
Re: [FW1] Alerts with alertf




Nice writeup and it helps confirm my hate of alertf.  It needs the smarts to not
only look at the rule but also what firewall sent that rule; and why oh why does
it place the alertf.log file in /usr/lpp/FireWall-1.fw/4.0.3.0 instead of
/usr/lpp/FireWall-1/log!!!


Lance Spitzner <lance@stan.ksni.net> on 08/31/99 10:24:09 PM

Please respond to Lance Spitzner <lance@stan.ksni.net>

To:   FW1 List <fw-1-mailinglist@lists.us.checkpoint.com>
cc:
Subject:  [FW1] Alerts with alertf

I've noticed some postings about "alertf", found in
$FWDIR/bin.  As it is not the best documented command,
I decided to play around with it.  Lo and behold, it's
pretty handy.  Actually, CheckPoint does an excellent
job of describing how to use this, you just need to
crack the code on the docs.  For your edification on
4.0:

mozart #/etc/fw/bin/alertf -h

The following program can be used to threshold the activity of an
alert in FireWall-1. The syntax of the command is:

   alertf N-seconds M-alerts alert-command arg#1 arg#2 arg#3 ....

for example:

        alertf 60 4 alert

will run the normal alert script if there are 4 or more alerts in
the last 60 seconds.

The program generate a log of all the alerts in the last N seconds in:

         ./alertf.log

In order to use alertf, insert it before the alert command in  the
"Properties" panel:

1) run fwui (or GUI client)
2) Open "Properties..."
3) From the "Categories" box select "Logging and Alerting"
4) Decide which alert type you want to modify. For example
   "User Defined Alert Command".
5) Replace the "alert" string with "alertf 20 3 alert"
   (this is just an example.)
6) Press "Apply"
7) Define a rule which you want to track and in "Track" box put
   "UserDefined" alert (the alert type should match step 5)
   for example:
    Any | Any | telnet | reject | UserDefined | Gateways
8) Test the rule: for example do telnet to the firewall.
9) All your telnet attempts will be logged but an audible alert
    will be generated only if you will do 3 or more  alerts in 20
    seconds.

Technical notes:

1) If you are testing alertf manually you have to remember that
   alertf accept a single line (of alert) each time it is run and
   therefore you should call the alertf repeatedly in order to see
   it working.
   An example of a manual test to alertf will be:

   echo rule1 | alertf 10 3 echo "Passed"

   You will have to enter the above line at least 3 times in 10
   seconds in order to see the message "Passed"

2) A new alert is decided to be identical to an old alert by
   comparing the rule number. It is therefore possible to pass the
   threshold by having several different connections if they all
   have passed through the same rule in the firewall's rule base.

   The rule number is found by searching for the last appearance
   of the string "rule" in the incoming alert message and then
   taken the number which is following it. If no such string is
   found then the rule number 0 is assumed

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
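The thresholding behaviour the help text describes (N seconds, M alerts, alerts matched by the number after the last "rule" string, 0 if none) is small enough to reproduce end to end. The following is an added example written for this archive; it is not alertf's source and not Check Point's code. It keeps the recent-alert log in memory instead of ./alertf.log, assumes that "the number following" "rule" may be separated from it by whitespace or punctuation and that a missing number also counts as rule 0, and the alert lines it feeds in are constructed to imitate FireWall-1 log text, not captured from a real firewall.

```python
import re
import sys
import time
from collections import deque
from typing import Optional


def rule_number(alert_line: str) -> int:
    """Return the rule number an alertf-style filter would assign to a line.

    Per the help text: locate the last occurrence of "rule" in the message and
    take the number that follows it; if "rule" does not appear, assume rule 0.
    Assumption (not stated in the help text): if "rule" appears but no number
    follows it, rule 0 is assumed as well.
    """
    idx = alert_line.rfind("rule")
    if idx == -1:
        return 0
    match = re.search(r"\d+", alert_line[idx + len("rule"):])
    return int(match.group(0)) if match else 0


class AlertThreshold:
    """In-memory stand-in for alertf's log of the alerts seen in the last N seconds.

    feed() records one alert line (alertf itself accepts one line per run) and
    reports whether the rule of that line has now produced M or more alerts
    inside the N-second window, i.e. whether the real alert command would run.
    """

    def __init__(self, n_seconds: int, m_alerts: int) -> None:
        self.n_seconds = n_seconds
        self.m_alerts = m_alerts
        self.log: deque = deque()  # (timestamp, rule number), oldest first

    def feed(self, alert_line: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        rule = rule_number(alert_line)
        self.log.append((now, rule))
        # Forget everything older than the window, as alertf does for its log.
        cutoff = now - self.n_seconds
        while self.log and self.log[0][0] < cutoff:
            self.log.popleft()
        # Alerts are "identical" when their rule numbers match, so different
        # source hosts hitting the same rule are counted together.
        same_rule = sum(1 for _, r in self.log if r == rule)
        return same_rule >= self.m_alerts


def demo() -> list:
    """Replay the "alertf 20 3 alert" scenario from the post on constructed lines.

    Returns one boolean per event: True where the alert command would fire.
    """
    threshold = AlertThreshold(n_seconds=20, m_alerts=3)
    # Constructed alert text; timestamps are seconds relative to the first event.
    events = [
        (0, "telnet reject src 10.0.0.5 dst fw rule 7"),
        (5, "telnet reject src 10.0.0.9 dst fw rule 7"),    # other host, same rule
        (8, "http accept src 10.0.0.5 dst web rule 12"),    # other rule, not counted
        (15, "telnet reject src 10.0.0.5 dst fw rule 7"),   # third rule-7 alert in 20 s
        (40, "telnet reject src 10.0.0.5 dst fw rule 7"),   # window expired, count restarts
    ]
    return [threshold.feed(line, now=ts) for ts, line in events]


if __name__ == "__main__":
    # Mimic the manual test from the post: one alert line per run on stdin.
    # Example:  echo rule1 | python3 this_file.py 10 3
    n, m = (int(sys.argv[1]), int(sys.argv[2])) if len(sys.argv) > 2 else (20, 3)
    single = AlertThreshold(n, m)
    line = sys.stdin.readline()
    if line:
        print("Passed" if single.feed(line.rstrip("\n")) else "below threshold")
    print(demo())  # prints [False, False, False, True, False]
```

Two properties worth noticing when you reason about what alertf will and will not suppress: the count is per rule, not per source, so a slow scan from several hosts through one rule accumulates toward the threshold, while a burst against two different rules never does; and the window is relative to the newest alert, so once it lapses the count starts again from one.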