[Dshield] Kiwi Syslog vs ZoneAlarm

Thomas Liston tliston at premmag.com
Mon Jul 8 13:54:45 GMT 2002


Neil-

Your assumption that ZA can be used to monitor your network is 
flawed.  ZA is built for the "end user", and does not have a true 
"reporting mechanism", as a network administrator would understand 
the term.  It silently deals with many things, in order not to 
disturb the "end user." 

Now I'm not saying that ZA's design is a bad thing, but it is 
certainly targeted at the "average Joe", not at the network admin.  
You need to remember its intended audience is being shielded from 
much of the goings on "under the hood."

-TL

> On Sun, Jul 07, 2002 at 11:40:16PM -0700, Neil Richardson wrote:
> > Hello.
> > 
> >     I hate to bother everyone with this, but I'm a bit out of my depth and 
> > would greatly appreciate some advice...
> > 
> >     I typically use ZoneAlarm (Personal, set to stealth-mode) for my 
> > firewalling needs.  However, ZA does not record the contents of the packet, 
> > merely the packet stats (To, from, to-port, from-port, etc.)  I also am 
> > using a NetGear router, which has its own built-in firewall.  I am trying 
> > to set up the NG firewall to monitor particularly important ports (like 80) 
> > and send the firewall log--packet data and all--to my monitoring 
> > machine.  At the suggestion of Wayne (IIRC), I installed Kiwi Syslog Daemon 
> > on one of my internal machines (because the router sends its logs in 
> > syslog format via UDP).
> > 
> >     For the moment, I have set NG to monitor a port I get the most blocked 
> > packets on (1433), log any traffic it gets, but then pass it through.  A 
> > machine with ZA and Kiwi are sitting in the DMZ, so the packet falls in 
> > there and gets killed by ZA.  This way, I can compare the ZA log to the NG 
> > log and make sure that NG correctly identified all the packets on that port 
> > (and that I haven't misconfigured anything).
> > 
> >     So far, packets logged in ZA are also logged by NG, but I noticed 
> > something strange: whenever a connection attempt is made, NG registers 
> > *three* identical packets: the second one ~3 seconds after the first, and 
> > the third one ~5 seconds after the second.
> > 
> >     My first thought was that it was the three packets involved in a 
> > standard TCP handshake, but there are three problems with this: A) The 
> > 'source' and 'dest' ports would change for the second one, B) ZA is 
> > dropping the packets, not allowing the handshake, and C) the payload should 
> > be different (or empty).  However, it seems that every packet has an 
> > identical payload of 8 characters.
> > 
> >     Here is the most recent example from my logs (abbreviated due to 
> > excessively long lines.  My router is named BigMouth, and the listening 
> > machine is at 192.168.0.2):
> > 
> > ---------- Begin Excerpt ----------
> > 7-7-02 23:19:54  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP 
> > spo=02353 dpo=01433]}S04>R01mF
> > 7-7-02 23:19:48  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP 
> > spo=02353 dpo=01433]}S04>R01mF
> > 7-7-02 23:19:45  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP 
> > spo=02353 dpo=01433]}S04>R01mF
> > ---------- End Excerpt ----------
> > 
> > 
> >     If anyone could suggest A) Why NG sees 3 packets but ZA only sees 1, or 
> > B) why the packet data is always "S04>R01mF" I would greatly appreciate it.
> > 
> > 
> > Thanks!
> > 
> > -Neil R.
> > 
> > -- 
> > Supreme Lord High Commander and Keeper of the Holy Potato
> > ----------
> > Random thought for the day:
> > 
> >     I'm not crazy!  I'm "reality impaired"...
> > 
> > 
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
> 


Tom Liston, GSEC
Network Administrator
Prem Magnetics, Inc.
tliston at premmag.com
tliston at hackbusters.net
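As an added example (not code from either poster), a small parser for the BigMouth log lines quoted in the thread that collapses repeats of the same source/destination/port tuple seen within a short window into one connection attempt, so the NG and ZA logs can be compared per attempt rather than per line. The 30-second window is an assumed value, and the sample lines are constructed from the excerpt (with one extra line using a different source port).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like the NetGear syslog lines in the thread;
# the last line is invented to show a separate attempt (new source port).
SAMPLE_LOG = """\
7-7-02 23:19:54  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF
7-7-02 23:19:48  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF
7-7-02 23:19:45  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF
7-7-02 23:40:02  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02410 dpo=01433]}S04>R01mF
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+)\s+(?P<host>\S+): "
    r"IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<proto>\w+) "
    r"spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\](?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict for one router line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%m-%d-%y %H:%M:%S")
    rec["spo"], rec["dpo"] = int(rec["spo"]), int(rec["dpo"])
    return rec

def group_attempts(text, window_s=30):
    """Sort records by time (the excerpt is newest-first) and merge lines with
    the same 5-tuple that arrive within window_s seconds of the previous one.
    Returns a list of (5-tuple, [timestamps]) in first-seen order."""
    recs = sorted(filter(None, map(parse_line, text.splitlines())), key=lambda r: r["ts"])
    attempts, last = [], {}  # last: 5-tuple -> index of its open attempt
    for rec in recs:
        key = (rec["src"], rec["dst"], rec["proto"], rec["spo"], rec["dpo"])
        idx = last.get(key)
        if idx is not None and (rec["ts"] - attempts[idx][1][-1]).total_seconds() <= window_s:
            attempts[idx][1].append(rec["ts"])
        else:
            attempts.append((key, [rec["ts"]]))
            last[key] = len(attempts) - 1
    return attempts

def attempt_summary(text):
    """(number of distinct attempts, per-attempt gaps in seconds between repeats)."""
    attempts = group_attempts(text)
    gaps = [[(b - a).total_seconds() for a, b in zip(ts, ts[1:])] for _, ts in attempts]
    return len(attempts), gaps
```

For the excerpt this yields one attempt with repeats 3 and 6 seconds apart plus the constructed second attempt, which is the per-attempt count to check against the ZA log.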



