Wireless Group Policy WLAN Radius Part 3 WLAN Radius Config WLAN Client Config Linksys BEFSR41 Firmware Linksys BEFSR41 101 Linksys WAP54G config More Linksys BEFSR config Security how-to Writing DNS Zonefiles Is ZoneAlarm Spyware? Linksys Wishlist Sendmail spamblock Bind

[netmenu.html]

Privacy Feedback

Log Analyzer.

Updated 6/12/03

A minor bug in the script caused "port attacks" identified as ICMP to show up with no port number. This has been fixed in version 1.05. ICMP probes are now identified as such in the report. 

Also, a "-d" (or "--dns") switch has been added to resolve IP addresses to hostnames. This is a somewhat slow process...

Updated 3/4/03

I wrote a small perl script to make it easier to read the log files you get when using the syslog feature on the Symantec Firewall/VPN appliance. Reading through the logs are not a pleasant experience, but with simple perl script, the events of the past days can easily be summarized. 

The output looks like this:

------------------------------------------------
Total Number of port scans logged: 742
------------------------------------------------

Port Scans per day
------------------
Feb 10          63
Feb 11          24
Feb 12          65
Feb 13          30
------------------
Ports hit
------------------
445            110
1434           105
1433            76
17300           68
27374           36
------------------
Port Number: 445
   IP:     24.80.252.14      2
   IP:   65.201.237.169      2
   IP:   65.210.180.200      2
   IP:     61.93.33.187      2
   IP:    61.242.83.247      2
Port Number: 1434
   IP:   213.115.144.70     16
   IP:    64.156.191.52     12

Since this is just a quick sample, some of the entries have been cut to shorten things up.

Download firewall.pl

The script is written in perl, and should run on *nix boxes and Windows boxes alike (assuming you have perl installed). The default logfile name may have to be changed to accommodate for your settings, or you can simply use the '-l <filename>' argument.

Usage:   firewall.pl [-l <name>] -n <lines> -p -d

-l  <name>: name of file to report on.
-n <lines>: number of lines in the ports hit and IP address list. Default is 10./
-p : Display "Ports hit" section only.
-d : DNS lookup. Performs a reverse DNS lookup of all IP addresses. Note that although DNS entries are cached, this lookup does slow down the reporting. Also, some of the long names might make a mess of the output.