
of Kiwi Syslog Daemon from www.kiwisyslog.com. With this, you can log to
any ODBC database you want, and with some skills, you can create reports
(e.g. in MS Access) to tell you what's going on...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
June 12, 2004 8:08:18 PM

On Sat, 12 Jun 2004 16:08:17 GMT, Lars M. Hansen <badnews@hansenonline.net>
wrote:

>On Sat, 12 Jun 2004 12:06:02 +1000, JC spoketh
>
>>
>>How do you deal with the firewall logs?
>>
>>What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
>>Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
>>exist?
>>
>>TIA.
>
>I doubt such a program exists. Firewall log analyzers are available
>that'll show daily traffic trends (blocked inbound/outbound and where
>traffic is going). However, I know of none that'll look up abuse e-mail
>addresses and/or check which ISP an IP address is associated with.
>
>For better logging with the Sonicwall, I recommend using a syslog
>server. You can either set up a linux box to do this, or get a free copy
>of Kiwi Syslog Daemon from www.kiwisyslog.com. With this, you can log to
>any ODBC database you want, and with some skills, you can create reports
>(e.g. in MS Access) to tell you what's going on...
>
>Lars M. Hansen
>www.hansenonline.net
>Remove "bad" from my e-mail address to contact me.
>"If you try to fail, and succeed, which have you done?"

Use the firewall logging program of your choice, and extract the IP address in
question.

Use TESP AbuseReporter <http://www.tesp.com/abounce/> to help you find out all
details about the responsible ISP, to make a cleanly formatted and informative
report, and to email the report.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
Anonymous
June 12, 2004 9:06:48 PM

Lars M. Hansen <badnews@hansenonline.net> wrote in
news:o o9mc0p5s71i88jh8nlm6in3ra2d11qdpq@4ax.com:

> On Sat, 12 Jun 2004 12:06:02 +1000, JC spoketh
>
>>
>>How do you deal with the firewall logs?
>>
>>What would be useful would be a program that will read the log file,
>>preferably in XLS format, and spit out a summary along the lines of
>>ISP Name, Abuse email address, Source URL, Date & Time sorted on ISP
>>name, Source URL and Date & Time if multiple entries are detected.
>>Does such a program exist?
>>
>>TIA.
>
> I doubt such a program exists. Firewall log analyzers are available
> that'll show daily traffic trends (blocked inbound/outbound and where
> traffic is going). However, I know of none that'll look up abuse
> e-mail addresses and/or check which ISP an IP address is associated
> with.
>
> For better logging with the Sonicwall, I recommend using a syslog
> server. You can either set up a linux box to do this, or get a free
> copy of Kiwi Syslog Daemon from www.kiwisyslog.com. With this, you can
> log to any ODBC database you want, and with some skills, you can
> create reports (e.g. in MS Access) to tell you what's going on...
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"

I have to agree here. I use the Kiwi Syslog Daemon. I am very impressed
with it. I may get into using SQL Server and Crystal Report.

Duane :) 
Anonymous
June 12, 2004 9:49:15 PM

Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
inside the bumtube of the newstwat in
news:o o9mc0p5s71i88jh8nlm6in3ra2d11qdpq@4ax.com:

> On Sat, 12 Jun 2004 12:06:02 +1000, JC spoketh
>
>>
>>How do you deal with the firewall logs?
>>
>>What would be useful would be a program that will read the log file,
>>preferably in XLS format, and spit out a summary along the lines of
>>ISP Name, Abuse email address, Source URL, Date & Time sorted on ISP
>>name, Source URL and Date & Time if multiple entries are detected.
>>Does such a program exist?
>>
>>TIA.
>
> I doubt such a program exists. Firewall log analyzers are available
> that'll show daily traffic trends (blocked inbound/outbound and where
> traffic is going). However, I know of none that'll look up abuse
> e-mail addresses and/or check which ISP an IP address is associated
> with.
>
> For better logging with the Sonicwall, I recommend using a syslog
> server. You can either set up a linux box to do this, or get a free
> copy of Kiwi Syslog Daemon from www.kiwisyslog.com. With this, you can
> log to any ODBC database you want, and with some skills, you can
> create reports (e.g. in MS Access) to tell you what's going on...
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"
>


Such a program exists for ZoneAlarm, it's called VisualZone. Not sure
about Sonicwall, though.

--
*********************************
> David Qunt
>
****************************************************
Anonymous
June 12, 2004 9:49:52 PM

On Sat, 12 Jun 2004 17:49:15 GMT, David Qunt spoketh

>
>Such a program exists for ZoneAlarm, it's called VisualZone. Not sure
>about Sonicwall, though.

ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
network firewall. Hardly a comparison...

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
June 14, 2004 3:29:00 AM

Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
inside the bumtube of the newstwat in
news:rfgmc0916lut4sl36gr987pbop74t10al2@4ax.com:

> On Sat, 12 Jun 2004 17:49:15 GMT, David Qunt spoketh
>
>>
>>Such a program exists for ZoneAlarm, it's called VisualZone. Not sure
>>about Sonicwall, though.
>
> ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
> network firewall. Hardly a comparison...
>
> Lars M. Hansen
> www.hansenonline.net
> Remove "bad" from my e-mail address to contact me.
> "If you try to fail, and succeed, which have you done?"
>


Thanks for pointing that out.

However, I wasn't making a comparison, just pointing something out.

The point is, there may be something similar for Sonicwall.

--
*********************************
> David Qunt
>
****************************************************
Anonymous
June 14, 2004 3:29:58 AM

"David Qunt" <davidqunt@hotmail.com> wrote in message
news:Xns9507EF38CC249000oooQuntooo000@62.253.162.202...
> Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
> inside the bumtube of the newstwat in
> news:rfgmc0916lut4sl36gr987pbop74t10al2@4ax.com:
>
> > On Sat, 12 Jun 2004 17:49:15 GMT, David Qunt spoketh
> >
> >>
> >>Such a program exists for ZoneAlarm, it's called VisualZone. Not sure
> >>about Sonicwall, though.
> >
> > ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
> > network firewall. Hardly a comparison...
> >
> > Lars M. Hansen
> > www.hansenonline.net
> > Remove "bad" from my e-mail address to contact me.
> > "If you try to fail, and succeed, which have you done?"
> >
>
>
> Thanks for pointing that out.
>
> However, I wasn't making a comparison, just pointing something out.
>
> The point is, there may be something similar for Sonicwall.
>
> --
> *********************************
> > David Qunt
> >
> ****************************************************
Anonymous
June 14, 2004 3:35:04 AM

"David Qunt" <davidqunt@hotmail.com> wrote in message
news:Xns9507EF38CC249000oooQuntooo000@62.253.162.202...
> Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
> inside the bumtube of the newstwat in
> news:rfgmc0916lut4sl36gr987pbop74t10al2@4ax.com:
>
> > On Sat, 12 Jun 2004 17:49:15 GMT, David Qunt spoketh
> >
> >>
> >>Such a program exists for ZoneAlarm, it's called VisualZone. Not sure
> >>about Sonicwall, though.
> >
> > ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
> > network firewall. Hardly a comparison...
> >
> > Lars M. Hansen
> > www.hansenonline.net
> > Remove "bad" from my e-mail address to contact me.
> > "If you try to fail, and succeed, which have you done?"
> >
>
>
> Thanks for pointing that out.
>
> However, I wasn't making a comparison, just pointing something out.
>
> The point is, there may be something similar for Sonicwall.

http://www.kiwisyslog.com

It was pointed out and it works with several brands of FW appliances and
routers.

Duane :) 
Anonymous
June 14, 2004 7:19:38 PM

You might want to consider SonicLogger at http://www.SonicLogger.com for
your SonicWall.

Blake
Anonymous
June 14, 2004 8:43:54 PM

JC wrote:


> What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
> Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
> exist?
>
> TIA.
>

Set up the sonicwall to use a syslog server (I believe ALL models
support this - I have done it with soho3, pro200 and pro4060 models)

Use kiwi syslogd as the syslog server (do google search for it - free
download) - can save data in many formats. Including CSV to allow easy
import to excel.

Use Kiwi syslog analyzer to sort the logs for you.

--
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
May be copied freely without the express permission of T. Sean Weintz.
T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
Anonymous
June 14, 2004 8:45:00 PM

David Qunt wrote:

>
> If you used ZoneAlarm then VisualZone would interpret the logs for you.

Good idea, replace a high end hardware firewall with a low end software
based one.

Geez.


--
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
May be copied freely without the express permission of T. Sean Weintz.
T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
Anonymous
June 14, 2004 8:47:29 PM

David Qunt wrote:

> Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep

> Thanks for pointing that out.
>
> However, I wasn't making a comparison, just pointing something out.
>
> The point is, there may be something similar for Sonicwall.
>

look at www.mynetwatchman.org. They have a client that reads sonicwall
entries saved by kiwi syslog, and automatically sends complaints for you.


--
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
May be copied freely without the express permission of T. Sean Weintz.
T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
Anonymous
June 15, 2004 2:47:31 AM

Chuck wrote:


> Use TESP AbuseReporter <http://www.tesp.com/abounce/> to help you find out
> all details about the responsible ISP, to make a cleanly formatted and
> informative report, and to email the report.

If you are lucky you'll only bore the average ISP sysadmin to death with
those automated abuse reports. If you are unlucky they might send you a bill
for wasting their time since these people normally have other things to do
than to deal with the protocol excerpts of paranoid people who run packet
filters and are unable to make up their minds themselves about the
relevance of the output.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel
Anonymous
June 15, 2004 11:19:55 AM

Chuck wrote:

> On Mon, 14 Jun 2004 22:47:31 +0200, Wolfgang Kueter
> <wolfgang@shconnect.de> wrote:

>>If you are lucky you'll only bore the average ISP sysadmin to death with
>>those automated abuse reports. If you are unlucky might send you a bill
^^^^^^^^^

>>for wasting their time since these people normally have other things to do
>>than to deal with the protocol excerpts of paranoid people running who run
>>packet filters and are unable to make up thier minds themselves about the
>>relevance of the output.
^^^^^^^^^^^^^^^^^^^^^^^


> I word my notices to that effect, and only send notices when I'm probed
> repeatedly from a given address.

Obviously not what I was talking about.

Wolfgang
--
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel
June 15, 2004 11:19:56 AM

On Tue, 15 Jun 2004 07:19:55 +0200, Wolfgang Kueter <wolfgang@shconnect.de>
wrote:

>Chuck wrote:
>
>> On Mon, 14 Jun 2004 22:47:31 +0200, Wolfgang Kueter
>> <wolfgang@shconnect.de> wrote:
>
>>>If you are lucky you'll only bore the average ISP sysadmin to death with
>>>those automated abuse reports. If you are unlucky might send you a bill
> ^^^^^^^^^
>
>>>for wasting their time since these people normally have other things to do
>>>than to deal with the protocol excerpts of paranoid people running who run
>>>packet filters and are unable to make up thier minds themselves about the
>>>relevance of the output.
> ^^^^^^^^^^^^^^^^^^^^^^^
>
>
>> I word my notices to that effect, and only send notices when I'm probed
>> repeatedly from a given address.
>
>Obviously not what I was talking about.
>
>Wolfgang

Wolfgang,

So tell us what you're talking about. If it's relevant to this discussion.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
Anonymous
June 15, 2004 9:33:00 PM

"T. Sean Weintz" <sean@snerts-r-us.org> squirted these wordjisms deep
inside the bumtube of the newstwat in
news:10cs3id15e8uj5e@corp.supernews.com:

> David Qunt wrote:
>
>>
>> If you used ZoneAlarm then VisualZone would interpret the logs for you.
>
> Good idea, replace a high end hardware firewall with a low end software
> based one.
>
> Geez.
>
>

Where exactly did I say he should replace anything?

And what exactly was the purpose of your post apart from sneer?

Your next post was quite helpful, in my opinion that would have been
sufficient.

--
*********************************
> David Qunt
>
****************************************************
Anonymous
June 16, 2004 2:59:38 AM

On Mon, 14 Jun 2004 19:47:00 GMT, David Qunt spoketh

>
>
>Yes, and no put down intended to you either, but what a helpful and
>constructive post that was from Lars. Calling me on what I said without
>offering any positive suggestion or advice clearly was of no help to the
>OP in any possible way whatsoever.

If someone is looking for high-performance tires for their new Mercedes
Benz, is it helpful if someone says they know there are high-performance
tires for bikes?

The fact that something exists for a different product offers little for
those not owning that product. If you don't have an answer, either take
the time to research it (like I did), or refrain from answering.


Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
June 16, 2004 3:58:19 PM

On Wed, 16 Jun 2004 02:31:11 GMT, David Qunt spoketh

>
>As I understand it this is a public discussion forum. I tried to be as
>helpful as I could within my own limitations and knowledge.
>

I merely pointed out that it wasn't particularly helpful to say that
product A does for product B what the OP wants done with product C.

I'd absolutely encourage you to be helpful. There's nothing better than
having more people knowing and understanding computer and network
security considering how big this issue is getting. However, I'd
encourage you to research things a little more before offering your
help. It only takes 5 minutes to do a google search on the topic, and see
what you get:
http://www.google.com/search?q=sonicwall+reporting+logg...


Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
June 16, 2004 10:23:25 PM

Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
inside the bumtube of the newstwat in
news:95d0d0dm80pj2klr3qksvi5rbjhnoopk3p@4ax.com:

> On Wed, 16 Jun 2004 02:31:11 GMT, David Qunt spoketh
>
>>
>>As I understand it this is a public discussion forum. I tried to be as
>>helpful as I could within my own limitations and knowledge.
>>
>
> I merely pointed out that it wasn't particularly helpful to say that
> product A does for product B what the OP wants done with product C.
>
> I'd absolutely encourage you to be helpful. There's nothing better
> than having more people knowing and understanding computer and network
> security considering how big this issue is getting. However, I'd
> encourage you to research things a little more before offering your
> help. It only takes 5 minutes to do a google search on the topic, and see
> what you get:
> http://www.google.com/search?q=sonicwall+reporting+logg...
> G=Search&hl=en&lr=&ie=UTF-8
>
>

Encouraging me?

Hmmmm, your first response to the OP was

"I doubt such a program exists. "

Did you google to check that first? After my post pointing out one did
exist for ZoneAlarm, Duane responded by highlighting kiwisyslog.com for
several brands of FW and routers.

However, instead of responding as Duane did when he replied to my post, you
simply sniped this at me:

"ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
network firewall. Hardly a comparison..."

Encouragement was not what you were doing there, Lars, despite what you now
claim. What you did there was critically lecture me for not much more than
passing comment.

Your suggestion of googling may be valid to a certain extent. But if you
take that to its logical conclusion, any time someone asks a question
online, or tries to answer one or help out, he or she will be pointed at
google and told to piss off and look there. But never mind.

In any event, I would point out that what you said applies equally to the
OP. And you, for that matter. I would suggest that your advice for me to
google might be better directed at the OP. He is, after all, the one with
the Sonicwall firewall, and the log he wants to interpret, and the other
things he wants to do with it. He is therefore the one who was looking for
help, which is why I am slightly puzzled why you had a go at me.

I am merely a passer-by, lurking in here for any useful information, and
chipping in occasionally. I will probably be doing that less frequently in
future, despite your sudden change from lecturing to encouragement, if
this kind of exchange is the usual result.

If it's any consolation to you, there is no need to encourage me towards
google. When I am looking for an answer myself, I usually consult google as
my first port of call. That is probably why you will not find many posts
from me asking questions which have already been answered elsewhere. I
don't use google to research everything I am about to post, and I suspect
you don't either, as it is simply not practical.

I still stand by my post insofar as it was intended to be constructive,
unlike yours - even if what I said was not technically correct, it led
immediately to Duane pointing out a possible alternative that may do what
the OP requires. Which is more than you did, preferring to say instead that
you doubt such a program exists.

Still, I shall apologise for my utterly miserable failure to be 100% sure
of my facts all of the time when discussing matters online, especially
since it's a characteristic shared by about 100% of people at least some of
the time. I shall think twice about trying to help from now on, so that I
can avoid stealing 3k of your bandwidth and ruining your utopian ideal of
how you would like this newsgroup to be run if it were yours to control.

Best regards
--
*********************************
> David Qunt
>
****************************************************
Anonymous
June 16, 2004 10:35:00 PM

On Wed, 16 Jun 2004 18:23:25 GMT, David Qunt spoketh

>
>Encouraging me?
>
>Hmmmm, your first response to the OP was
>
>"I doubt such a program exists. "
>

And I still think you'll have a hard time finding a program that'll take
the Sonicwall logs (syslog or otherwise), look up who the ISP is
(accurately), find the abuse e-mail address and list it all nicely.
However, half the context is missing there, because the next few lines
says what a number of firewall log analyzers do, and it's not what the
OP describes.

>
>Did you google to check that first? After my post pointing out one did
>exist for ZoneAlarm, Duane responded by highlighting kiwisyslog.com for
>several brands of FW and routers.
>

Oddly, so did I in the second paragraph.

>
>However, instead of responding as Duane did when he replied to my post, you
>simply sniped this at me:
>
>"ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
>network firewall. Hardly a comparison..."
>
>Encouragement was not what you were doing there, Lars, despite what you now
>claim. What you did there was critically lecture me for not much more than
>passing comment.
>

Yeah, it was a snide remark. You made the same statement twice with
regards to what is available for a desktop security package which has
little relevance to original question, despite it being stated already
by myself and others that the OPs list of requirements for the software
was probably unrealistic.

>
>Your suggestion of googling may be valid to a certain extent. But if you
>take that to its logical conclusion, any time someone asks a question
>online, or tries to answer one or help out, he or she will be pointed at
>google and told to piss off and look there. But never mind.
>

I've never suggested "google or piss off", nor do I recall having seen
anyone else taking the "google is your friend" to any such extremes.

>
>In any event, I would point out that what you said applies equally to the
>OP. And you, for that matter. I would suggest that your advice for me to
>google might be better directed at the OP. He is, after all, the one with
>the Sonicwall firewall, and the log he wants to interpret, and the other
>things he wants to do with it. He is therefore the one who was looking for
>help, which is why I am slightly puzzled why you had a go at me.
>
>I am merely a passer-by, lurking in here for any useful information, and
>chipping in occasionally. I will probably be doing that less frequently in
>future, despite your sudden change from lecturing to encouragement, if
>this kind of exchange is the usual result.
>
>If it's any consolation to you, there is no need to encourage me towards
>google. When I am looking for an answer myself, I usually consult google as
>my first port of call. That is probably why you will not find many posts
>from me asking questions which have already been answered elsewhere. I
>don't use google to research everything I am about to post, and I suspect
>you don't either, as it is simply not practical.
>
>I still stand by my post insofar as it was intended to be constructive,
>unlike yours - even if what I said was not technically correct, it led
>immediately to Duane pointing out a possible alternative that may do what
>the OP requires. Which is more than you did, preferring to say instead that
>you doubt such a program exists.
>

My posts regarding this subject have been constructive, with the
exception of this pissing contest with you because you were offended by
me calling ZoneAlarm a toy...

>
>Still, I shall apologise for my utterly miserable failure to be 100% sure
>of my facts all of the time when discussing matters online, especially
>since it's a characteristic shared by about 100% of people at least some of
>the time. I shall think twice about trying to help from now on, so that I
>can avoid stealing 3k of your bandwidth and ruining your utopian ideal of
>how you would like this newsgroup to be run if it were yours to control.
>
>Best regards

whatever.

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
Anonymous
June 17, 2004 12:03:50 AM

Archived from groups: comp.security.firewalls (More info?)

Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
inside the bumtube of the newstwat in
news:7j31d01cc3njjqj3j084bsbrltm8rm9fda@4ax.com:

> On Wed, 16 Jun 2004 18:23:25 GMT, David Qunt spoketh
>
>>
>>Encouraging me?
>>
>>Hmmmm, your first response to the OP was
>>
>>"I doubt such a program exists. "
>>
>
> And I still think you'll have a hard time finding a program that'll
> take the Sonicwall logs (syslog or otherwise), look up who the ISP is
> (accurately), find the abuse e-mail address and list it all nicely.
> However, half the context is missing there, because the next few lines
> says what a number of firewall log analyzers do, and it's not what the
> OP describes.
>
>>

What you fail to understand is that I won't have a hard time finding it,
because I am not the one looking. The OP was.


>>Did you google to check that first? After my post pointing out one did
>>exist for ZoneAlam, Duane responded by highlighting kiwisyslog.com for
>>several brands of FW and routers.
>>
>
> Oddly, so did I in the second paragraph.


After making a pointless snipe at me.

>
>>
>>However, instead of responding as Duane did when he replied to my
>>post, you simply sniped this at me:
>>
>>"ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
>>network firewall. Hardly a comparison..."
>>
>>Encouragement was not what you were doing there, Lars, despite what
>>you now claim. What you did there was critically lecture me for not
>>much more than passing comment.
>>
>
> Yeah, it was a snide remark. You made the same statement twice with
> regards to what is available for a desktop security package which has
> little relevance to the original question, despite it being stated already
> by myself and others that the OP's list of requirements for the
> software was probably unrealistic.

Yes, but that was because I didn't fully appreciate the nature of
Sonicwall. I have already admitted that I posted within the limitations
of my knowledge in an attempt to be as helpful as I could. My knowledge
may not be all it should be, just as it is obvious that there is room for
improvement in your bedside manner. I was trying to be constructive, and
your motivation as far as your continuing attitude towards me is
something different entirely.

>
>>
>>Your suggestion of googling may be valid to a certain extent. But if
>>you take that to its logical conclusion, any time someone asks a
>>question online, or tries to answer one or help out, he or she will be
>>pointed at google and told to piss off and look there. But never mind.
>>
>
> I've never suggested "google or piss off", nor do I recall having seen
> anyone else taking the "google is your friend" to any such extremes.
>

Read back the part of my post which you quoted, and you'll see that I
didn't quote you as saying that at all. Note the important words, 'if you
take that to its logical conclusion'. It should be fairly obvious that
what I meant is that if everybody did what you did, you would simply have
lots of people all pointing other people towards google.


>>
>>In any event, I would point out that what you said applies equally to
>>the OP. And you, for that matter. I would suggest that your advice for
>>me to google might be better directed at the OP. He is, after all, the
>>one with the Sonicwall firewall, and the log he wants to interpret,
>>and the other things he wants to do with it. He is therefore the one
>>who was looking for help, which is why I am slightly puzzled why you
>>had a go at me.
>>
>>I am merely a passer-by, lurking in here for any useful information,
>>and chipping in occasionally. I will probably be doing that less
>>frequently in future, despite your sudden change from lecturing to
>>encouragement, if this kind of exchange is the usual result.
>>
>>If it's any consolation to you, there is no need to encourage me
>>towards google. When I am looking for an answer myself, I usually
>>consult google as my first port of call. That is probably why you will
>>not find many posts from me asking questions which have already been
>>answered elsewhere. I don't use google to research everything I am
>>about to post, and I suspect you don't either, as it is simply not
>>practical.
>>
>>I still stand by my post insofar as it was intended to be
>>constructive, unlike yours - even if what I said was not technically
>>correct, it led immediately to Duane pointing out a possible
>>alternative that may do what the OP requires. Which is more than you
>>did, preferring to say instead that you doubt such a program exists.
>>
>
> My posts regarding this subject have been constructive, with the
> exception of this pissing contest with you because you were offended
> by me calling ZoneAlarm a toy...

Show me where I said I was offended at your comments towards ZoneAlarm.
I never said I was bothered about that, and I don't particularly care
what you say about that product at all. I'm not here to defend ZoneAlarm
in the face of your clearly expressed opinion about its merits or
otherwise. I've been quite clear that I am 'puzzled' - not offended - by
your attitude in sniping at me, instead of concentrating on helping the
OP.

You do like to presume rather a lot. You were the one starting a pissing
contest, when you made a comparison between ZoneAlarm and Sonicwall -
something that I did not do, and yet you accused me of.

>
>>
>>Still, I shall apologise for my utterly miserable failure to be 100%
>>sure of my facts all of the time when discussing matters online,
>>especially since it's a characteristic shared by about 100% of people
>>at least some of the time. I shall think twice about trying to help
>>from now on, so that I can avoid stealing 3k of your bandwidth and
>>ruining your utopian ideal of how you would like this newsgroup to be
>>run if it were yours to control.
>>
>>Best regards
>
> whatever.


You just can't help yourself with the rudeness and snipes, can you? Feel
free if it makes you feel any better about your behaviour.



--
*********************************
> David Qunt
>
****************************************************
Anonymous
June 18, 2004 5:35:56 PM

Archived from groups: comp.security.firewalls (More info?)

David Qunt wrote:


>
> Where exactly did I say he should replace anything?

He made it clear he was using a Sonicwall, not ZoneAlarm. What exactly
was the purpose of telling him what he could do with ZoneAlarm if you
did not mean to imply he should use it instead of the Sonicwall?

>
> And what exactly was the purpose of your post apart from sneer?

What was your purpose, then? Your post seemed downright rude. I
responded in kind.

--
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
May be copied freely without the express permission of T. Sean Weintz.
T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
Anonymous
June 18, 2004 5:49:25 PM

Archived from groups: comp.security.firewalls (More info?)

David Qunt wrote:

> Yes, but that was because I didn't fully appreciate the nature of
> Sonicwall. I have already admitted that I posted within the limitations
> of my knowledge in an attempt to be as helpful as I could. My knowledge
> may not be all it should be, just as it is obvious that there is room for
> improvement in your bedside manner. I was trying to be constructive, and
> your motivation as far as your continuing attitude towards me is
> something different entirely.

If your knowledge on a given subject is very limited, offering words of
advice on the subject is not constructive. If you didn't know anything
about Sonicwalls the most helpful thing to do would have been to post
nothing to the thread.

--
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
May be copied freely without the express permission of T. Sean Weintz.
T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
Anonymous
June 20, 2004 7:12:09 PM

Archived from groups: comp.security.firewalls (More info?)

"T. Sean Weintz" <sean@snerts-r-us.org> squirted these wordjisms deep
inside the bumtube of the newstwat in
news:10d69vsg3hd842b@corp.supernews.com:

> David Qunt wrote:
>
>
>>
>> Where exactly did I say he should replace anything?
>
> He made it clear he was using a Sonicwall, not ZoneAlarm. What exactly
> was the purpose of telling him what he could do with ZoneAlarm if you
> did not mean to imply he should use it instead of the Sonicwall?
>

I have stated my purpose already in an earlier post. Since you fail to
understand it, I shall state it again.

I did not say he should replace Sonicwall with ZoneAlarm. Instead I was
simply suggesting that if a product existed that allowed you to interpret
logs for one firewall then it was entirely possible, and even likely, that
such a product existed for another one.

>>
>> And what exactly was the purpose of your post apart from sneer?
>
> What was your purpose, then? Your post seemed downright rude. I
> responded in kind.
>

You did not respond in kind, because my post was not rude.

--
*********************************
> David Qunt
>
****************************************************
Anonymous
June 20, 2004 7:13:07 PM

Archived from groups: comp.security.firewalls (More info?)

"T. Sean Weintz" <sean@snerts-r-us.org> squirted these wordjisms deep
inside the bumtube of the newstwat in
news:10d6ap668d9t053@corp.supernews.com:

> David Qunt wrote:
>
>> Yes, but that was because I didn't fully appreciate the nature of
>> Sonicwall. I have already admitted that I posted within the
>> limitations of my knowledge in an attempt to be as helpful as I
>> could. My knowledge may not be all it should be, just as it is
>> obvious that there is room for improvement in your bedside manner. I
>> was trying to be constructive, and your motivation as far as your
>> continuing attitude towards me is something different entirely.
>
> If your knowledge on a given subject is very limited, offering words
> of advice on the subject is not constructive. If you didn't know
> anything about Sonicwalls the most helpful thing to do would have been
> to post nothing to the thread.
>

I disagree. See my earlier post today as to why.

You cannot tell me what I can and cannot post.

--
*********************************
> David Qunt
>
****************************************************
Anonymous
June 20, 2004 7:13:35 PM

Archived from groups: comp.security.firewalls (More info?)

"T. Sean Weintz" <sean@snerts-r-us.org> squirted these wordjisms deep
inside the bumtube of the newstwat in
news:10cs3id15e8uj5e@corp.supernews.com:

> David Qunt wrote:
>
>>
>> If you used ZoneAlarm then VisualZone would interpret the logs for you.
>
> Good idea, replace a high end hardware firewall with a low end software
> based one.
>
> Geez.
>
>

Those are your words, not mine. I did not suggest replacing one with
another.

--
*********************************
> David Qunt
>
****************************************************
July 2, 2004 2:04:41 AM

Archived from groups: comp.security.firewalls (More info?)

Try Sawmill.

http://www.sawmill.net/

Joe

"Chuck" <none@example.net> wrote in message
news:38dmc0dgbse3rhs7e5kgbkb2bjrfgg4qi7@4ax.com...
> On Sat, 12 Jun 2004 16:08:17 GMT, Lars M. Hansen <badnews@hansenonline.net>
> wrote:
>
> >On Sat, 12 Jun 2004 12:06:02 +1000, JC spoketh
> >
> >>
> >>How do you deal with the firewall logs?
> >>
> >>What would be useful would be a program that will read the log file,
> >>preferably in XLS format, and spit out a summary along the lines of ISP Name,
> >>Abuse email address, Source URL, Date & Time sorted on ISP name, Source
> >>URL and Date & Time if multiple entries are detected. Does such a program
> >>exist?
> >>
> >>TIA.
> >
> >I doubt such a program exists. Firewall log analyzers are available
> >that'll show daily traffic trends (blocked inbound/outbound and where
> >traffic is going). However, I know of none that'll look up abuse e-mail
> >addresses and/or check which ISP an IP address is associated with.
> >
> >For better logging with the Sonicwall, I recommend using a syslog
> >server. You can either set up a linux box to do this, or get a free copy
> >of Kiwi Syslog Daemon from www.kiwisyslog.com. With this, you can log to
> >any ODBC database you want, and with some skills, you can create reports
> >(i.e. in MS Access) to tell you what's going on...
> >
> >Lars M. Hansen
> >www.hansenonline.net
> >Remove "bad" from my e-mail address to contact me.
> >"If you try to fail, and succeed, which have you done?"
>
> Use the firewall logging program of your choice, and extract the IP address in
> question.
>
> Use TESP AbuseReporter <http://www.tesp.com/abounce/> to help you find out all
> details about the responsible ISP, to make a cleanly formatted and
> informative report, and to email the report.
>
> Cheers,
> Chuck
> Paranoia comes from experience - and is not necessarily a bad thing.
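As an added example (not code from anyone in the thread), a small Python script that does the part of the OP's request that needs no network access: it parses the e-mailed SonicWall drop entries, groups repeated probes by source address, and sorts the summary by ISP, source and time. The ISP/abuse table is a constructed placeholder standing in for the manual dnsstuff/whois lookup, and the log lines are constructed samples in the style the OP pasted.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of the SonicWall e-mailed log (not real traffic).
SAMPLE_LOG = """\
2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN
2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN
2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN
2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN
2004/06/11 11:02:41.110 TCP connection dropped - Source:203.129.200.7, 1512, WAN
2004/06/11 11:05:09.877 TCP connection dropped - Source:203.129.200.9, 1401, WAN
"""

# One drop entry: timestamp, protocol, "packet"/"connection" dropped, source, port, interface.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<proto>\w+) (?:packet|connection) dropped - "
    r"Source:(?P<src>\d+\.\d+\.\d+\.\d+), (?P<port>\d+), (?P<iface>\w+)$"
)

# Hypothetical stand-in for the whois/dnsstuff lookup; real data would come from a whois client.
ISP_TABLE = {
    ip_network("203.129.200.0/24"): ("ExampleNet", "abuse@example-net.invalid"),
    ip_network("218.217.0.0/16"): ("ExampleISP", "abuse@example-isp.invalid"),
}

def lookup_isp(src):
    addr = ip_address(src)
    for net, info in ISP_TABLE.items():
        if addr in net:
            return info
    return ("unknown", "unknown")

def summarize(log_text, min_hits=1):
    """Rows per source with >= min_hits drops, sorted by ISP name, source address, first seen."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a drop entry (Excel headers, blank lines, other events)
        by_src[m["src"]].append((m["ts"], m["proto"]))
    rows = []
    for src, events in by_src.items():
        if len(events) < min_hits:
            continue
        isp, abuse = lookup_isp(src)
        times = sorted(ts for ts, _ in events)
        rows.append({"isp": isp, "abuse": abuse, "src": src, "hits": len(events),
                     "first": times[0], "last": times[-1],
                     "protos": sorted({p for _, p in events})})
    return sorted(rows, key=lambda r: (r["isp"], ip_address(r["src"]), r["first"]))
```

Calling `summarize(SAMPLE_LOG, min_hits=2)` keeps only sources seen more than once, which is the "multiple entries" filter the OP asked for.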