November 10th, 2001, 05:38 PM
ZoneAlarm Pro Logs
I need some program that sits between ZAPro and the internet (outside the firewall, not the local side of it) and logs EVERYTHING. ZAPro only gives me a log of 75 alerts at a time, and when it's full the logging of other alerts doesn't happen.
So, what I need is something that sits outside ZAPro and logs everything, but doesn't stop anything... I'll leave the actual firewalling to ZAPro, I just want a logging client that logs absolutely everything, including internet traffic that does get through, so that if ZAPro logs show something unusual, I can check the other logs for a fuller idea of what's been going on...
Also, I run Apache for Windows, serving a web site to my local network (on 10.x IP addresses). It does, however, seem to accept connections from the internet, even though ZAPro has been set to deny access to it from the net. The only way I've found of dealing with this is to block incoming connections to port 80 from computers in the "internet zone", but I'm not sure if even that works properly. Again, anyone got any suggestions?
Thanks in advance for your help!
November 10th, 2001, 07:31 PM
I would suggest setting up a snort session. www.snort.org
This will allow you to capture all/(or any that you choose) packets traversing your network.
Can't help with the zonealarm side, I use tiny personal software's firewall which logs all traffic on each machine per rules I create.
I'm not a BOT I'm a beer droid!
Prepare to be Assimilated.
November 10th, 2001, 07:47 PM
I think I've sorted out the ZA Pro Port 80 problem, just blocking Internet connections to 80 does work, but I was testing it from my own machine, which, of course, will also send the 10.x IP, so will be seen as local.
A ShieldsUp! test at www.grc.com didn't reveal port 80 open, so that's OK.
Thanks for the advice about snort, I'll (try to) use that to log everything now, so that in the event of a problem I can check those logs for more detailed info on what exactly was happening on the network.
My question now is does it know the difference between an internet connection and a LAN connection (i.e. can it be set to log LAN traffic to a different file than traffic through the dial-up adapter?)
Also, tiny personal software's firewall was an option I tried for a while alongside ZAPro, and I found that ZAPro came up with alerts and blocked stuff when tiny software's firewall just let it straight through... could've been my configuration of it, but the same thing was experienced with norton personal firewall... ZAPro blocked stuff that the others ignored...
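One way to get the LAN-versus-dial-up split asked about above is to post-process Snort's alert log rather than ask Snort itself to fan out to two files. The script below is an added example, not from any poster in this thread or from the Snort project; it assumes Snort's "alert fast" line layout, the 10.0.0.0/8 range from the thread as the LAN, and constructed sample alerts. It also lists Internet-zone connections that reached port 80 on a LAN host, which is exactly what the earlier port-80 test was trying to confirm the firewall stops.

```python
import ipaddress
import re

# Local range and web port taken from the thread (10.x addresses, Apache on 80).
LAN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WEB_PORT = 80
# Assumed Snort "alert fast" layout: ts [**] [gid:sid:rev] msg [**] [tags...] {PROTO} src[:p] -> dst[:p]
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[[^\]]*\]\s+)*\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    # Return a dict for one fast-alert line, or None if the line does not parse.
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None  # ICMP lines carry no ports
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec

def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def zone_of(rec):
    """'lan' only when both ends are local; anything else crossed the dial-up side."""
    return "lan" if is_lan(rec["src"]) and is_lan(rec["dst"]) else "internet"

def split_alerts(lines):
    """Sort alert lines into zone buckets; lines that do not parse are kept, not dropped."""
    buckets = {"lan": [], "internet": [], "unparsed": []}
    for line in lines:
        rec = parse_alert(line)
        buckets["unparsed" if rec is None else zone_of(rec)].append(line if rec is None else rec)
    return buckets

def internet_web_hits(buckets):
    """Internet-zone traffic that reached the LAN web port, i.e. what the firewall rule should block."""
    return [r for r in buckets["internet"] if is_lan(r["dst"]) and r["dport"] == WEB_PORT]

# Constructed sample alerts (not real captures): an Internet probe on 80, a LAN request, an ICMP ping.
SAMPLE_ALERTS = [
    "11/10-17:38:00.123456  [**] [1:1000:1] WEB-MISC probe [**] [Priority: 2] {TCP} 203.0.113.9:4021 -> 10.0.0.5:80",
    "11/10-17:38:05.000001  [**] [1:1001:1] LAN web request [**] [Priority: 3] {TCP} 10.0.0.7:1050 -> 10.0.0.5:80",
    "11/10-17:39:10.555555  [**] [1:1002:1] ICMP PING [**] {ICMP} 198.51.100.4 -> 10.0.0.5",
    "not an alert line",
]
```

Writing each bucket to its own file (for example snort-lan.log and snort-internet.log) is then a plain loop over `split_alerts(...)`, and the "unparsed" bucket tells you when Snort's output format has drifted from what the regex expects.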
November 11th, 2001, 02:46 AM
Okay, I ran Zone Alarm Pro for a couple years, and was extremely happy with it (still am!!). But after Code Red, Nimda and 600 hits in one day, I decided to increase my security.
I put in a Linksys router/firewall (still ran ZAPro, till I was satisfied).
Enabled 'logging' on the Linksys, and installed Wall Watcher to monitor what was happening. IP address, port, etc. are recorded for current viewing, and saved daily for later viewing.
BTW... my ZAPro had no limit to the number of inbound messages.