From: Kris Kennaway <kris@obsecurity.org>
To: Ben <ben@cahostnet.com>
Cc: questions@freebsd.org
Date: Fri, 2 Mar 2001 00:27:44 -0800
Subject: Re: Firewall Monitoring
Message-ID: <20010302002744.A48587@mollari.cthul.hu>
In-Reply-To: <001f01c0a24d$9fcb3490$6102a00a@nhqadmin17>

On Thu, Mar 01, 2001 at 07:46:21AM -0500, Ben wrote:
> I have a 4.2-STABLE bsd server running ipfw and nat. I would like to
> monitor firewall activity on the box. What is the best way to do
> this? I would like to do this live, seeing packets as they travel to
> and from the firewall. I would also like to run monthly reports on
> the firewall, using log files of course. Any help will be appreciated.

If you're looking for something which reports suspicious traffic, you
can't go past snort (see ports collection) with the ArachNIDS ruleset
from www.whitehats.com/ids

It's not a firewall, but complements one by telling you exactly what
noteworthy packets were being sent your way, and recognising a wide
range of attack/probe signatures.

As for the firewall analysis, it's not that hard to parse information
out of the logs made from ipfw to syslog.

Kris
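The ipfw-to-syslog parsing Kris refers to, as an added example that is not part of the original thread: a small Python script that reads ipfw log lines, expands syslogd's "last message repeated N times" markers so bursts against one rule are not undercounted, and produces the kind of monthly summary Ben asked for (counts by action, by rule, top denied sources, denied destination ports). The line shape is assumed from the FreeBSD 4.x ipfw log format, and the sample log lines are constructed for the example.

```python
import re
import sys
from collections import Counter

# Assumed line shape for ipfw(8) "log" rules delivered through syslog on
# FreeBSD 4.x (an assumption; exact fields vary by version):
#   <Mon> <day> <hh:mm:ss> <host> /kernel: ipfw: <rule> <action> <proto>
#       <src>[:<port>] <dst>[:<port>] <in|out> via <iface>
IPFW_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+/kernel: ipfw: (?P<rule>\d+)\s+(?P<action>\w+)\s+"
    r"(?P<proto>[\w.:]+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)
# syslogd collapses identical consecutive messages into this marker; a report
# that skips it silently undercounts repeated hits on the same rule.
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")

# Constructed sample log (not real traffic); ICMP lines carry no ports.
SAMPLE_LOG = """\
Mar  1 07:46:21 gw /kernel: ipfw: 100 Deny TCP 10.0.0.5:1234 192.168.1.1:80 in via fxp0
Mar  1 07:46:22 gw /kernel: ipfw: 100 Deny TCP 10.0.0.5:1235 192.168.1.1:22 in via fxp0
Mar  1 07:47:01 gw /kernel: ipfw: 200 Accept UDP 192.168.1.10:53 10.0.0.9:1024 out via fxp1
Mar  1 07:48:13 gw /kernel: ipfw: 100 Deny ICMP:8.0 10.0.0.7 192.168.1.1 in via fxp0
Mar  1 07:49:00 gw /kernel: last message repeated 3 times
Mar  1 07:50:30 gw /kernel: ipfw: 100 Deny TCP 10.0.0.5:1236 192.168.1.1:23 in via fxp0
"""


def parse_line(line):
    """Return a dict of fields for one ipfw log line, or None if it is not one."""
    m = IPFW_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def parse_log(text):
    """Parse every line; expand 'last message repeated N times' into N copies
    of the previous ipfw record so counts reflect what actually hit the rule."""
    records = []
    last = None
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
            last = rec
            continue
        rm = REPEAT_RE.search(line)
        if rm and last is not None:
            records.extend(dict(last) for _ in range(int(rm.group("n"))))
    return records


def summarize(records):
    """Aggregate the parsed records into the counters a monthly report needs."""
    denied = [r for r in records if r["action"] == "Deny"]
    return {
        "total": len(records),
        "by_action": Counter(r["action"] for r in records),
        "by_rule": Counter((r["rule"], r["action"]) for r in records),
        "denied_src": Counter(r["src"] for r in denied),
        "denied_dport": Counter(
            f'{r["proto"]}/{r["dport"]}' for r in denied if r["dport"] is not None
        ),
    }


def format_report(summary, top=5):
    """Render the summary as plain text suitable for mailing or archiving."""
    out = [f"Total logged packets: {summary['total']}", "", "By action:"]
    out += [f"  {a:<8} {n}" for a, n in summary["by_action"].most_common()]
    out += ["", "By rule:"]
    out += [f"  rule {r:<6} {a:<8} {n}" for (r, a), n in summary["by_rule"].most_common()]
    out += ["", f"Top {top} denied sources:"]
    out += [f"  {s:<16} {n}" for s, n in summary["denied_src"].most_common(top)]
    out += ["", f"Top {top} denied destination ports:"]
    out += [f"  {p:<12} {n}" for p, n in summary["denied_dport"].most_common(top)]
    return "\n".join(out)


if __name__ == "__main__":
    # With a path argument, report on a real log; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(format_report(summarize(parse_log(text))))
```

Run it with the path of the file syslog writes ipfw messages to (on FreeBSD that is typically /var/log/security, as configured in syslog.conf) to get the monthly summary; a rotated log can be fed through the same script one file at a time. The expansion of "last message repeated N times" is the part most ad hoc grep-and-count scripts get wrong, and it matters most for exactly the bursty traffic a report is meant to surface.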