[Dshield] Sonicwall / Netgear...

Joe Kaiping kaiping at phreedom.com
Sat Nov 3 17:22:56 GMT 2001


Hi there,

I recently installed a Netgear FR314 firewall router for my home network.
It only logs attempts to get into closed ports and a port is either open or
closed to the entire internet.  You can't restrict/allow access from certain
external IPs or IP ranges.  But I still get a fair amount of log messages
about ports 111, 515, 1243, and others.

It can be configured to email logs and/or alerts to a single email address.
(I tried to have it send to 2 addresses, but didn't get it to work.)
Creating a mail alias that contains multiple emails works fine, though.

Below is an example log file that it mails out.  One of the big drawbacks
from these logs is that the time zone isn't included.  Not sure if that is
going to be a problem or not.  Perhaps that info can be gotten from the mail
header of the sending mail server since it seems to usually include the GMT
offset.

I work with Perl often, but haven't had a chance to look at the parser
that has been sent around.  If you'd like me to adapt (the/an) existing parser
or create a new one that can handle this data format, just let me know and I
could probably get to it early next week.

Have a good one,
-Joe

========

From: kaipingfwlogs at phreedom.com
Sent: Saturday, November 03, 2001 9:31 AM
To: kaipingfwlogs at phreedom.com
Subject: Log file from NETGEAR [0030AB04CDDB]

NETGEAR Firewall 0030-AB04-CDDB Log (part 1) dumped to email at 11/03/2001
09:30:49.752
11/02/2001 10:00:02.224 - 	Log successfully sent via email
11/02/2001 15:28:10.160 - 	TCP connection dropped - 	Source:65.2.239.45,
4925, WAN - 	Destination:xx.xx.xx.xx, 27374, LAN - 	 - 	Rule 0
11/02/2001 16:19:55.928 - 	Sending DHCP REQUEST (Renewing). -
Source:xx.xx.xx.xx, 17408 - 	Destination:24.1.240.45, 17152 - 	xx.xx.xx.xx -
11/02/2001 16:19:56.176 - 	DHCP Client got ACK from server. -
Source:24.1.240.41, 17152 - 	Destination:xx.xx.xx.xx, 17408 - 	xx.xx.xx.xx -
11/02/2001 17:41:54.240 - 	TCP connection dropped - 	Source:65.25.2.98,
4169, WAN - 	Destination:xx.xx.xx.xx, 27374, LAN - 	 - 	Rule 0
11/02/2001 18:22:28.560 - 	TCP connection dropped - 	Source:61.32.33.9,
2882, WAN - 	Destination:xx.xx.xx.xx, 111, LAN - 	'Sun RPC' - 	Rule 0
11/02/2001 18:42:19.160 - 	TCP connection dropped - 	Source:65.35.60.222,
3937, WAN - 	Destination:xx.xx.xx.xx, 27374, LAN - 	 - 	Rule 0
11/02/2001 19:51:29.096 - 	TCP connection dropped - 	Source:65.5.156.17,
3711, WAN - 	Destination:xx.xx.xx.xx, 27374, LAN - 	 - 	Rule 0
11/03/2001 03:59:46.384 - 	TCP connection dropped - 	Source:216.25.10.85,
4780, WAN - 	Destination:xx.xx.xx.xx, 111, LAN - 	'Sun RPC' - 	Rule 0
11/03/2001 04:35:49.704 - 	TCP connection dropped - 	Source:210.58.102.81,
1695, WAN - 	Destination:xx.xx.xx.xx, 111, LAN - 	'Sun RPC' - 	Rule 0
11/03/2001 09:22:42.368 - 	Successful administrator login -
Source:192.168.0.3, LAN - 	Destination:192.168.0.1 - 	 -


> -----Original Message-----
> From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
> Behalf Of Johannes B. Ullrich
> Sent: Friday, November 02, 2001 6:32 AM
> To: dshield at dshield.org
> Subject: [Dshield] Sonicwall / Netgear...
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hi.
>
>   A quick notice about Sonicwall and Netgear routers. They both
> have the ability to email an administrator about "policy violations".
>
>   For sonicwall logs, you can send them directly to
> 'sonicwall at dshield.org' to have them included. The Sonicwall
> setup should
> allow you to manipulate the Subject line of this email. Set
> it to show
> your userid.
>
>   This feature is still somewhat experimental. So let me know
> how it goes.
>
> Netgear:
>
>   Some Netgear routers appear to have a similar feature. Does
> anyone own
> one? If so, I would be interested in looking at the emails to
> see if we
> can support them like the SonicWall emails.
>
>
> - --
> - -------
> jullrich at sans.org                    Join http://www.DShield.org
>                           Distributed Intrusion Detection System
>
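A parser for the FR314 mail log format shown above, added here as an example in Python; it is neither the Perl parser Joe offers to write nor DShield's own client code. It re-joins the entries that the mailer folded across lines and takes the GMT offset as a parameter, on the assumption that the caller recovers that offset from the sending mail server's Date: header, as suggested above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample from the FR314 mail above; the mailer folds long entries.
SAMPLE = (
    "11/02/2001 15:28:10.160 - \tTCP connection dropped - \tSource:65.2.239.45,\n"
    "4925, WAN - \tDestination:xx.xx.xx.xx, 27374, LAN - \t - \tRule 0\n"
    "11/02/2001 18:22:28.560 - \tTCP connection dropped - \tSource:61.32.33.9,\n"
    "2882, WAN - \tDestination:xx.xx.xx.xx, 111, LAN - \t'Sun RPC' - \tRule 0\n"
    "11/03/2001 09:22:42.368 - \tSuccessful administrator login -\n"
    "Source:192.168.0.3, LAN - \tDestination:192.168.0.1 - \t -\n"
)
STAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}")
SEP = re.compile(r" -(?: \t| |$)")  # router writes " - <tab>"; a fold leaves " - "

def unwrap(text):
    """Re-join folded entries: a line with no leading timestamp continues the last."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line.strip()
    return entries

def endpoint(field):
    """'Source:65.2.239.45, 4925, WAN' -> (ip, port or None, zone or None)."""
    parts = [p.strip() for p in field.split(":", 1)[1].split(",")]
    port = next((int(p) for p in parts[1:] if p.isdigit()), None)
    zone = next((p for p in parts[1:] if p in ("WAN", "LAN")), None)
    return parts[0], port, zone

def parse_entry(entry, utc_offset_hours):
    """utc_offset_hours: GMT offset the caller took from the mail server's
    Date: header (assumed), since the log line itself carries no time zone."""
    fields = [f.strip() for f in SEP.split(entry)]
    local = datetime.strptime(fields[0], "%m/%d/%Y %H:%M:%S.%f").replace(
        tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    rec = {"time_utc": local.astimezone(timezone.utc).isoformat(timespec="milliseconds"),
           "event": fields[1], "src": None, "dst": None, "service": None, "rule": None}
    for f in fields[2:]:
        if f.startswith("Source:"):
            rec["src"] = endpoint(f)
        elif f.startswith("Destination:"):
            rec["dst"] = endpoint(f)
        elif f.startswith("Rule "):
            rec["rule"] = int(f[5:])
        elif f:  # e.g. 'Sun RPC': the service name the router attached
            rec["service"] = f.strip("'")
    return rec
```

Run it as `[parse_entry(e, offset) for e in unwrap(SAMPLE)]`; the "xx.xx.xx.xx" placeholders the poster used for his own address pass through as-is.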
