Good free personal firewall log analyser

C

capaill

Guest
Hi Folks

Symantec have a very good firewall log analyser that you can download from their site for free from . It sends your logs on a daily basis to Symantec where they are analysed and an email is sent back to you within 24 hours. The email is in plain English and tells you what type of attacks/probes your firewall recorded. It works with the most popular personal firewalls such as ZoneAlarm and the Windows XP built-in firewall.

I have used it and found it to be very useful. I also believe they have a version for device firewalls but am not sure if it is free.

By the way I have no association with Symantec.

C
 
firewall

Hi capaill,

Would you mind posting an excerpt from the mail they sent you back to give us an example?

Were there many incidents in total?

Anyone interested in this might find some interesting reading on the Irish [broken link removed] site.
 
Re: firewall

Hi Car

Here is the excerpt from one email I received from Symantec. I have tried to preserve the formatting, apologies if it is lost in translation to the board.

C

-----Original Message-----
From: analyzer@symantec.com [mailto:analyzer@symantec.com]
Subject: Symantec DeepSight Analyzer Scheduled Summary (76 new events).


DeepSight Analyzer Daily Summary
Event Activity Report for capaill.
Date Range: 2/19/2005 11:35:50 AM - 2/20/2005 11:00:00 AM GMT

Time of last upload: Feb 20 2005 10:49AM
New events since last report: 76
Total number of events reported: 493
Number of new distinct attacking IP's: 57

Top Attacks Since Last Report Severity Count Last Event Date
-------------------------------------- -------- ----- ------------------
Generic Connection Denied Event Low 76 2/20/05 9:00 AM

Top 7 Attacking IP's # Events
-------------------------------------- -----------
195.218.21.171 3
195.218.26.50 3
195.218.27.37 3
195.218.29.12 3
67.18.222.234 2
70.68.45.96 2
169.254.176.108 2

Top 5 Attacking Countries # Events
-------------------------------------- -----------
Luxembourg 26
United States 18
United Kingdom 9
Ireland 6

Top 7 Targeted Ports # Events
-------------------------------------- -----------
445 (microsoft-ds ) 58
139 (netbios-ssn) 4
137 (netbios-ns) 3
6346 (gnutella-svc ) 3
1026 (unknown) 1
1027 (unknown) 1
2428 (ott ) 1
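The DeepSight mail above is just counts of dropped inbound packets grouped by source and destination port. The same summary can be produced locally from the firewall's own log without uploading anything. The following is an added example, not Symantec's code and not something from this thread: it assumes the W3C-style layout that the Windows XP SP2 firewall writes to pfirewall.log (a `#Fields:` header naming the columns, `DROP`/`OPEN` actions and a `RECEIVE`/`SEND` path column), the log lines are constructed, `192.168.1.5` is the constructed protected host, and the port-name table is lifted from the report. It also flags "attackers" whose address is not Internet-routable, since an entry like 169.254.176.108 in a top-attackers list is a machine on the local segment, not a remote probe.

```python
"""Build a DeepSight-style daily summary from a Windows XP SP2 firewall log.

Added example (not Symantec's code): parses the W3C-style pfirewall.log
layout, keeps only dropped inbound packets, and counts attacking sources and
targeted ports the way the report in the thread does. The log is constructed.
"""
from collections import Counter
from ipaddress import ip_address

# Constructed sample log in the layout Windows Firewall (XP SP2) writes to
# pfirewall.log; the '#Fields:' header names the columns. 192.168.1.5 is the
# constructed protected host; source addresses come from the report above.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-02-20 08:59:01 DROP TCP 195.218.21.171 192.168.1.5 3321 445 48 S 1311297 0 16384 - - - RECEIVE
2005-02-20 08:59:02 DROP TCP 195.218.21.171 192.168.1.5 3322 139 48 S 1311298 0 16384 - - - RECEIVE
2005-02-20 08:59:03 DROP TCP 195.218.21.171 192.168.1.5 3323 445 48 S 1311299 0 16384 - - - RECEIVE
2005-02-20 09:00:00 DROP TCP 67.18.222.234 192.168.1.5 4010 445 48 S 2211 0 65535 - - - RECEIVE
2005-02-20 09:00:07 DROP UDP 70.68.45.96 192.168.1.5 1027 137 78 - - - - - - - RECEIVE
2005-02-20 09:00:09 DROP TCP 169.254.176.108 192.168.1.5 1045 445 48 S 991 0 65535 - - - RECEIVE
2005-02-20 09:00:12 OPEN TCP 192.168.1.5 195.218.29.12 1050 80 0 - 0 0 0 - - - -
2005-02-20 09:00:13 DROP TCP 195.218.29.12 192.168.1.5 2222 6346 48 S 5 0 65535 - - - RECEIVE
2005-02-20 09:00:15 DROP UDP 192.168.1.5 192.168.1.255 137 137 78 - - - - - - - SEND
"""

# Service names for the ports seen in the thread; anything else is reported
# as 'unknown', as in the Symantec mail.
PORT_NAMES = {445: "microsoft-ds", 139: "netbios-ssn", 137: "netbios-ns",
              6346: "gnutella-svc", 2428: "ott"}


def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def inbound_drops(records):
    """Keep packets dropped on the way in; OPEN/CLOSE and dropped SEND are not probes against us."""
    return [r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"]


def summarise(text, top_n=7):
    """Count sources and destination ports over the dropped inbound packets."""
    drops = inbound_drops(parse_log(text))
    sources = Counter(r["src-ip"] for r in drops)
    ports = Counter(int(r["dst-port"]) for r in drops)
    # Link-local, RFC 1918 and loopback sources cannot have come from the
    # Internet: they point at a machine on the local segment.
    local_sources = sorted(
        (ip for ip in sources if not ip_address(ip).is_global), key=ip_address)
    top_sources = sorted(sources.items(),
                         key=lambda kv: (-kv[1], ip_address(kv[0])))[:top_n]
    top_ports = [(port, PORT_NAMES.get(port, "unknown"), n)
                 for port, n in sorted(ports.items(),
                                       key=lambda kv: (-kv[1], kv[0]))[:top_n]]
    return {"new_events": len(drops), "distinct_sources": len(sources),
            "top_sources": top_sources, "top_ports": top_ports,
            "local_sources": local_sources}


def render(summary):
    """Format the summary in the same shape as the DeepSight mail."""
    lines = [f"New events since last report: {summary['new_events']}",
             f"Number of distinct attacking IPs: {summary['distinct_sources']}",
             "", f"{'Top Attacking IPs':<38} # Events", f"{'-' * 38} {'-' * 11}"]
    lines += [f"{ip:<38} {n}" for ip, n in summary["top_sources"]]
    lines += ["", f"{'Top Targeted Ports':<38} # Events", f"{'-' * 38} {'-' * 11}"]
    for port, name, n in summary["top_ports"]:
        label = f"{port} ({name})"
        lines.append(f"{label:<38} {n}")
    if summary["local_sources"]:
        lines += ["", "Sources that are not Internet-routable (look on the LAN, not at an ISP):"]
        lines += [f"  {ip}" for ip in summary["local_sources"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarise(SAMPLE_LOG)))
```

Run it against a real pfirewall.log by reading the file into `summarise`; lines whose column count does not match the header are skipped rather than guessed at, which matters because the firewall truncates the file while it is being written.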
 
..

Thanks for that capaill. Very interesting.

I'd be interested to see what Symantec determine as an actual attack. i.e., in stats I've read from the honeynet, when breaking up statistics, they make no distinction between a failed login due to an incorrect password and an actual attempted hack, although they do make this point clear.


With similar in mind, are you running any P2P programs? I see a gnutella port attack in there; I wonder, is an incoming search of your shared drive recognised as an attack?

Will investigate further anyway. Nice one.

There was a great article in the Business Post a few months ago on the honeynet where they discovered that a large percentage of attempted hacks came from IPs that were assigned to corporates in Ireland, inferring people are sitting on their company laptops at home (or in the office), and were attempting illegal actions using company property, completely oblivious to the fact that they could be opening their employers to all kinds of legal action. A quick whois on some of the IPs in your log may determine same if you're interested and wish to report abuse....
 
Re: ..

Hi Car

The Irish Honeynet project has its website [broken link removed].

With regard to the above logs, no, I am not running any P2P applications.

Don't forget that corporate machines can be compromised without the user knowing about it. Especially laptop users who take their laptops home and connect onto the net without taking any precautions. Indeed I have consulted on a number of sites where the customer did not even have a firewall in place and of those that did, few of them knew how to manage it.

Have done the abuse thing before and to be honest most network admins don't even acknowledge the request. From time to time I use www.dshield.org to report persistent troublesome IPs. DShield is a well-reputed centralised attack correlation centre that takes information in from people around the world and then reports persistent abusers to their ISPs/network admins for action.

C
 
Re: firewall

The email is in plain English and tells you what type of attacks/probes your firewall recorded.

...

From: analyzer@symantec.com [mailto:analyzer@symantec.com]
Subject: Symantec DeepSight Analyzer Scheduled Summary (76 new events).

DeepSight Analyzer Daily Summary
Event Activity Report for capaill.
Date Range: 2/19/2005 11:35:50 AM - 2/20/2005 11:00:00 AM GMT

Time of last upload: Feb 20 2005 10:49AM
New events since last report: 76
Total number of events reported: 493
Number of new distinct attacking IP's: 57

Top Attacks Since Last Report Severity Count Last Event Date
-------------------------------------- -------- ----- ------------------
Generic Connection Denied Event Low 76 2/20/05 9:00 AM

Top 7 Attacking IP's # Events
-------------------------------------- -----------
195.218.21.171 3
195.218.26.50 3
195.218.27.37 3
195.218.29.12 3
67.18.222.234 2
70.68.45.96 2
169.254.176.108 2

Top 5 Attacking Countries # Events
-------------------------------------- -----------
Luxembourg 26
United States 18
United Kingdom 9
Ireland 6

Top 7 Targeted Ports # Events
-------------------------------------- -----------
445 (microsoft-ds ) 58
139 (netbios-ssn) 4
137 (netbios-ns) 3
6346 (gnutella-svc ) 3
1026 (unknown) 1
1027 (unknown) 1
2428 (ott ) 1


I doubt that many non computer professionals would consider the report above to be "plain English" to be honest.