Firewall log analysis

Archived from groups: comp.security.firewalls

Hi,

I have a Sonicwall firewall which sends me a log each morning via email. I paste the log into Excel, save it then sort on source URL. An example
of log entries showing the important parts is below:-

Date & Time Result Source URL
2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN
2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN
2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN
2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN

I get 80-100 entries per day, which isn't many I know, but over a month this adds up to about 2,500+ entries which take a while to go through. What
I am looking for is patterns of probes which I then report to abuse@x.y.z asking for the probes to be stopped. To get to the abuse@x.y.z address I
look up the details on www.dnsstuff.com. Doing this multiple times each day can be tedious and it is not immediately obvious that, for example,
source URLs 66.139.x.y and 69.44.x.y are all connected to the same ISP.

How do you deal with the firewall logs?

What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
exist?

TIA.
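An added example, not code from the thread: a Python script that parses the SonicWall lines quoted above, keeps only sources seen more than once, and produces the ISP / abuse address / source / date & time summary the post asks for. The ISP table is a constructed stand-in for the dnsstuff.com lookup (the prefixes are the two the post says share an ISP; the names, abuse addresses and the extra log lines are made up), so a real tool would replace `lookup_isp` with a WHOIS/RDAP query.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Matches the "important parts" of a SonicWall e-mail log line exactly as
# quoted in the post: date, time, protocol, event, source IP, port, interface.
# For ICMP the "port" field in that log is the ICMP type (8 = echo request).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<proto>TCP|UDP|ICMP) (?P<event>[a-z ]+?) - "
    r"Source:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<port>\d+), (?P<iface>\w+)$"
)

# Constructed stand-in for the dnsstuff.com / WHOIS lookup done by hand in the
# post.  The prefixes are the two the post says belong to one ISP; the names
# and abuse addresses are placeholders, not real registry data.
ISP_TABLE = [
    (ip_network("66.139.0.0/16"), "Example ISP One", "abuse@isp-one.example"),
    (ip_network("69.44.0.0/16"), "Example ISP One", "abuse@isp-one.example"),
    (ip_network("218.217.0.0/16"), "Example ISP Two", "abuse@isp-two.example"),
]

# Constructed sample: the column header that comes along when the e-mail is
# pasted (must be skipped, not parsed), the four lines from the post, and
# made-up repeats from the two prefixes above.
SAMPLE_LOG = [
    "Date & Time Result Source URL",
    "2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN",
    "2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN",
    "2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN",
    "2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN",
    "2004/06/11 11:02:44.100 TCP connection dropped - Source:66.139.1.2, 135, WAN",
    "2004/06/11 11:02:45.300 TCP connection dropped - Source:66.139.1.2, 445, WAN",
    "2004/06/11 12:15:01.000 UDP packet dropped - Source:69.44.3.4, 1434, WAN",
    "2004/06/12 12:15:05.000 UDP packet dropped - Source:69.44.3.4, 1434, WAN",
]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["when"] = rec["date"] + " " + rec["time"]
    return rec


def lookup_isp(ip):
    """Map a source address to (ISP name, abuse address) using ISP_TABLE."""
    addr = ip_address(ip)
    for net, name, abuse in ISP_TABLE:
        if addr in net:
            return name, abuse
    return "unknown", "unknown"


def summarize(lines, min_hits=2):
    """Build the summary rows the post asks for.

    Entries are grouped per source address; only addresses seen at least
    min_hits times are kept, so a single stray packet never becomes a report.
    Rows are sorted on ISP name, then source address, then first sighting.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    rows = []
    for ip, recs in by_ip.items():
        if len(recs) < min_hits:
            continue
        stamps = sorted(r["when"] for r in recs)
        isp, abuse = lookup_isp(ip)
        rows.append({
            "isp": isp,
            "abuse": abuse,
            "ip": ip,
            "first_seen": stamps[0],
            "last_seen": stamps[-1],
            "hits": len(recs),
            "ports": sorted({r["port"] for r in recs}),
        })
    rows.sort(key=lambda r: (r["isp"], ip_address(r["ip"]), r["first_seen"]))
    return rows


def to_csv(rows):
    """Render the rows as CSV text that pastes straight into Excel."""
    out = ["isp,abuse,source,first_seen,last_seen,hits,ports"]
    for r in rows:
        ports = " ".join(str(p) for p in r["ports"])
        out.append(f'{r["isp"]},{r["abuse"]},{r["ip"]},{r["first_seen"]},'
                   f'{r["last_seen"]},{r["hits"]},{ports}')
    return "\n".join(out)


if __name__ == "__main__":
    print(to_csv(summarize(SAMPLE_LOG)))
```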
  1.

    JC <jhoppyc@westnet.com.invalid> squirted these wordjisms deep inside
    the bumtube of the newstwat in
    news:bemkc097764aq8tvurfa5akqn8777ttslh@4ax.com:

    > Hi,
    >
    > I have a Sonicwall firewall which sends me a log each morning via
    > email. I paste the log into Excel, save it then sort on source URL.
    > An example of log entries showing the important parts is below:-
    >
    > Date & Time Result Source URL
    > 2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN
    > 2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN
    > 2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN
    > 2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN
    >
    > I get 80-100 entries per day, which isn't many I know, but over a
    > month this adds up to about 2,500+ entries which take a while to go
    > through. What I am looking for is patterns of probes which I then
    > report to abuse@x.y.z asking for the probes to be stopped. To get
    > to the abuse@x.y.z address I look up the details on www.dnsstuff.com.
    > Doing this multiple times each day can be tedious and it is not
    > immediately obvious that, for example, source URLs 66.139.x.y and
    > 69.44.x.y are all connected to the same ISP.
    >
    > How do you deal with the firewall logs?
    >
    > What would be useful would be a program that will read the log file,
    > preferably in XLS format, and spit out a summary along the lines of
    > ISP Name, Abuse email address, Source URL, Date & Time sorted on ISP
    > name, Source URL and Date & Time if multiple entries are detected.
    > Does such a program exist?
    >
    > TIA.
    >
    >

    If you used ZoneAlarm then VisualZone would interpret the logs for you.
    VisualZone looks up intruder IPs and other info, and has a button that
    will format the results into a template email which you can send to the
    abuse or AUP dept of the ISP concerned. You can look up the IP address on
    spamcop to see if they are known pests, send a report to DShield, and
    check which ports they were hitting easily using buttons. It has a whole
    host of other features too.

    However, unfortunately I don't know of a similar application which does
    the same for your firewall.

    --
    *********************************
    > David Qunt
    >
    ****************************************************
  2.

    While it doesn't offer all the features you ask for, you can get some
    nice log analysis in linklogger. (www.linklogger.com)


    Brad


    On Sat, 12 Jun 2004 12:06:02 +1000, JC <jhoppyc@westnet.com.invalid>
    wrote:

    >Hi,
    >
    >I have a Sonicwall firewall which sends me a log each morning via email. I paste the log into Excel, save it then sort on source URL. An example
    >of log entries showing the important parts is below:-
    >
    > Date & Time Result Source URL
    >2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN
    >2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN
    >2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN
    >2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN
    >
    >I get 80-100 entries per day, which isn't many I know, but over a month this adds up to about 2,500+ entries which take a while to go through. What
    >I am looking for is patterns of probes which I then report to abuse@x.y.z asking for the probes to be stopped. To get to the abuse@x.y.z address I
    >look up the details on www.dnsstuff.com. Doing this multiple times each day can be tedious and it is not immediately obvious that, for example,
    >source URLs 66.139.x.y and 69.44.x.y are all connected to the same ISP.
    >
    >How do you deal with the firewall logs?
    >
    >What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
    >Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
    >exist?
    >
    >TIA.
  3.

    >
    > How do you deal with the firewall logs?
    >
    > What would be useful would be a program that will read the log file,
    > preferably in XLS format, and spit out a summary along the lines of ISP
    > Name, Abuse email address, Source URL, Date & Time sorted on ISP name,
    > Source URL and Date & Time if multiple entries are detected. Does such a
    > program exist?
    >

    Yes, there are some programs out there.
    I believe what you are looking for is something like this Add-On to the
    SmoothWall:
    http://community.smoothwall.org/forum/viewtopic.php?t=6351

    It uses already known information about known aggressive addresses, and in
    case the program detects something "new" it also submits it so that others can
    have their systems updated to stop the activity.

    If you are running SNORT, there is also another Add-On to the Smoothwall
    which may be of interest. I have installed it, and if you should try to
    port-scan me you will find that my network just disappears from your view
    for a pre-set number of days.
    Look here: http://community.smoothwall.org/forum/viewtopic.php?t=5702

    The nice thing about these functions is that once they are there, you do
    not have to do anything more; the FW itself will be active and adaptive
    towards threats and unwanted activities.

    JMM
  4.

    On Sat, 12 Jun 2004 12:06:02 +1000, JC spoketh

    >
    >How do you deal with the firewall logs?
    >
    >What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
    >Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
    >exist?
    >
    >TIA.

    I doubt such a program exists. Firewall log analyzers are available
    that'll show daily traffic trends (blocked inbound/outbound and where
    traffic is going). However, I know of none that'll look up abuse e-mail
    addresses and/or check which ISP an IP address is associated with.

    For better logging with the Sonicwall, I recommend using a syslog
    server. You can either set up a linux box to do this, or get a free copy
    of Kiwi Syslog Daemon from www.kiwisyslog.com. With this, you can log to
    any ODBC database you want, and with some skills, you can create reports
    (i.e. in MS Access) to tell you what's going on...

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
  5.

    On Sat, 12 Jun 2004 16:08:17 GMT, Lars M. Hansen <badnews@hansenonline.net>
    wrote:

    >On Sat, 12 Jun 2004 12:06:02 +1000, JC spoketh
    >
    >>
    >>How do you deal with the firewall logs?
    >>
    >>What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
    >>Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
    >>exist?
    >>
    >>TIA.
    >
    >I doubt such a program exists. Firewall log analyzers are available
    >that'll show daily traffic trends (blocked inbound/outbound and where
    >traffic is going). However, I know of none that'll look up abuse e-mail
    >addresses and/or check which ISP an IP address is associated with.
    >
    >For better logging with the Sonicwall, I recommend using a syslog
    >server. You can either set up a linux box to do this, or get a free copy
    >of Kiwi Syslog Daemon from www.kiwisyslog.com. With this, you can log to
    >any ODBC database you want, and with some skills, you can create reports
    >(i.e. in MS Access) to tell you what's going on...
    >
    >Lars M. Hansen
    >www.hansenonline.net
    >Remove "bad" from my e-mail address to contact me.
    >"If you try to fail, and succeed, which have you done?"

    Use the firewall logging program of your choice, and extract the IP address in
    question.

    Use TESP AbuseReporter <http://www.tesp.com/abounce/> to help you find out all
    details about the responsible ISP, to make a cleanly formatted and informative
    report, and to email the report.

    Cheers,
    Chuck
    Paranoia comes from experience - and is not necessarily a bad thing.
  6.

    Lars M. Hansen <badnews@hansenonline.net> wrote in
    news:oo9mc0p5s71i88jh8nlm6in3ra2d11qdpq@4ax.com:

    > On Sat, 12 Jun 2004 12:06:02 +1000, JC spoketh
    >
    >>
    >>How do you deal with the firewall logs?
    >>
    >>What would be useful would be a program that will read the log file,
    >>preferably in XLS format, and spit out a summary along the lines of
    >>ISP Name, Abuse email address, Source URL, Date & Time sorted on ISP
    >>name, Source URL and Date & Time if multiple entries are detected.
    >>Does such a program exist?
    >>
    >>TIA.
    >
    > I doubt such a program exists. Firewall log analyzers are available
    > that'll show daily traffic trends (blocked inbound/outbound and where
    > traffic is going). However, I know of none that'll look up abuse
    > e-mail addresses and/or check which ISP an IP address is associated
    > with.
    >
    > For better logging with the Sonicwall, I recommend using a syslog
    > server. You can either set up a linux box to do this, or get a free
    > copy of Kiwi Syslog Daemon from www.kiwisyslog.com. With this, you can
    > log to any ODBC database you want, and with some skills, you can
    > create reports (i.e. in MS Access) to tell you what's going on...
    >
    > Lars M. Hansen
    > www.hansenonline.net
    > Remove "bad" from my e-mail address to contact me.
    > "If you try to fail, and succeed, which have you done?"

    I have to agree here. I use the Kiwi Syslog Daemon. I am very impressed
    with it. I may get into using SQL Server and Crystal Report.

    Duane :)
  7.

    Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
    inside the bumtube of the newstwat in
    news:oo9mc0p5s71i88jh8nlm6in3ra2d11qdpq@4ax.com:

    > On Sat, 12 Jun 2004 12:06:02 +1000, JC spoketh
    >
    >>
    >>How do you deal with the firewall logs?
    >>
    >>What would be useful would be a program that will read the log file,
    >>preferably in XLS format, and spit out a summary along the lines of
    >>ISP Name, Abuse email address, Source URL, Date & Time sorted on ISP
    >>name, Source URL and Date & Time if multiple entries are detected.
    >>Does such a program exist?
    >>
    >>TIA.
    >
    > I doubt such a program exists. Firewall log analyzers are available
    > that'll show daily traffic trends (blocked inbound/outbound and where
    > traffic is going). However, I know of none that'll look up abuse
    > e-mail addresses and/or check which ISP an IP address is associated
    > with.
    >
    > For better logging with the Sonicwall, I recommend using a syslog
    > server. You can either set up a linux box to do this, or get a free
    > copy of Kiwi Syslog Daemon from www.kiwisyslog.com. With this, you can
    > log to any ODBC database you want, and with some skills, you can
    > create reports (i.e. in MS Access) to tell you what's going on...
    >
    > Lars M. Hansen
    > www.hansenonline.net
    > Remove "bad" from my e-mail address to contact me.
    > "If you try to fail, and succeed, which have you done?"
    >


    Such a program exists for ZoneAlarm, it's called VisualZone. Not sure
    about Sonicwall, though.

    --
    *********************************
    > David Qunt
    >
    ****************************************************
  8.

    On Sat, 12 Jun 2004 17:49:15 GMT, David Qunt spoketh

    >
    >Such a program exists for ZoneAlarm, it's called VisualZone. Not sure
    >about Sonicwall, though.

    ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
    network firewall. Hardly a comparison...

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
  9.

    Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
    inside the bumtube of the newstwat in
    news:rfgmc0916lut4sl36gr987pbop74t10al2@4ax.com:

    > On Sat, 12 Jun 2004 17:49:15 GMT, David Qunt spoketh
    >
    >>
    >>Such a program exists for ZoneAlarm, it's called VisualZone. Not sure
    >>about Sonicwall, though.
    >
    > ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
    > network firewall. Hardly a comparison...
    >
    > Lars M. Hansen
    > www.hansenonline.net
    > Remove "bad" from my e-mail address to contact me.
    > "If you try to fail, and succeed, which have you done?"
    >


    Thanks for pointing that out.

    However, I wasn't making a comparison, just pointing something out.

    The point is, there may be something similar for Sonicwall.

    --
    *********************************
    > David Qunt
    >
    ****************************************************
  10.

    "David Qunt" <davidqunt@hotmail.com> wrote in message
    news:Xns9507EF38CC249000oooQuntooo000@62.253.162.202...
    > Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
    > inside the bumtube of the newstwat in
    > news:rfgmc0916lut4sl36gr987pbop74t10al2@4ax.com:
    >
    > > On Sat, 12 Jun 2004 17:49:15 GMT, David Qunt spoketh
    > >
    > >>
    > >>Such a program exists for ZoneAlarm, it's called VisualZone. Not sure
    > >>about Sonicwall, though.
    > >
    > > ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
    > > network firewall. Hardly a comparison...
    > >
    > > Lars M. Hansen
    > > www.hansenonline.net
    > > Remove "bad" from my e-mail address to contact me.
    > > "If you try to fail, and succeed, which have you done?"
    > >
    >
    >
    > Thanks for pointing that out.
    >
    > However, I wasn't making a comparison, just pointing something out.
    >
    > The point is, there may be something similar for Sonicwall.
    >
    > --
    > *********************************
    > > David Qunt
    > >
    > ****************************************************
  11.

    "David Qunt" <davidqunt@hotmail.com> wrote in message
    news:Xns9507EF38CC249000oooQuntooo000@62.253.162.202...
    > Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
    > inside the bumtube of the newstwat in
    > news:rfgmc0916lut4sl36gr987pbop74t10al2@4ax.com:
    >
    > > On Sat, 12 Jun 2004 17:49:15 GMT, David Qunt spoketh
    > >
    > >>
    > >>Such a program exists for ZoneAlarm, it's called VisualZone. Not sure
    > >>about Sonicwall, though.
    > >
    > > ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
    > > network firewall. Hardly a comparison...
    > >
    > > Lars M. Hansen
    > > www.hansenonline.net
    > > Remove "bad" from my e-mail address to contact me.
    > > "If you try to fail, and succeed, which have you done?"
    > >
    >
    >
    > Thanks for pointing that out.
    >
    > However, I wasn't making a comparison, just pointing something out.
    >
    > The point is, there may be something similar for Sonicwall.

    http://www.kiwisyslog.com

    It was pointed out and it works with several brands of FW appliances and
    routers.

    Duane :)
  12.

    You might want to consider SonicLogger at http://www.SonicLogger.com for
    your SonicWall.

    Blake
  13.

    JC wrote:


    > What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
    > Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
    > exist?
    >
    > TIA.
    >

    Set up the Sonicwall to use a syslog server (I believe ALL models
    support this - I have done it with soho3, pro200 and pro4060 models).

    Use Kiwi syslogd as the syslog server (do a google search for it - free
    download) - it can save data in many formats, including CSV to allow easy
    import to Excel.

    Use the Kiwi syslog analyzer to sort the logs for you.

    --
    T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
    May be copied freely without the express permission of T. Sean Weintz.
    T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
    T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
  14.

    David Qunt wrote:

    >
    > If you used ZoneAlarm then VisualZone would interpret the logs for you.

    Good idea, replace a high end hardware firewall with a low end software
    based one.

    Geez.


    --
    T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
    May be copied freely without the express permission of T. Sean Weintz.
    T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
    T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
  15.

    David Qunt wrote:

    > Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep

    > Thanks for pointing that out.
    >
    > However, I wasn't making a comparison, just pointing something out.
    >
    > The point is, there may be something similar for Sonicwall.
    >

    Look at www.mynetwatchman.org. They have a client that reads Sonicwall
    entries saved by Kiwi syslog, and automatically sends complaints for you.


    --
    T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
    May be copied freely without the express permission of T. Sean Weintz.
    T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
    T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
  16.

    Chuck wrote:


    > Use TESP AbuseReporter <http://www.tesp.com/abounce/> to help you find out
    > all details about the responsible ISP, to make a cleanly formatted and
    > informative report, and to email the report.

    If you are lucky you'll only bore the average ISP sysadmin to death with
    those automated abuse reports. If you are unlucky they might send you a bill
    for wasting their time, since these people normally have other things to do
    than deal with the protocol excerpts of paranoid people who run
    packet filters and are unable to make up their minds themselves about the
    relevance of the output.

    Wolfgang
    --
    A foreign body and a foreign mind
    never welcome in the land of the blind.
    from 'Not one of us', (c) 1980 Peter Gabriel
  17.

    Chuck wrote:

    > On Mon, 14 Jun 2004 22:47:31 +0200, Wolfgang Kueter
    > <wolfgang@shconnect.de> wrote:

    >>If you are lucky you'll only bore the average ISP sysadmin to death with
    >>those automated abuse reports. If you are unlucky might send you a bill
    ^^^^^^^^^

    >>for wasting their time since these people normally have other things to do
    >>than to deal with the protocol excerpts of paranoid people who run
    >>packet filters and are unable to make up their minds themselves about the
    >>relevance of the output.
    ^^^^^^^^^^^^^^^^^^^^^^^


    > I word my notices to that effect, and only send notices when I'm probed
    > repeatedly from a given address.

    Obviously not what I was talking about.

    Wolfgang
    --
    A foreign body and a foreign mind
    never welcome in the land of the blind.
    from 'Not one of us', (c) 1980 Peter Gabriel
  18.

    On Tue, 15 Jun 2004 07:19:55 +0200, Wolfgang Kueter <wolfgang@shconnect.de>
    wrote:

    >Chuck wrote:
    >
    >> On Mon, 14 Jun 2004 22:47:31 +0200, Wolfgang Kueter
    >> <wolfgang@shconnect.de> wrote:
    >
    >>>If you are lucky you'll only bore the average ISP sysadmin to death with
    >>>those automated abuse reports. If you are unlucky might send you a bill
    > ^^^^^^^^^
    >
    >>>for wasting their time since these people normally have other things to do
    >>>than to deal with the protocol excerpts of paranoid people who run
    >>>packet filters and are unable to make up their minds themselves about the
    >>>relevance of the output.
    > ^^^^^^^^^^^^^^^^^^^^^^^
    >
    >
    >> I word my notices to that effect, and only send notices when I'm probed
    >> repeatedly from a given address.
    >
    >Obviously not what I was talking about.
    >
    >Wolfgang

    Wolfgang,

    So tell us what you're talking about. If it's relevant to this discussion.

    Cheers,
    Chuck
    Paranoia comes from experience - and is not necessarily a bad thing.
  19.

    "T. Sean Weintz" <sean@snerts-r-us.org> squirted these wordjisms deep
    inside the bumtube of the newstwat in
    news:10cs3id15e8uj5e@corp.supernews.com:

    > David Qunt wrote:
    >
    >>
    >> If you used ZoneAlarm then VisualZone would interpret the logs for you.
    >
    > Good idea, replace a high end hardware firewall with a low end software
    > based one.
    >
    > Geez.
    >
    >

    Where exactly did I say he should replace anything?

    And what exactly was the purpose of your post apart from sneer?

    Your next post was quite helpful, in my opinion that would have been
    sufficient.

    --
    *********************************
    > David Qunt
    >
    ****************************************************
  20.

    On Mon, 14 Jun 2004 19:47:00 GMT, David Qunt spoketh

    >
    >
    >Yes, and no put down intended to you either, but what a helpful and
    >constructive post that was from Lars. Calling me on what I said without
    >offering any positive suggestion or advice clearly was of no help to the
    >OP in any possible way whatsoever.

    If someone is looking for high-performance tires for their new Mercedes
    Benz, is it helpful if someone says they know there are high-performance
    tires for bikes?

    The fact that something exists for a different product offers little for
    those not owning that product. If you don't have an answer, either take
    the time to research it (like I did), or refrain from answering.


    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
  21.

    On Wed, 16 Jun 2004 02:31:11 GMT, David Qunt spoketh

    >
    >As I understand it this is a public discussion forum. I tried to be as
    >helpful as I could within my own limitations and knowledge.
    >

    I merely pointed out that it wasn't particularly helpful to say that
    product A does for product B what the OP wants done with product C.

    I'd absolutely encourage you to be helpful. There's nothing better than
    having more people knowing and understanding computer and network
    security considering how big this issue is getting. However, I'd
    encourage you to research things a little more before offering your
    help. It only takes 5 minutes to do a google search on the topic, and see
    what you get:
    http://www.google.com/search?q=sonicwall+reporting+logging+software&btnG=Search&hl=en&lr=&ie=UTF-8


    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
  22.

    Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
    inside the bumtube of the newstwat in
    news:95d0d0dm80pj2klr3qksvi5rbjhnoopk3p@4ax.com:

    > On Wed, 16 Jun 2004 02:31:11 GMT, David Qunt spoketh
    >
    >>
    >>As I understand it this is a public discussion forum. I tried to be as
    >>helpful as I could within my own limitations and knowledge.
    >>
    >
    > I merely pointed out that it wasn't particularly helpful to say that
    > product A does for product B what the OP wants done with product C.
    >
    > I'd absolutely encourage you to be helpful. There's nothing better
    > than having more people knowing and understanding computer and network
    > security considering how big this issue is getting. However, I'd
    > encourage you to research things a little more before offering your
    > help. It only takes 5 minutes to do a google search on the topic, and see
    > what you get:
    > http://www.google.com/search?q=sonicwall+reporting+logging+software&btnG=Search&hl=en&lr=&ie=UTF-8
    >
    >

    Encouraging me?

    Hmmmm, your first response to the OP was

    "I doubt such a program exists. "

    Did you google to check that first? After my post pointing out one did
    exist for ZoneAlarm, Duane responded by highlighting kiwisyslog.com for
    several brands of FW and routers.

    However, instead of responding as Duane did when he replied to my post, you
    simply sniped this at me:

    "ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
    network firewall. Hardly a comparison..."

    Encouragement was not what you were doing there, Lars, despite what you now
    claim. What you did there was critically lecture me for not much more than
    a passing comment.

    Your suggestion of googling may be valid to a certain extent. But if you
    take that to its logical conclusion, any time someone asks a question
    online, or tries to answer one or help out, he or she will be pointed at
    google and told to piss off and look there. But never mind.

    In any event, I would point out that what you said applies equally to the
    OP. And you, for that matter. I would suggest that your advice for me to
    google might be better directed at the OP. He is, after all, the one with
    the Sonicwall firewall, and the log he wants to interpret, and the other
    things he wants to do with it. He is therefore the one who was looking for
    help, which is why I am slightly puzzled why you had a go at me.

    I am merely a passer-by, lurking in here for any useful information, and
    chipping in occasionally. I will probably be doing that less frequently in
    future, despite your sudden change from lecturing to encouragement, if
    this kind of exchange is the usual result.

    If it's any consolation to you, there is no need to encourage me towards
    google. When I am looking for an answer myself, I usually consult google as
    my first port of call. That is probably why you will not find many posts
    from me asking questions which have already been answered elsewhere. I
    don't use google to research everything I am about to post, and I suspect
    you don't either, as it is simply not practical.

    I still stand by my post insofar as it was intended to be constructive,
    unlike yours - even if what I said was not technically correct, it led
    immediately to Duane pointing out a possible alternative that may do what
    the OP requires. Which is more than you did, preferring to say instead that
    you doubt such a program exists.

    Still, I shall apologise for my utterly miserable failure to be 100% sure
    of my facts all of the time when discussing matters online, especially
    since it's a characteristic shared by about 100% of people at least some of
    the time. I shall think twice about trying to help from now on, so that I
    can avoid stealing 3k of your bandwidth and ruining your utopian ideal of
    how you would like this newsgroup to be run if it were yours to control.

    Best regards
    --
    *********************************
    > David Qunt
    >
    ****************************************************
  23.

    On Wed, 16 Jun 2004 18:23:25 GMT, David Qunt spoketh

    >
    >Encouraging me?
    >
    >Hmmmm, your first response to the OP was
    >
    >"I doubt such a program exists. "
    >

    And I still think you'll have a hard time finding a program that'll take
    the Sonicwall logs (syslog or otherwise), look up who the ISP is
    (accurately), find the abuse e-mail address and list it all nicely.
    However, half the context is missing there, because the next few lines
    say what a number of firewall log analyzers do, and it's not what the
    OP describes.

    >
    >Did you google to check that first? After my post pointing out one did
    >exist for ZoneAlarm, Duane responded by highlighting kiwisyslog.com for
    >several brands of FW and routers.
    >

    Oddly, so did I in the second paragraph.

    >
    >However, instead of responding as Duane did when he replied to my post, you
    >simply sniped this at me:
    >
    >"ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
    >network firewall. Hardly a comparison..."
    >
    >Encouragement was not what you were doing there, Lars, despite what you now
    >claim. What you did there was critically lecture me for not much more than
    >a passing comment.
    >

    Yeah, it was a snide remark. You made the same statement twice with
    regards to what is available for a desktop security package which has
    little relevance to the original question, despite it being stated already
    by myself and others that the OP's list of requirements for the software
    was probably unrealistic.

    >
    >Your suggestion of googling may be valid to a certain extent. But if you
    >take that to its logical conclusion, any time someone asks a question
    >online, or tries to answer one or help out, he or she will be pointed at
    >google and told to piss off and look there. But never mind.
    >

    I've never suggested "google or piss off", nor do I recall having seen
    anyone else taking the "google is your friend" to any such extremes.

    >
    >In any event, I would point out that what you said applies equally to the
    >OP. And you, for that matter. I would suggest that your advice for me to
    >google might be better directed at the OP. He is, after all, the one with
    >the Sonicwall firewall, and the log he wants to interpret, and the other
    >things he wants to do with it. He is therefore the one who was looking for
    >help, which is why I am slightly puzzled why you had a go at me.
    >
    >I am merely a passer-by, lurking in here for any useful information, and
    >chipping in occasionally. I will probably be doing that less frequently in
    >future, despite your sudden change from lecturing to encouragement, if
    >this kind of exchange is the usual result.
    >
    >If it's any consolation to you, there is no need to encourage me towards
    >google. When I am looking for an answer myself, I usually consult google as
    >my first port of call. That is probably why you will not find many posts
    >from me asking questions which have already been answered elsewhere. I
    >don't use google to research everything I am about to post, and I suspect
    >you don't either, as it is simply not practical.
    >
    >I still stand by my post insofar as it was intended to be constructive,
    >unlike yours - even if what I said was not technically correct, it led
    >immediately to Duane pointing out a possible alternative that may do what
    >the OP requires. Which is more than you did, preferring to say instead that
    >you doubt such a program exists.
    >

    My posts regarding this subject have been constructive, with the
    exception of this pissing contest with you because you were offended by
    me calling ZoneAlarm a toy...

    >
    >Still, I shall apologise for my utterly miserable failure to be 100% sure
    >of my facts all of the time when discussing matters online, especially
    >since it's a characteristic shared by about 100% of people at least some of
    >the time. I shall think twice about trying to help from now on, so that I
    >can avoid stealing 3k of your bandwidth and ruining your utopian ideal of
    >how you would like this newsgroup to be run if it were yours to control.
    >
    >Best regards

    whatever.

    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
  24. Archived from groups: comp.security.firewalls

    Lars M. Hansen <badnews@hansenonline.net> squirted these wordjisms deep
    inside the bumtube of the newstwat in
    news:7j31d01cc3njjqj3j084bsbrltm8rm9fda@4ax.com:

    > On Wed, 16 Jun 2004 18:23:25 GMT, David Qunt spoketh
    >
    >>
    >>Encouraging me?
    >>
    >>Hmmmm, your first response to the OP was
    >>
    >>"I doubt such a program exists. "
    >>
    >
    > And I still think you'll have a hard time finding a program that'll
    > take the Sonicwall logs (syslog or otherwise), look up who the ISP is
    > (accurately), find the abuse e-mail address and list it all nicely.
    > However, half the context is missing there, because the next few lines
    > says what a number of firewall log analyzers do, and it's not what the
    > OP describes.
    >
    >>

    What you fail to understand is that I won't have a hard time finding it,
    because I am not the one looking. The OP was.


    >>Did you google to check that first? After my post pointing out one did
    >>exist for ZoneAlarm, Duane responded by highlighting kiwisyslog.com for
    >>several brands of FW and routers.
    >>
    >
    > Oddly, so did I in the second paragraph.


    After making a pointless snipe at me.

    >
    >>
    >>However, instead of responding as Duane did when he replied to my
    >>post, you simply sniped this at me:
    >>
    >>"ZoneAlarm is a toy for desktops, Sonicwall is a professional grade
    >>network firewall. Hardly a comparison..."
    >>
    >>Encouragement was not what you were doing there, Lars, despite what
    >>you now claim. What you did there was critically lecture me for not
    >>much more than passing comment.
    >>
    >
    > Yeah, it was a snide remark. You made the same statement twice with
    > regards to what is available for a desktop security package which has
    > little relevance to original question, despite it being stated already
    > by myself and others that the OPs list of requirements for the
    > software was probably unrealistic.

    Yes, but that was because I didn't fully appreciate the nature of
    Sonicwall. I have already admitted that I posted within the limitations
    of my knowledge in an attempt to be as helpful as I could. My knowledge
    may not be all it should be, just as it is obvious that there is room for
    improvement in your bedside manner. I was trying to be constructive, and
    your motivation as far as your continuing attitude towards me is
    something different entirely.

    >
    >>
    >>Your suggestion of googling may be valid to a certain extent. But if
    >>you take that to its logical conclusion, any time someone asks a
    >>question online, or tries to answer one or help out, he or she will be
    >>pointed at google and told to piss off and look there. But never mind.
    >>
    >
    > I've never suggested "google or piss off", nor do I recall having seen
    > anyone else taking the "google is your friend" to any such extremes.
    >

    Read back the part of my post which you quoted, and you'll see that I
    didn't quote you as saying that at all. Note the important words, 'if you
    take that to its logical conclusion' It should be fairly obvious that
    what I meant is that if everybody did what you did, you would simply have
    lots of people all pointing other people towards google.


    >>
    >>In any event, I would point out that what you said applies equally to
    >>the OP. And you, for that matter. I would suggest that your advice for
    >>me to google might be better directed at the OP. He is, after all, the
    >>one with the Sonicwall firewall, and the log he wants to interpret,
    >>and the other things he wants to do with it. He is therefore the one
    >>who was looking for help, which is why I am slightly puzzled why you
    >>had a go at me.
    >>
    >>I am merely a passer-by, lurking in here for any useful information,
    >>and chipping in occasionally. I will probably be doing that less
    >>frequently in future, despite your sudden change from lecturing to
    >>encouragement, if this kind of exchange is the usual result.
    >>
    >>If it's any consolation to you, there is no need to encourage me
    >>towards google. When I am looking for an answer myself, I usually
    >>consult google as my first port of call. That is probably why you will
    >>not find many posts from me asking questions which have already been
    >>answered elsewhere. I don't use google to research everything I am
    >>about to post, and I suspect you don't either, as it is simply not
    >>practical.
    >>
    >>I still stand by my post insofar as it was intended to be
    >>constructive, unlike yours - even if what I said was not technically
    >>correct, it led immediately to Duane pointing out a possible
    >>alternative that may do what the OP requires. Which is more than you
    >>did, preferring to say instead that you doubt such a program exists.
    >>
    >
    > My posts regarding this subject have been constructive, with the
    > exception of this pissing contest with you because you were offended
    > by me calling ZoneAlarm a toy...

    Show me where I said I was offended at your comments towards ZoneAlarm.
    I never said I was bothered about that, and I don't particularly care
    what you say about that product at all. I'm not here to defend ZoneAlarm
    in the face of your clearly expressed opinion about its merits or
    otherwise. I've been quite clear that I am 'puzzled' - not offended - by
    your attitude in sniping at me, instead of concentrating on helping the
    OP.

    You do like to presume rather a lot. You were the one starting a pissing
    contest, when you made a comparison between ZoneAlarm and Sonicwall -
    something that I did not do, and yet you accused me of.

    >
    >>
    >>Still, I shall apologise for my utterly miserable failure to be 100%
    >>sure of my facts all of the time when discussing matters online,
    >>especially since it's a characteristic shared by about 100% of people
    >>at least some of the time. I shall think twice about trying to help
    >>from now on, so that I can avoid stealing 3k of your bandwidth and
    >>ruining your utopian ideal of how you would like this newsgroup to be
    >>run if it were yours to control.
    >>
    >>Best regards
    >
    > whatever.


    You just can't help yourself with the rudeness and snipes, can you? Feel
    free if it makes you feel any better about your behaviour.


    --
    *********************************
    > David Qunt
    >
    ****************************************************
  25. Archived from groups: comp.security.firewalls

    David Qunt wrote:


    >
    > Where exactly did I say he should replace anything?

    He made it clear he was using a sonicwall, not zone alarm. What exactly
    was the purpose of telling him what he could do with zone alarm if you
    did not mean to imply he should use it instead of the sonicwall?

    >
    > And what exactly was the purpose of your post apart from sneer?

    What was your purpose, then? Your post seemed downright rude. I
    responded in kind.

    --
    T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
    May be copied freely without the express permission of T. Sean Weintz.
    T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
    T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
  26. Archived from groups: comp.security.firewalls

    David Qunt wrote:

    > Yes, but that was because I didn't fully appreciate the nature of
    > Sonicwall. I have already admitted that I posted within the limitations
    > of my knowledge in an attempt to be as helpful as I could. My knowledge
    > may not be all it should be, just as it is obvious that there is room for
    > improvement in your bedside manner. I was trying to be constructive, and
    > your motivation as far as your continuing attitude towards me is
    > something different entirely.

    If your knowledge on a given subject is very limited, offering words of
    advice on the subject is not constructive. If you didn't know anything
    about sonicwalls the most helpful thing to do would have been to post
    nothing to the thread.

    --
    T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
    May be copied freely without the express permission of T. Sean Weintz.
    T. Sean Weintz could care less. T. Sean Weintz does reserve all rights.
    T. Sean Weintz - T. Sean Weintz - T. Sean Weintz - T. Sean Weintz
  27. Archived from groups: comp.security.firewalls

    "T. Sean Weintz" <sean@snerts-r-us.org> squirted these wordjisms deep
    inside the bumtube of the newstwat in
    news:10d69vsg3hd842b@corp.supernews.com:

    > David Qunt wrote:
    >
    >
    >>
    >> Where exactly did I say he should replace anything?
    >
    > He made it clear he was using a sonicwall, not zone alarm. What exactly
    > was the purpose of telling him what he could do with zone alarm if you
    > did not mean to imply he should use it instead of the sonicwall?
    >

    I have stated my purpose already in an earlier post. Since you fail to
    understand it, I shall state it again.

    I did not say he should replace Sonicwall with ZoneAlarm. Instead I was
    simply suggesting that if a product existed that allowed you to interpret
    logs for one firewall then it was entirely possible, and even likely that
    such a product existed for another one.

    >>
    >> And what exactly was the purpose of your post apart from sneer?
    >
    > What was your purpose, then? Your post seemed downright rude. I
    > responded in kind.
    >

    You did not respond in kind, because my post was not rude.

    --
    *********************************
    > David Qunt
    >
    ****************************************************
  28. Archived from groups: comp.security.firewalls

    "T. Sean Weintz" <sean@snerts-r-us.org> squirted these wordjisms deep
    inside the bumtube of the newstwat in
    news:10d6ap668d9t053@corp.supernews.com:

    > David Qunt wrote:
    >
    >> Yes, but that was because I didn't fully appreciate the nature of
    >> Sonicwall. I have already admitted that I posted within the
    >> limitations of my knowledge in an attempt to be as helpful as I
    >> could. My knowledge may not be all it should be, just as it is
    >> obvious that there is room for improvement in your bedside manner. I
    >> was trying to be constructive, and your motivation as far as your
    >> continuing attitude towards me is something different entirely.
    >
    > If your knowledge on a given subject is very limited, offering words
    > of advice on the subject is not constructive. If you didn't know
    > anything about sonicwalls the most helpful thing to do would have been
    > to post nothing to the thread.
    >

    I disagree. See my earlier post today as to why.

    You cannot tell me what I can and cannot post.

    --
    *********************************
    > David Qunt
    >
    ****************************************************
  29. Archived from groups: comp.security.firewalls

    "T. Sean Weintz" <sean@snerts-r-us.org> squirted these wordjisms deep
    inside the bumtube of the newstwat in
    news:10cs3id15e8uj5e@corp.supernews.com:

    > David Qunt wrote:
    >
    >>
    >> If you used ZoneAlarm then VisualZone would interpret the logs for you.
    >
    > Good idea, replace a high end hardware firewall with a low end software
    > based one.
    >
    > Geez.
    >
    >

    Those are your words, not mine. I did not suggest replacing one with
    another.

    --
    *********************************
    > David Qunt
    >
    ****************************************************
  30. Archived from groups: comp.security.firewalls

    Try Sawmill.

    http://www.sawmill.net/

    Joe

    "Chuck" <none@example.net> wrote in message
    news:38dmc0dgbse3rhs7e5kgbkb2bjrfgg4qi7@4ax.com...
    > On Sat, 12 Jun 2004 16:08:17 GMT, Lars M. Hansen <badnews@hansenonline.net>
    > wrote:
    >
    > >On Sat, 12 Jun 2004 12:06:02 +1000, JC spoketh
    > >
    > >>
    > >>How do you deal with the firewall logs?
    > >>
    > >>What would be useful would be a program that will read the log file,
    > >>preferably in XLS format, and spit out a summary along the lines of ISP Name,
    > >>Abuse email address, Source URL, Date & Time sorted on ISP name, Source
    > >>URL and Date & Time if multiple entries are detected. Does such a program
    > >>exist?
    > >>
    > >>TIA.
    > >
    > >I doubt such a program exists. Firewall log analyzers are available
    > >that'll show daily traffic trends (blocked inbound/outbound and where
    > >traffic is going). However, I know of none that'll look up abuse e-mail
    > >addresses and/or check which ISP an IP address is associated with.
    > >
    > >For better logging with the Sonicwall, I recommend using a syslog
    > >server. You can either set up a linux box to do this, or get a free copy
    > >of Kiwi Syslog Daemon from www.kiwisyslog.com. With this, you can log to
    > >any ODBC database you want, and with some skills, you can create reports
    > >(i.e. in MS Access) to tell you what's going on...
    > >
    > >Lars M. Hansen
    > >www.hansenonline.net
    > >Remove "bad" from my e-mail address to contact me.
    > >"If you try to fail, and succeed, which have you done?"
    >
    > Use the firewall logging program of your choice, and extract the IP
    > address in question.
    >
    > Use TESP AbuseReporter <http://www.tesp.com/abounce/> to help you find out
    > all details about the responsible ISP, to make a cleanly formatted and
    > informative report, and to email the report.
    >
    > Cheers,
    > Chuck
    > Paranoia comes from experience - and is not necessarily a bad thing.
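The exchange quoted in the last post spells out the job the original poster wanted automated: read the dropped-packet log, find the sources that keep coming back, and attach the responsible ISP and its abuse address so a report can be sent. As an added example, not code from the thread or from Sonicwall, Kiwi, Sawmill or TESP, the Python script below does the grouping and sorting part offline. It parses lines in the format the poster described, keeps only sources seen more than once (one stray drop is noise, a repeat is a pattern worth reporting), totals hits per /16 block as a rough "probably the same network" view, and joins in an ISP name and abuse mailbox from a lookup table. The log lines and the table are constructed (RFC 5737 documentation addresses, example.net mailboxes); the WHOIS step a real tool would use to populate that table is outside this example.

```python
"""Summarise Sonicwall-style 'packet dropped' log lines by source address.

Added example, not code from the thread or from any product named in it;
the log lines and the ISP table below are constructed stand-ins.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# One drop record per line, e.g.
#   2004/06/11 09:07:15.224 UDP packet dropped - Source:198.51.100.7, 5984, WAN
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)? "
    r"(?P<proto>TCP|UDP|ICMP) (?:packet|connection) dropped - "
    r"Source:(?P<src>\d{1,3}(?:\.\d{1,3}){3}), (?P<port>\d+), (?P<iface>\w+)$"
)

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
# The last line is a non-drop record that the parser must skip.
SAMPLE_LOG = """\
2004/06/11 09:07:15.224 UDP packet dropped - Source:198.51.100.7, 5984, WAN
2004/06/11 09:39:36.496 ICMP packet dropped - Source:203.0.113.17, 8, WAN
2004/06/11 10:27:02.544 UDP packet dropped - Source:198.51.100.7, 31916, WAN
2004/06/11 10:28:08.304 TCP connection dropped - Source:192.0.2.44, 1511, WAN
2004/06/11 11:02:11.001 TCP connection dropped - Source:198.51.100.7, 1511, WAN
2004/06/11 11:05:00.000 TCP connection dropped - Source:198.51.100.9, 445, WAN
2004/06/12 08:15:42.100 TCP connection dropped - Source:192.0.2.44, 135, WAN
2004/06/12 08:16:00.000 Administrator login allowed
"""

# Hypothetical lookup table, network -> (ISP name, abuse mailbox). A real
# tool would fill this from WHOIS data; this example makes no network calls.
ABUSE_TABLE = {
    ip_network("198.51.100.0/24"): ("Example ISP A", "abuse@example.net"),
    ip_network("192.0.2.0/24"): ("Example ISP B", "abuse@example.org"),
}

@dataclass(frozen=True)
class DropEvent:
    when: datetime
    proto: str
    src: str
    port: int   # source port for TCP/UDP; ICMP type for ICMP
    iface: str

def parse_line(line):
    """Return a DropEvent for a drop record, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    return DropEvent(when, m["proto"], m["src"], int(m["port"]), m["iface"])

def parse_log(text):
    """Parse every line, skipping records that are not packet drops."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def abuse_contact(src, table=ABUSE_TABLE):
    """Longest-prefix match of src against the table; 'unknown' if absent."""
    addr = ip_address(src)
    best = None
    for net, contact in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else ("unknown", None)

def hits_per_block(events, prefix_len=16):
    """Drops per /prefix_len block: a rough 'probably the same network' view."""
    return Counter(str(ip_network(f"{ev.src}/{prefix_len}", strict=False))
                   for ev in events)

def summarise(events, min_hits=2):
    """One row per source seen >= min_hits times, sorted by ISP, IP, first seen."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    rows = []
    for src, evs in by_src.items():
        if len(evs) < min_hits:
            continue            # a single drop is noise, not a probe pattern
        evs.sort(key=lambda ev: ev.when)
        isp, abuse = abuse_contact(src)
        rows.append({"isp": isp, "abuse": abuse, "src": src, "hits": len(evs),
                     "first": evs[0].when, "last": evs[-1].when,
                     "protos": sorted({ev.proto for ev in evs})})
    rows.sort(key=lambda r: (r["isp"], ip_address(r["src"]), r["first"]))
    return rows

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for r in summarise(events):
        print(f"{r['isp']:<14} {r['abuse'] or '-':<18} {r['src']:<14} "
              f"{r['hits']:>2} hits  {r['first']} .. {r['last']}  {r['protos']}")
    print("per /16:", dict(hits_per_block(events)))
```

To use it on a real mailed log, replace SAMPLE_LOG with the message body (or the column pasted out of the spreadsheet) and fill ABUSE_TABLE from whatever WHOIS source you trust; the sort order of the rows is the one the original poster asked for (ISP, then source address, then time), so the output can go straight into a per-ISP report.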