- General Information on Configuring Your Firewall to Work With DShield
- Agnitum Outpost
- Asante Friendlynet, D-Link and SMC Barricade routers using Routerlog
- D-Link DI-704P Router using Kiwi Syslog Daemon
- D-Link DI-804V Router using Kiwi Syslog Daemon (Also works with Asante FriendlyNet VR2004AC, VR2004C router)
- Kiwi Syslog Daemon
- Linksys Routers
- McAfee Personal Firewall
- Microsoft ISA
- Norton Internet Security and Personal Firewall 2002, and earlier
- Norton Personal Firewall 2003
- Norton Personal Firewall (Manual Export)
- Trend Micro PC-Cillin
- Smoothwall using Kiwi Syslog Daemon
- Sygate Personal Firewall
- Watchguard (using Kiwi Syslog Daemon)
- Windows XP Internet Connection Firewall (ICF)
- ZoneAlarm 3
GENERAL INFORMATION ON CONFIGURING YOUR FIREWALL TO WORK WITH DSHIELD
CVTWIN reads the firewall that your firewall program generates and writes somewhere on your hard disk. When you configure CVTWIN, you need to tell it two things:
- The name of the firewall (so that CVTWIN knows what converter to use.)
- Where the firewall logs is (so that CVTWIN knows what file to open.)
Important Note Some firewalls require that you do a manual procedure to "export" the firewall log before you run CVTWIN. If your firewall works like this, then you cannot set up CVTWIN to run automatically (as is otherwise indicated in the documentation.) Currently, this applies to Norton Internet Security (Norton Personal Firewall) and the Sygate Personal Firewall.
We have provided information on how to do this for certain firewalls. If your firewall isn't listed in this documentation, it is because we wrote the converter based on sample logs that a user submitted, but don't have any personal knowledge of using the firewall. So, look through the firewall's own configuration dialogs and find out where it writes its log. If you feel that the procedure is complicated enough that others would benefit from knowing how to do this, then please write to firstname.lastname@example.org and give us a brief summary of how to do this. Thanks.
There are two methods of exporting logs from Agnitum Outpost. First try this method:
First make sure that the log is in the required format
In the Agnitum Outpost Main Window, select Blocked in the left pane under My Internet, and then either F7 or click on Show Detailed Log in the right pane. From the View drop down menu select Add/Remove columns and make sure there is a tick every check box (for all fields that are required.) Check that the list is in the following order. This is the default order and the Reset button should leave them in this order. There are Move up and Move down buttons if you need to rearrange the field order.
Required fields are in bold
When finished, click OK. Select Customise from the View drop down menu and ensure that show port as bullet point is on a number and not on a name. Click OK.
Then export the log so that CVTWIN can convert it
Important! Agnitum Outpost doesn't log the date if it is the current day. CVTWIN, not being clairvoyant, will assume that a missing date is for the current day. So make sure to to convert immediatly after exporting. So that the date that CVTWIN adds will be correct.
In the Agnitum Outpost Main Window select Blocked in the left pane under My Internet then either F7 or click on Show Detailed Log in the right pane.
Right click on blocked connections (in the right pane) and select Export from the menu to export the file, enter a filename in the Save as... dialogue box and click OK. Configure CVTWIN to use this file.
(The Save As box defaults to c:\, which is a bit of a pain but I can't see how to change it.)
Thanks to John Ridd for these instructions.
If this doesn't work for you, then try this method:
Read this document.
Thanks to Xavier Forest for contributing this! Xavier adds this as a summary:
I think the best solution is to send the logs to DShield - during the current Web session - by copy/paste protect.log to a new folder , configure cvtwin to look for the new protect.log and send it.
But make sure to read the full instructions.
CVTWIN's Agnitum Outpost converter should work with logs that are exported using either of these methods.
ASANTE FRIENDLYNET, D-LINK, AND SMC BARRICADE ROUTERS USING ROUTERLOG
All of these routers share the same chipset and can use RouterLog to extract their logs into a diskfile. Get RouterLog from http://homepage.ntlworld.com/nitech/routerlog/ Install RouterLog and configure it to
[x] Auto-Start Session [ ] Alert on Intrusion [x] Log intrusion only [x] Log to file (router) [x] Run animation until [x] Remember last date [x] Launch at Windows startup [x] Include GMT in Log file [x] Windows Format
It should produce log lines that look like:
January 05, 2002, 05:14:14 PM - Unrecognized access from 126.96.36.199:110 to TCP port 13647 ( 2002/01/06 - 01:14:14 GMT )
Edit -> Configure in CVTWIN and select "RouterLog" and set the Logfile to point to the file that RouterLog produces.
Make sure to use attack-list.csv as the log file to convert. Look for it in "C:\Program Files\Network Ice\BlackIce"
SMOOTHWALL USING KIWI SYSLOG DAEMON
You must configure Smoothwall so that it logs to an external syslog. To do this, open a shell to your Smoothwall. You can do this from the web interface. Or SSh to your Smoothwall machine using port 222. Change to /etc (cd /etc) Edit syslog.conf (joe syslog.conf) and addkern.info @192.168.1.xxx
to the end of syslog.conf. @192.168.1.xxx is the IP address of the machine that is running Kiwi Syslog Daemon. Make sure to use tabs and not spaces between kern.info and @192.168.1.xxx Save and exit (Ctrl-KX) Close the shell and restart Smoothwall.
Now install Kiwi. Check Rules/Actions/Log to files to see that it is configured to use the
"Kiwi format ISO yyyy-mm-dd (Tab Delimited)" log format (the default.) Kiwi should now be logging your Smoothwall logs.
When you configure CVTWIN, the default location for Kiwi's log is
Thanks to Paul Doig for helping with this.
Your router must be installed and working. Go into the configuration panel ( http://192.168.1.1 ) and click on the "Log" tab. Check "Enable". Then set the IP address to the address of your computer.
(If you don't have a "Log" tab, or if you can't get it to work, then you probably need to upgrade your router's firmware. Go to Linksys's web site and follow the directions there to upgrade your firmware.)
You have a choice between using SNMP Trap Watcher, Kiwi Syslog Daemon, or the Linksys LogViewer to capture the log information from your router and write it to a disk file. They all work--the difference is whichever one you prefer.
LINKSY ROUTER WITH KIWI SYSLOG DAEMON
Information on setting up Kiwi Syslog Daemon to work with a Linksys router is here.
LINKSYS ROUTER WITH LOGVIEWER
If you want to use Linksys LogViewer, download it from ftp://ftp.linksys.com/pub/befsr41/logviewer.exe Download and run logviewer.exe to install. It will show up in your start menu as "LogViewer"
Start LogViewer and click on "Save Logs." Make sure that "Append the logs to the existing file" and "Automatically save the logs into the files" are checked. Change the file sizes for the incoming and outgoing files to as large as you can. Uncheck "stop logging when logs exceed the specified filesize." Note the path/filename of the incoming filename so that you can enter it in CVTWIN's configuration dialog.
Start CVTWIN. Select "Edit/Configure" and change the firewall to "Linksys LogViewer" Use the Browse button to open the file dialog and select the "Incoming" LogViewer file. Let LogViewer run until there are entries in the Incoming log. Then you should be able to use CVTWIN to convert to DShield format. See the CVTWIN docs, above, for other information.
Note: When you check "Append the logs to the existing file" and "Automatically save the logs into the files" in Logviewer, it is *supposed* to do this. But it might not. You might have to manually start LogViewer and go into "Save Logs" and click on "OK" before it actually appends the most recent log lines to the log file on disk. You might have to do this once a day. If this becomes a problem, you might consider switching to SNMP Trapper, below.
Important Note: When Logviewer logs exceed the size that is set in LogViewer's "Save Logs.../Incoming Filesize", Logview will stop stop saving logs. You must stop Logviewer by right clicking on its taskbar icon and select "Exit." Then rename or delete Incoming.log and Outgoing.log in C:\Program Files\LogViewer\. Then restart LogViewer.
LINKSYS ROUTER WITH SNMP TRAPPER
SNMP Trapper is a free application that is available from http://www.bttsoftware.co.uk/snmptrap.html Download the Zip file and unzip it in a directory. This documentation will assume that you unzip it in C:\SNMPTrap. Create a shortcut to SNMPTRAP.EXE Start SNMPTRAP.EXE.
In the 'Log' tab of the Linksys configuration panel, click on "Apply". If SNMP Trap is working then it should display "system is ready" And "system is warm start". SNMP Trap should now start logging any accesses that your router detects (and blocks). But you need to configure SNMP Trap to save the log to a disk file.
Click on Settings/Setup. Make sure that "Log Traps to a file" is checked. Change "Maximum Entries" to a high number (5,000, or so.) (Optional. You may want to check "Enable Specfic Filtering". Switch to the Filter Options" panel and add '@out' and set it to exclude so you aren't logging your own outgoing activity.)
SNMP Trap Watcher should now be "trapping" the log activity that your router is creating. It also should be writing this log to a disk file. CVTWIN will do the rest of the job of reading this log file and submitting new entries to DShield. Choose "Linksys" in CVTWIN to use SNMP Trapper logs.
MCAFEE PERSONAL FIREWALL
Versions 3 and earlier
Supports the current (Version 3) version in addition to the previous version. Select "McAfee Version 3" for the version 3. Use "McAfee (Older)" for previous versions.
For the newer version, select a log file with a file name that looks like "Archive01-03-02.elog." Look for this file in the "C:\Program Files\McAfee.com\Personal Firewall\Archive" directory.
Version 4 and newer
You must manually export your log to an ASCII file. Then configure CVTWIN to use the log you just exported. Select "McAfee Version 4". Note that because you must manually export your log each time, you can't put CVTWIN on the Windows Task Scheduler.
NORTON INTERNET SECURITY AND FIREWALL
Documentation on how to configure Norton to work with CVTWIN is here
Trend Micro PC-Cillin
In Edit/Configure, set Firewall to "PC-Cillin."
PC-Cillin writes a separate log file for each day. CVTWIN knows about this and will look for files that are named according. The sticky part is that CVTWIN was designed such that the 'Logfile' field (above) must contain a known path and file. This creates a problem if you use one of these filenames as 'Logfile', because the filenames are created anew each day and old ones are very likely are erased (eventually.)
The workaround is to create a dummy 'placeholder' file in the directory that PC-Cillin will create its log files. CVTWIN will use the path part of the 'Logfile' setting to find the directory where the log files are. If CVTWIN autoconfigured itself correctly this dummy file will have already been created (and should appear in the 'Logfile' field.)
SYGATE PERSONAL FIREWALL
- Export traffic log when you open up the traffic log. Name
the log, and put it in anywhere you wanna store. My
recommendation is to make a folder named "logs" under "My
Documents", and then throw the logfile into the folder.
- Open up the Dshield client and modify those parameters:
- Last saved rule date/time ... What are converted in the last
conversion. This should be automatically set when you send the log to email@example.com, but it is good to verify this, because this date/time is compared agains when CVTWIN is processing, so that it doesn't send in log lines that you have already sent in.)
- SMTP Server: IP or FQDN of the server you use as SMTP. (The same thing that your email program is configured to use as it's SMTP server to send email.)
- Type... Sygate (dropdown list)
If you need, you can login to DShield and check.
- Thanks to Kenji Yamamoto for contributing this.
WINDOWS XP INTERNET CONNECTION FIREWALL (ICF)
Information on setting up Windows XP Internet Connection Firewall (ICF) is here.
Information on setting up ZoneAlarm is here.
Return to the CVTWIN Documentation page.