FireWall.net - Guide to install & configure a PC FireWall
 Remote Realtime Monitoring for ConSeal
Author: Oleg V. Golub (---.ll.net.ua)
Date:   06-07-01 12:08

I want to offer the new product to your attention. It seems it may
interest the managers of networks protected with ConSeal PC Firewall.

You can get it from:
http://members.digitalrice.com/hslab/Downloads/cslv2.zip
http://hslab.narod.ru/Downloads/cslv2.zip
http://www.taftplay.com/Downloads/hslab/cslv2.zip
http://hslab.chat.ru/Downloads/cslv2.zip

Details:

ConSeal Log View



1. What is ConSeal Log View
1.1 Program features
2. System requirements
2.1 How it works
3. Working with the program
3.1 Connecting to the log file
3.2 Reviewing an arbitrary file
3.3 Saving the log file
3.4 Program options
3.4.1 Set-up of color selection
3.4.2 Set-up of event filtering
3.4.3 Set-up of service replacement
3.4.4 Set-up of the attacks analyzer


1. The program is intended for remote monitoring of the events of
ConSeal PC Firewall (CSPCFW) version 2.x in real time, for statistical
analysis of connections, and for analysis of possible attacks on the
defended system. CSPCFW is an excellent program, but it lacks even
elementary means of remote access to the results of its operation,
which creates definite disadvantages in usage. ConSeal Log View
eliminates this disadvantage and adds a number of new useful
possibilities indispensable for network managers.

1.1 The program allows you to:
· view CSPCFW events on a remote computer in real-time mode;
· view CSPCFW log files saved earlier;
· save log files in Rich Text format;
· apply color selection to different types of traffic;
· filter events both by traffic type and by the presence of a
substring;
· keep statistics on connections through CSPCFW;
· replace port numbers with the names of standard or
user-defined services;
· analyze probable Trojan and other attacks, including
attacks defined by the user.

2. The principle of operation of the program is simple: it reads the
CSPCFW log file from the remote computer and then analyzes it in real
time.
The program can do this in two ways. The first requires the name
of the server on which CSPCFW runs. The program finds the local path
to the log file in the registry and reads it through the UNC path
\\SERVER_NAME\DRIVE_NAME$\FIREWALL_DIR. The second requires the path to the directory holding the log file on a local or network drive.

2.1 For operation the program requires Windows NT/2000 and the rights of a
member of the Administrators or Domain Admins group on the server with CSPCFW (it was not tested on Win9x/Me, for understandable reasons, and may not work correctly there). When connecting to a shared directory, only read rights on the log file are needed. The RAM requirement depends on the size of the log file; files of 10000-15000 lines (1.5-2 M)
require about 4-5 M. It is recommended to archive and delete the file
from the CSPCFW directory at the end of each working day, to improve
the performance of the program and for convenience of
analysis. This procedure is easily automated; everything needed for this is in the file FireWallLogArc.zip. CSPCFW should run on Windows NT/2000 (when CSPCFW runs on Win9x/Me the program may not work correctly).

3. Operation of the program is simple and intuitively clear.
Conditionally
it can be divided into several parts:
3.1 First it is necessary to connect to the CSPCFW log file. For
this purpose, enter the name of the server on which CSPCFW runs and click the "Connect" button, or indicate the path to the log file using the "Open LogFile" button. If the file is already large, some time will be needed for processing, after which the program proceeds to real-time processing.
3.2 It is possible to save the file processed by the program in Rich
Text format, preserving the color selection. For this purpose the "Save
LogFile" button is used.
3.3 The program allows handling and parsing files for other days. For this
purpose the "Open LogFile" button can be used.
3.4 The options of the program are minimal, but at the same time provide
sufficient flexibility and convenience in operation.
3.4.1 Color selection allows the distribution of traffic by type to be
presented more visually.
The program allows the following sorts of traffic to be marked with
different colors:
· incoming allowed;
· incoming locked;
· outgoing allowed;
· outgoing locked.
The procedure for choosing colors is clear and does not need additional
explanation.

3.4.2 Filtering of events is possible both by traffic type and by the presence
of a given substring in the event. Filtering by traffic type allows the following
events to be filtered:
· incoming allowed;
· incoming locked;
· outgoing allowed;
· outgoing locked.
All types together or in any combination, combined by OR. Besides this,
filtering of traffic by the presence of given substrings (combined by OR) is
possible.
3.4.3 The program essentially improves the perception of CSPCFW events through
the mechanism of substituting the names of standard or user-defined services for port numbers. With the substitution mechanism active, the browser will show "HTTP (80)" instead of "dport=80". Defining your own services is a simple and understandable procedure.
3.4.4 The analytical possibilities of the program are extended by
the mechanism for analyzing attacks on the defended system.
The program is capable of detecting suspicious activity on specific ports.
Detection of Trojan programs working in the network and other sorts of
attacks is thus possible. The user can independently define a specific type of
attack and receive messages about this attack. The procedure for defining
attacks is similar to the procedure for defining services.


Regards!
Oleg V. Golub
E-mail [email protected]
WWW http://hslab.8m.com/
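The following is an added example and not part of Oleg's post or of ConSeal Log View itself. It shows, in plain Python, the four analysis steps the post describes for the log viewer (sections 3.4.1 to 3.4.4): classifying each event as incoming/outgoing and allowed/locked and assigning it a color, OR-combined filtering by traffic type and by substring, substituting service names for `dport=` values, and counting hits on user-defined watched ports as the attack analyzer does. The post does not document the CSPCFW log layout beyond the `dport=80` field, so the `date time ACTION DIRECTION key=value ...` line format, the sample lines, the color names and the watched ports are all constructed assumptions for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log. The post only reveals that CSPCFW writes fields such
# as "dport=80"; the surrounding date/action/direction layout is an assumption.
SAMPLE_LOG = """\
06-07-01 12:01:03 ALLOW IN proto=tcp src=10.1.2.3 sport=1034 dst=10.1.2.10 dport=80
06-07-01 12:01:05 BLOCK IN proto=tcp src=192.0.2.7 sport=4321 dst=10.1.2.10 dport=12345
06-07-01 12:01:07 ALLOW OUT proto=tcp src=10.1.2.10 sport=1035 dst=198.51.100.9 dport=25
06-07-01 12:01:09 BLOCK OUT proto=udp src=10.1.2.10 sport=1036 dst=198.51.100.9 dport=31337
06-07-01 12:01:11 BLOCK IN proto=tcp src=192.0.2.7 sport=4322 dst=10.1.2.10 dport=12345
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|BLOCK) (?P<direction>IN|OUT) (?P<rest>.*)$"
)

# Standard service names (section 3.4.3); a user-defined service is just another entry.
SERVICES: Dict[int, str] = {25: "SMTP", 80: "HTTP", 443: "HTTPS"}

# One color per traffic type (section 3.4.1); names are placeholders for GUI colors.
COLORS = {
    "incoming allowed": "green",
    "incoming locked": "red",
    "outgoing allowed": "blue",
    "outgoing locked": "orange",
}

# User-defined attack definitions (section 3.4.4): destination ports that raise an
# alert. Ports and labels are constructed for this example.
WATCHED_PORTS: Dict[int, str] = {12345: "user-defined attack A", 31337: "user-defined attack B"}


@dataclass
class Event:
    raw: str
    allowed: bool
    incoming: bool
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def traffic_type(self) -> str:
        """Map the event onto one of the four traffic types the post uses."""
        direction = "incoming" if self.incoming else "outgoing"
        state = "allowed" if self.allowed else "locked"
        return f"{direction} {state}"


def parse_line(line: str) -> Optional[Event]:
    """Parse one line; lines that do not match the assumed layout are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return Event(
        raw=line.strip(),
        allowed=m.group("action") == "ALLOW",
        incoming=m.group("direction") == "IN",
        fields=fields,
    )


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev is not None]


def replace_ports(line: str, services: Dict[int, str] = SERVICES) -> str:
    """Rewrite 'dport=80' as 'HTTP (80)' for known services; unknown ports stay as-is."""
    def sub(m):
        port = int(m.group(1))
        return f"{services[port]} ({port})" if port in services else m.group(0)
    return re.sub(r"dport=(\d+)", sub, line)


def filter_events(events, types=None, substrings=None) -> List[Event]:
    """Traffic types are OR-combined and substrings are OR-combined (section 3.4.2);
    when both filters are given an event must pass both (an assumption here)."""
    out = []
    for ev in events:
        if types and ev.traffic_type not in types:
            continue
        if substrings and not any(s in ev.raw for s in substrings):
            continue
        out.append(ev)
    return out


def connection_stats(events) -> Dict[str, int]:
    """Count events per traffic type (the 'statistics on connections' feature)."""
    return dict(Counter(ev.traffic_type for ev in events))


def analyze_attacks(events, watched: Dict[int, str] = WATCHED_PORTS) -> Dict[int, int]:
    """Count hits per watched destination port; any non-zero count is an alert."""
    hits: Counter = Counter()
    for ev in events:
        port = ev.fields.get("dport")
        if port is not None and port.isdigit() and int(port) in watched:
            hits[int(port)] += 1
    return dict(hits)


def render(events) -> List[str]:
    """Display lines: color tag plus the line with service names substituted."""
    return [f"[{COLORS[ev.traffic_type]}] {replace_ports(ev.raw)}" for ev in events]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for shown in render(evs):
        print(shown)
    print("stats:", connection_stats(evs))
    for port, n in analyze_attacks(evs).items():
        print(f"ALERT {WATCHED_PORTS[port]}: {n} event(s) on dport={port}")
```

To use it against a real file in the way section 2 describes, replace `SAMPLE_LOG` with the contents read from the UNC path or local directory; reading the file incrementally (only lines appended since the last pass) is what keeps the real-time mode cheap on the 10000-15000 line files the post mentions.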

This site is copyright © Chryjs 1999-2001, all copies forbidden.