Thread: pick your brains?

  1. #1 Senior Member (joined Nov 2001, 4,786 posts)


    I'm working on a plan to monitor all remote locations on a VPN. It's kinda silly I guess, but I'd like to make it work.

    What I had in mind was putting one of the free firewalls on each location and logging everything but blocking nothing. They're all behind Firebox SOHOs, so blocking or being the latest and greatest isn't an issue. Configure logging to send syslog messages to a syslogd in my office. There I can query the log in a number of ways. I now have the SOHOs set up to do this, which is really rather pointless, but I get bored and come up with these harebrained ideas.

    I have an old version of Tiny which would work great for this: set it up on one computer the way I want, then copy the ini to all.

    I'd like to get some feedback on this if I could. Maybe someone has a better idea. If it works and I can present useful reports, I can then convince them they need to buy the newest software to avoid the Boy Scouts of America's wrath (BSA), and if not, well, I had fun.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  2. #2 Senior Member (joined Sep 2003, 126 posts)
    Quick question: are you going to try to use real-time logging or a once-a-day download?

    If it works out, please post the results of your test.
    Have you ever noticed work is like a tree full of monkeys? You look down and all you see is monkeys below you, then you look up and all you see is a bunch of *******s above.

  3. #3 Senior Member (joined Nov 2001, 4,786 posts)
    I'm not sure what you mean by real time. As it is now, the Fireboxes send each message they create to the syslog server (Kiwi). The messages arrive in real time, if that's what you mean. I can view the syslog as it happens, but in order to query it I either have to wait until it archives or force an archive. Tiny and some of the others give you an option to give the address of a syslog server. The one server takes all messages from any host that's sending them. Kiwi allows you to format the archive output in a CSV format that's very flexible: you decide what fields you want and the delimiter type, or it can output to an Access database.

    I'll keep you posted. If this thread doesn't get any response I'll PM you the details if you like. If any others show interest, maybe I'll do a tutorial on the whole thing. I'm really not sure how I'm going to go with this: a VB/Delphi app to query, or maybe something else. I kind of like to go with the flow on these things, but I'll keep you posted.

  4. #4 Senior Member (joined Jul 2002, 339 posts)
    I think I'd be more interested if the messages went to a MySQL database in real time and I could query the database via CGI or PHP in my browser in real time. I have no objection to periodic CSV archiving and a standalone VB/Delphi query application, but hey, did I hear flexibility? You can also make some "technical view" vs "management view" reports.

    And yes, a tutorial would be great.

    Peace always,
    <jdenny>
    Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
    I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


  5. #5 Senior Member (joined Jan 2003, 3,914 posts)
    Hey Hey,

    I like both of your ideas, only combined. Here's what I'd do with it.

    You've got a Windows firewall that will send messages to a syslogd and you have a Windows syslogd. You want to keep this free and easy to operate and have it be flexible.

    You could use the setup as you have it planned and have Task Scheduler/at set up to automatically archive the files (or Kiwi, if it does it itself; I have no experience with the software). I like the idea of using Task Scheduler/at for one reason: you can schedule several commands to run consecutively. The first would be the archive command, output to CSV. The second command would be a single mysql command to a MySQL server. The command would be LOAD DATA, which allows you to load a CSV file into a MySQL DB. Have an IIS or Apache server with PHP running and design yourself a simple front-end to search, query and generate reports, or just use phpMyAdmin. However, your own front-end would give you more flexibility. You could easily just use a prepackaged bundle to save yourself time, such as phpdev.

    The way that I would want to go, however, is using Snort. You don't have to worry about the possibility that it may block certain things (I distrust a firewall unless I know I easily have direct access to it). Also, the nice thing about going with Snort, if you want to use the MySQL/PHP timeline, is that you can go with EagleX (an IDS front-end with Snort for Win32 and MySQL/Apache bundled) from Engage Security. It's a complete front-end, and it'll already connect to a MySQL database and update in real time. You could just point all your instances of EagleX to your PC's MySQL database. EagleX also comes with a rather cool front-end. It's designed as an IDS more than anything else, but I'm sure it'd serve your purpose. Or again, since you have your MySQL database, you could simply design your own front-end. You could even just have a single Snort rule to watch for everything, or you could break it down and already have your specifics.

    Just an idea, something for you to play with. I've got a lot of freetime, if you go that way, I'd be quite interested in helping you develop a frontend. Good luck with your project.

    Peace,
    HT

    PS. I hope this all makes sense, it's after 4am and I was at the bar all night.
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
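    The archive-to-CSV, LOAD DATA, query pipeline HT describes, as an added example that is not from any poster in this thread. It uses SQLite from the Python standard library as a stand-in for the MySQL server, and the CSV field order, the firewall message format and the log lines themselves are constructed assumptions.

```python
import csv
import io
import re
import sqlite3

# Constructed sample of a Kiwi-style CSV archive (field order and delimiter are
# an assumption; Kiwi lets you pick both). Fields: date, time, priority,
# sending host (the remote site's firewall), raw message.
SAMPLE_CSV = """\
2004-03-10,09:12:01,Local7.Info,10.1.1.1,fw: allow tcp 10.1.1.50:1043 -> 64.233.160.10:80
2004-03-10,09:12:05,Local7.Info,10.1.2.1,fw: allow tcp 10.1.2.22:1100 -> 64.233.160.10:80
2004-03-10,09:13:11,Local7.Warn,10.1.2.1,fw: deny tcp 203.0.113.9:4455 -> 10.1.2.22:135
2004-03-10,09:13:12,Local7.Warn,10.1.2.1,fw: deny tcp 203.0.113.9:4456 -> 10.1.2.22:445
2004-03-10,09:14:00,Local7.Info,10.1.3.1,fw: allow udp 10.1.3.7:2049 -> 10.0.0.5:53
"""

# Hypothetical message format: "<prefix>: <allow|deny> <proto> <src>:<sport> -> <dst>:<dport>"
MSG_RE = re.compile(r"(allow|deny) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)")

SCHEMA = """CREATE TABLE events (ts TEXT, prio TEXT, site TEXT, action TEXT,
    proto TEXT, src TEXT, sport INTEGER, dst TEXT, dport INTEGER)"""

def load_archive(csv_text, db_path=":memory:"):
    """Parse one CSV archive into a fresh events table (the LOAD DATA step); returns the connection."""
    conn = sqlite3.connect(db_path)
    conn.execute(SCHEMA)
    rows = []
    for date, time, prio, site, msg in csv.reader(io.StringIO(csv_text)):
        m = MSG_RE.search(msg)
        if not m:  # skip lines the message regex does not understand
            continue
        action, proto, src, sport, dst, dport = m.groups()
        rows.append((f"{date} {time}", prio, site, action, proto, src, int(sport), dst, int(dport)))
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn

def management_view(conn):
    """Per remote site: total events and how many of them were denies."""
    return conn.execute(
        "SELECT site, COUNT(*), SUM(action = 'deny') FROM events GROUP BY site ORDER BY site"
    ).fetchall()

def technical_view(conn):
    """Denied connections by site and destination port, busiest first."""
    return conn.execute(
        "SELECT site, dport, COUNT(*) AS n FROM events WHERE action = 'deny' "
        "GROUP BY site, dport ORDER BY n DESC, dport"
    ).fetchall()
```

    Point db_path at a file to keep the archives between scheduled runs; the same two queries are what a PHP front-end would issue against the MySQL table.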

  6. #6 thehorse13, Master-Jedi-Pimps0r & Moderator (joined Dec 2002, Washington D.C. area, 2,884 posts)
    Tedob,

    Seems that (from a management perspective) you will spend quite a bit of time on this which costs X number of soft dollars. Why not make the case to management and then go out and grab a set of ISS IDS devices (or something else to your liking)?

    Do I make sense?

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7 Senior Member (joined Nov 2001, 4,786 posts)
    TH13: not as much time as you might think with the things I'm talking about. And the only time I need authorization is when I spend money. If I ask for an expensive piece of software they don't understand, I'd get an "I'll think about it". They're, shall we say, rather frugal. When I first started there 5 years ago they only had five dial-up accounts. I begged and pleaded and finally got a DSL line. Started implementing this and that, and today we have a T1, DSL at all remote locations to support a country-wide VPN, with all reporting being done with web apps on an intranet. I gotta sneak up on these guys, then when they want more out of it tell them "well, to do that I'll need..."

    SQL might be a way to go down the road, but I'm not sure if Snort will give me the output I'm after. I remember it outputting more like tcpdump. Actually I'm sure that it will, but it might take too much time to get it to do what I want. I will play with it though. I downloaded it at home today, but I'm on a dial-up and can't get the input to see. But I did find out it can also output to a syslog daemon. A plus for this in my book is I can set it up on a computer at corp, compress the files I need and put it on the remote with the command-line install of WinPcap, and not have to interrupt any work in progress.

    Does anyone know the syntax to use in the config file for naming a remote syslogd? Their docs aren't that great.

    HT, I just might take you up on your offer. You seem to have much experience in this and I'm looking at the products you mentioned.

    Thank you all very much for your input.

  8. #8 Member (joined Mar 2004, 41 posts)
    Wow, that's awesome. Actually I've never really even looked into VPNs that much.
    As far as how they work and are configured, I should give it a try, because there isn't much I don't know about when it comes to computers. I think that's very interesting information.
    Would anybody recommend a site where I can read about VPNs?
    That would be helpful.
    PM me ASAP please.
    "If knowledge is power, why doesn't everybody read?"
