Views: 18726 | Replies: 16

[m0n0] M0n0wall's log analysis system: WallWatcher

Posted 2005-7-18 18:36:35

WallWatcher runs on Microsoft Windows 98 and later. It collects, displays and analyzes log records from routers and firewalls. The following router brands are supported: 2Wire, 3Com, Airlink, Buffalo, Cisco, D-Link, Draytek, Gnatbox, Level One, Linksys, Lucent, m0n0wall, Netgear, Netscreen, ParkerVision, Smoothwall, Sonicwall, Speedstream, Symantec, US Robotics, WatchGuard, Westell, Xincom, and ZyXEL.


Introduction

Provides filtering, real-time alerts, emailed alerts, history analysis, summaries and charts
Filters the log records for the time span you choose, then displays, analyzes and charts them
Sounds an audible alarm in real time when a suspected intrusion occurs
History analysis lets you look up the intrusion attempts you have received recently
Simple installation and uninstallation

New users: download the two ZIP files, WallWatcher and its library, unzip them and run SETUP; WallWatcher will then start.
On m0n0wall or Coyote, set the (syslog) log server to the machine on which WallWatcher is installed.

[Screenshot]
(Some columns and data are Router model-dependent)

[Screenshot: history chart]
The green "bump" was the "SQL Slammer" worm attack in late January, 2003
You can select other time periods, other chart appearances, and other information

SAMPLE BANDWIDTH SUMMARY
[Screenshot]
(Availability of bandwidth usage information is router-dependent)

WALLWATCHER SUPPORTS THESE ROUTERS

    (and similar routers from the same manufacturers):

2Wire: 1000 HG, 1800HW, 1000SW
3Com: Office Connect
AirLink: AR410W
Buffalo: WBR-G54
Cisco: 831, SOHO 91, PIX 501
D-Link: DFL-80, DFL-200, DFL-300, DFL-500, DGL-4300, DI-604, DI-704UP, DI-804HV
Draytek: Vigor 2600, 2900
Gnatbox: 500
IPCop: (IPTables-compatible)
IPTables: many routers use variations of this standard
Level One: FBR-1412TX, FBR-1418TX, WBR-3402B
Linksys: BEF-series, WAG54G (ver 1 and ver 2), WRK54G, RV/WRV-series, WRT54GC, WRT54GP2; WRT54G (with Sveasoft or HyperWRT Firmware)
Lucent: SuperPipe 155
M0n0wall: version 1.1
Netgear: DG834GB, FR114P, FVS318, FVS328, FVS338, FVX538, FWAG114, FWG114P, RT314
Netscreen: 5GT, 5XT
ParkerVision: WR1500
Smoothwall: version 2.0
Sonicwall: TZ170
Speedstream: EN5100, EN5861
Symantec: 200R
US Robotics: 9106 (IPTables-compatible)
Watchguard: Firebox SOHO 6
Westell: Versalink 327W
Xincom: DPG 502
ZyXEL: 650H, 660HW, 2606HW, P334, Prestige 650H-E7, Prestige 653H1-11, ZyWall 2, ZyWall 5
SysLog (generic): if your router is not on this list, try IPTables. If that doesn't work, use 'SysLog (generic)' temporarily, until fuller support can be added.

ADDING SUPPORT FOR OTHER ROUTERS

    WallWatcher can be extended to support most routers that send log records to a local computer port, usually 514 (SysLog) or 162 (SNMPTrap).  If your router can do that, but is not already supported, you can collect some sample records with the downloadable Log Capture tool.  Review the brief guidelines in its "Readme", run the included program, and send the results to routers (at) wallwatcher.com.  The Capture program is not a log viewer or analyzer; it just collects information the author will need to add WallWatcher support for your router.  (No promises, but user-supplied sample data was the basis for supporting most of the 50+ routers on this list.)
  

PRICING

    WallWatcher is not "Freeware", but the current price is $0.00.  If this ever changes, it will not be retroactive and will not affect whatever version you've been using.

  

ADD-ONS


GETLOG

can show you what Linksys BEF-series Routers logged while your computer was turned off (if the Router was still on).  Its documentation includes a link to download the program.  It has basic support for the BEFSR-series, extended support for the BEFSX41, BEFVP41, and user-contributed extended support for the WAG54G (Version 1).  GetLog does not support other categories or brands of routers.
  

WW2DSHIELD

helps you submit log reports to DSHIELD.ORG.  Its documentation includes a link to download the program.
BETAS
Posted 2005-7-19 13:59:52
Thanks! I'm already using it and learning.

Posted 2005-7-20 10:38:45
It would be nice if there were a Chinese-localized version.

Posted 2005-8-1 15:43:05
QUOTE(张浩峰 @ Jul 20 2005, 10:38 AM)
It would be nice if there were a Chinese-localized version.

I searched for a long time and can't find anywhere to download it!
0day seems to have a cracked version, but I can't find a download location for that either!

Posted 2005-8-1 16:44:06
QUOTE(想得太美 @ Jul 18 2005, 06:36 PM)

PRICING

    WallWatcher is not "Freeware", but the current price is $0.00.  If this ever changes, it will not be retroactive and will not affect whatever version you've been using.

It should be free of charge now, so there's no need to look for a crack.

Posted 2005-8-1 21:35:55
QUOTE(samenlia @ Aug 1 2005, 04:44 PM)
QUOTE(想得太美 @ Jul 18 2005, 06:36 PM)

PRICING

    WallWatcher is not "Freeware", but the current price is $0.00.  If this ever changes, it will not be retroactive and will not affect whatever version you've been using.

It should be free of charge now, so there's no need to look for a crack.

Is there a Chinese-localized version?

Posted 2005-8-2 13:15:09
http://www.sonic.net/wallwatcher/
The download link is here.

Posted 2005-8-2 13:55:53
m0n0wall 1.2b9 and WallWatcher 3.23

do not work properly together!

Monomon has no problem monitoring the traffic!

The answer should be in here; I haven't had time to study it yet:
--------------------------------------------------------------------------------
To:  "WallWatcher Support"  
From:  "Quark IT - Hilton Travis"  
Subject:  RE: WallWatcher & m0n0wall
Date:  Sun, 13 Feb 2005 13:05:44 +1000

Hi Dan,

I've forwarded this also to the monowall-dev list to see if someone on
there can provide better answers than I can - I'm not totally clued up
on all aspects of m0n0wall, and totally clueless on others.  

I'll answer your last post inline...

--

Regards,

Hilton Travis                          Phone: +61 (0)7 3344 3889
(Brisbane, Australia)                  Phone: +61 (0)419 792 394
Manager, Quark IT                      http://www.quarkit.com.au
         Quark AudioVisual             http://www.quarkav.net

http://www.threatcode.com/

-----Original Message-----
> From: WallWatcher Support [mailto:support at wallwatcher dot com]
> Sent: Sunday, 13 February 2005 11:46
>
> Hi Hilton,
>
> Your m0n0wall records are different in several respects from the
> other samples I've seen:
>
>     1. the others tended to occur in pairs: LAN-to-Router, then
> Router-to-Remote.  WW reports the first one and ignores the
> second one.  I didn't see any such pairs in your samples.  It
> doesn't affect anything, just a difference.

This may be a result of my running 1.2b3 and your previous users running
version 1.1 of m0n0wall.  I hope someone on the m0n0wall list can
further comment on this.

>     2. some of the "flags" that indicate what was done with the
> packets are different in your samples than in the others.  For
> example, I don't know what your router did with the three
> packets reported by these two log records:
>
>    (1)
> Feb 13 00:08:25 ipmon[77]: 00:08:25.040616 ng0 @0:21 b
> 194.177.179.75,57347 -> 220.240.217.84,135 PR tcp len 20 48 -S IN
>
>    (2)
> Feb 13 00:08:33 ipmon[77]: 00:08:33.866907 ng0 @0:21 b
> 222.88.173.5,12056 -> 220.240.217.84,1026 PR udp len 20 668 IN
>
>    (3)
> Feb 13 00:07:40 ipmon[77]: 00:07:40.717625 sis0 @0:19 b
> 192.168.69.120,2753 -> 64.69.76.10,80 PR tcp len 20 40 -AF IN

Again, this may be because of later versions of the firewalling apps in
m0n0wall 1.2b3 compared to the 1.1 release, and again I hope someone
with more clue than I can help out here.

>     The first two came IN from the 'net.  The flag is "-S".  
> Based on previous samples, I believe the first one was dropped,
> and WW currently reports it that way: as an Inbound.

It was - according to the m0n0wall webGUI.  As it should have been.

>     The second one contains neither your real IP address nor any
> of your LAN addresses, but the "Length" fields indicate content
> beyond just headers.  There are no flags, which never occurred
> in other people's samples.  WW currently reports it as a dropped
> Inbound.

It, too, was and should have been dropped.

>     The third one is an Outbound from a LAN station to a Remote
> IP. The flags are "-AF", and I don't know what they mean.  WW
> currently reports it as a blocked Outbound.

That's weird - it appears to be a regular outbound packet to a web
server, so I have no idea why this was blocked.  I have also confirmed
that I have no firewall rules with this IP, and no firewall rules
blocking any traffic to any external web servers.  Unfortunately, due to
the limited logging capacity of m0n0wall, I cannot confirm what m0n0wall
saw this as.  

>     Last year, I did review some m0n0wall documentation, but its
> description of the status flags didn't necessarily match the data
> samples.  (They never do, regardless of the router.)  So, if you
> know what the flags actually mean, or what the router actually
> did with such records, please let me know.

Anyone got some info on this?  It'd be nice if the latest online
documentation matched the actual packages.  The issue - again - will be
if there's a big difference between m0n0wall 1.1 and m0n0wall 1.2b3.

>     Another point: other people's samples had a "blocked/passed"
> indicator; all of yours contain only a "blocked" indicator: the
> stand-alone letter "b".  ("p" would be "passed", of course).

Maybe my m0n0wall isn't reporting "passed" packets, or maybe it is just
a little constipated?    I have no issues browsing or anything else,
and don't otherwise notice blocked outbound traffic issues.

>     Combining all of these differences, WW finds no "passed
> Outbounds" (green "O"s) in your RAW files.  Since I'm sure you
> did some successful browsing and/or email checking while those
> samples were being collected, this means one of two things: the
> router is not reporting "passed" packets, or WW is not
> recognizing them.  (There aren't any "Passed Inbounds" either,
> but that's normal unless you're running a Server.)

We have an SMTP server here, so should be definitely seeing passed
:25/TCP traffic.  Unless,  of course, m0n0wall isn't reporting these to
WW.

>     Can you let me know which is the case?  If there are
> "passed Outbounds", can you tell me what their flags or other
> characteristics are?
>
> Regards,
> Dan Tseng
> http://www.wallwatcher.com
>
>
> ----- Original Message -----
> From: "Quark IT - Hilton Travis"
> Sent: Friday, February 11, 2005 11:58 PM
>
>
> > Hi Dan,
> >
> > Thanks for this.  It now seems to be consistent, the settings
> > I made originally have not been changed, but it is reporting
> > the traffic going in the wrong direction - it is seeing the
> > m0n0wall LAN as the WAN and its WAN as its LAN.  So, its
> > consistent, but now 100% wrong compared to the m0n0wall webGUI
> > interface, that is!  
> >
> > --
> >
> > Regards,
> >
> > Hilton Travis                          Phone: +61 (0)7 3344 3889
> > (Brisbane, Australia)                  Phone: +61 (0)419 792 394
> > Manager, Quark IT                      http://www.quarkit.com.au
> >          Quark AudioVisual             http://www.quarkav.net
> >
> > http://www.threatcode.com/  > into writing code that is acceptable for use on today's networks
> >
> > War doesn't determine who is right.  War determines who is left.
> >
> > > -----Original Message-----
> > > From: WallWatcher Support [mailto:support at wallwatcher dot com]
> > > Sent: Saturday, 12 February 2005 17:48
> > >
> > > Hi Hilton,
> > >
> > > Fixed: http://www.wallwatcher.com/WW.zip  (3.2.1501)
> > >
> > > 1. download the link to the WW folder
> > > 2. stop ww if it's running
> > > 3. unzip the download
> > > 4. restart WW
> > >
> > > Should be OK immediately, but check the Router menu to make
> > > sure the values are still correct.
> > >
> > > Please let me know one way or the other whether all is OK
> > > now.
> > >
> > > Regards,
> > > Dan Tseng
> > >
> > >
> > > ----- Original Message -----
> > > From: "Quark IT - Hilton Travis"
> > > Sent: Friday, February 11, 2005 11:00 PM
> > >
> > >
> > > Hi Dan,
> > >
> > > I'm running 3.2.14(11) and the router's LAN address is
> > > configured correctly.  Please find attached the files you
> > > requested.  I hope this helps locate and fix this bug.
> > >
> > > --
> > >
> > > Regards,
> > >
> > > Hilton Travis                          Phone: +61 (0)7 3344 3889
> > > (Brisbane, Australia)                  Phone: +61 (0)419 792 394
> > > Manager, Quark IT                      http://www.quarkit.com.au
> > >          Quark AudioVisual             http://www.quarkav.net
> > >
> > > http://www.threatcode.com/  > > into writing code that is acceptable for use on today's networks
> > >
> > > War doesn't determine who is right.  War determines who is left.
> > >
> > > > -----Original Message-----
> > > > From: WallWatcher Support [mailto:support at wallwatcher dot com]
> > > > Sent: Saturday, 12 February 2005 16:53
> > > >
> > > > Hi Hilton,
> > > >
> > > > It does look as though WW is sometimes reversing the local
> > > > and remote information. If you are running WW version
> > > > 3.2.13 or higher, please make sure the router's LAN
> > > > address on the ROUTER menu is correct, and change it if
> > > > it's wrong.
> > > >
> > > > If you're running an earlier version of WW, please
> > > > download the current version, stop WW if it's running,
> > > > unzip the download, restart WW (no SETUP needed), and
> > > > check that LAN address.
> > > >
> > > > If the LAN address is correct and the interfaces are
> > > > identified correctly, but WW continues to reverse the
> > > > information, please collect some data to send me:
> > > >
> > > > 1. on WW's SPECIAL menu, turn on 'Capture', then click OK.
> > > > 2. let WW run until you've seen some good and some bad
> > > > entries in the Events list.
> > > > 3. turn off 'Capture' and click OK
> > > > 4. send me (zipped, if possible):
> > > >
> > > >    * WallWatcher.Ini
> > > >    * RAW yyyy-mm-dd.DAT  (the date you do this; the RAW
> > > >      file will be in the main WW folder, not in the
> > > >      DATLOGS folder)
> > > >
> > > > Those files will let me recreate the error here and,
> > > > hopefully, correct it.
> > > >
> > > > Regards,
> > > > Dan Tseng
> > > > http://www.wallwatcher.com
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Quark IT - Hilton Travis"
> > > > To:
> > > > Sent: Friday, February 11, 2005 9:53 PM
> > > >
> > > >
> > > > Hi,
> > > >
> > > > I just came across WallWatcher when investigating software
> > > > options for Linksys WRT54G/GS WiFi routers.  It looks like
> > > > it could be quite useful as I have a m0n0wall firewall
> > > > here (version 1.2b3) on a Soekris net4501 embedded PC.  I
> > > > like the functionality, and the fact that this is nice,
> > > > small, and runs on Windows is a big bonus!  
> > > >
> > > > The one thing I have noted is that with my net4501 which
> > > > has 3 SIS LAN ports on board (sis0, sis1, sis2) is that no
> > > > matter what I put in as the LAN and WAN NICs, the display
> > > > that WallWatcher gives does not match with the log listing
> > > > that m0n0wall shows.  By default, sis0 is LAN, sis1 is
> > > > WAN and sis2 is DMZ - and this is definitely how my
> > > > net4501 is configured.  I double-checked the cabling and
> > > > the cabling matches this.  As does the "Interfaces" page
> > > > in the m0n0wall configuration.  I currently have an IP and
> > > > network assigned to the DMZ (sis2) but there is nothing
> > > > connected to this NIC.
> > > >
> > > > I have changed the interface assignment back to default,
> > > > cleared the WallWatcher display, and here's a screen
> > > > capture of the results. My m0n0wall's external IP is
> > > > 220.240.217.84 and its internal interface is assigned
> > > > 192.168.69.254/24 - the machine I'm running WallWatcher
> > > > on is 192.168.69.120/24.  Below this is a capture of the
> > > > same entries in the m0n0wall "Firewall" log, and below
> > > > that is a capture of the Interface assignment in m0n0wall.
> > > >
> > > > So, right now, I'm kinda stumped as to where to go from
> > > > here. I've tried using "sis2" in both WallWatcher fields
> > > > - basically tried all combinations - and haven't found a
> > > > combination that matches the output from m0n0wall.  Any
> > > > ideas, smacks in the side of the head, or whatever will be
> > > > appreciated.  
> > > >
> > > > - HiltonT

Posted 2005-8-2 19:57:44
I can't download it, and the images don't show either.

Posted 2005-8-10 15:27:43
I was just being dumb; with ana's help, this configuration worked!
------ On m0n0wall ------
Diagnostics -> Logs -> Settings -> check "Enable syslog'ing to remote syslog server" -> Remote syslog server -> enter your IP address
------ In WallWatcher ------
Options -> Router -> set the router interface names
If you connect via PPPoE, our WAN interface is ng0
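The ipmon records quoted in the e-mail thread above (the ng0 and sis0 lines with the b verdict and the -S / -AF flags) and the interface-name setting in the post just above come down to the same parsing job, so here is one added example, not WallWatcher's or m0n0wall's own code: a Python parser for m0n0wall's IPFilter (ipmon) syslog records that reads the verdict letter, expands the TCP flag letters, and decides inbound versus outbound from which interface logged the packet, since ipmon's IN/OUT is relative to that interface rather than to the LAN. The first three sample lines are the ones quoted in the thread; the fourth, with a p (passed) verdict and a syslog PRI prefix, is constructed. The interface names sis0 (LAN) and ng0 (PPPoE WAN) follow the thread; the label strings and function names are my own.

```python
"""Parse m0n0wall (IPFilter ipmon) syslog records and classify each packet the
way a log viewer must: blocked/passed, TCP flags, and direction relative to
the LAN. Added example, not WallWatcher or m0n0wall code."""
import re
from typing import Optional

# One ipmon record: "<date> ipmon[pid]: <time.usec> <iface> @group:rule <verdict>
# src,sport -> dst,dport PR <proto> len <iphdr> <total> [-FLAGS] IN|OUT".
IPMON_RE = re.compile(
    r"(?:<\d{1,3}>)?"                                    # optional syslog PRI
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) ipmon\[\d+\]: \S+ "
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[bpSnL]) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)"
    r"(?: (?P<flags>-[SAPFRU]+))? (?P<dir>IN|OUT)"
)

# ipmon verdict letters and TCP flag letters as ipmon prints them.
ACTIONS = {"b": "blocked", "p": "passed", "S": "short", "n": "nomatch", "L": "log"}
TCP_FLAGS = {"S": "SYN", "A": "ACK", "P": "PSH", "F": "FIN", "R": "RST", "U": "URG"}


def parse_ipmon(line: str) -> Optional[dict]:
    """Return the record's fields as a dict, or None if the line is not ipmon."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    # "len 20 668": IP header length, then total length; the difference is
    # what sits beyond the IP header (transport header plus payload).
    rec["len_beyond_ip_hdr"] = int(rec.pop("plen")) - int(rec.pop("hlen"))
    rec["verdict"] = ACTIONS.get(rec["action"], rec["action"])
    rec["tcp_flags"] = [TCP_FLAGS[c] for c in (rec["flags"] or "-")[1:]]
    return rec


def classify(rec: dict, lan_if: str, wan_if: str) -> dict:
    """Direction relative to the LAN, and which address is the local one.

    ipmon logs a packet on the interface it crossed, with IN/OUT relative to
    that interface: IN on the LAN port is a LAN host talking outwards, IN on
    the WAN port is the Internet talking to us."""
    iface, direction = rec["iface"], rec["dir"]
    if iface == lan_if:
        outbound = direction == "IN"
    elif iface == wan_if:
        outbound = direction == "OUT"
    else:
        return {"traffic": "unknown-interface", "local": None, "remote": None}
    local, remote = (rec["src"], rec["dst"]) if outbound else (rec["dst"], rec["src"])
    return {"traffic": "outbound" if outbound else "inbound",
            "local": local, "remote": remote}


def summarize(line: str, lan_if: str = "sis0", wan_if: str = "ng0") -> Optional[str]:
    """One-line event summary in the style of a log viewer's Events list."""
    rec = parse_ipmon(line)
    if rec is None:
        return None
    c = classify(rec, lan_if, wan_if)
    flags = "+".join(rec["tcp_flags"]) or "-"
    return (f"{rec['verdict']} {c['traffic']} {rec['proto']} "
            f"local={c['local']} remote={c['remote']} port={rec['dport']} flags={flags}")


# First three lines: the records quoted in the thread. Fourth: constructed,
# a passed (p) LAN-side record carrying a syslog PRI prefix.
SAMPLE_LINES = [
    "Feb 13 00:08:25 ipmon[77]: 00:08:25.040616 ng0 @0:21 b 194.177.179.75,57347 -> 220.240.217.84,135 PR tcp len 20 48 -S IN",
    "Feb 13 00:08:33 ipmon[77]: 00:08:33.866907 ng0 @0:21 b 222.88.173.5,12056 -> 220.240.217.84,1026 PR udp len 20 668 IN",
    "Feb 13 00:07:40 ipmon[77]: 00:07:40.717625 sis0 @0:19 b 192.168.69.120,2753 -> 64.69.76.10,80 PR tcp len 20 40 -AF IN",
    "<134>Feb 13 00:09:01 ipmon[77]: 00:09:01.000001 sis0 @0:3 p 192.168.69.120,2760 -> 64.69.76.10,80 PR tcp len 20 48 -S IN",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(summarize(line))
```

Run as-is, the third record comes out as "blocked outbound" with local=192.168.69.120, so the internal address is visible only in records logged on the LAN interface, while the two ng0 records carry nothing but the WAN address. Swapping lan_if and wan_if reverses every direction, which is exactly the symptom reported earlier in the thread, so when WallWatcher's display disagrees with m0n0wall's firewall log, check those two interface names before anything else. The -AF record is a FIN+ACK, the tail of a connection that was already closing, so a block verdict on it is a state-table miss rather than a policy rule firing.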

Posted 2005-8-14 15:42:09
The local IP shown is always the WAN port's, which isn't much use; can it be made to show the internal machines' IPs?

Posted 2005-9-8 15:09:18
How is SAMPLE BANDWIDTH SUMMARY used? It reports an error as soon as I start it.

Posted 2005-9-12 10:24:58
Tried it with smoothwall 3.0 successfully.

Posted 2005-9-15 10:45:37

SAMPLE BANDWIDTH SUMMARY reports that a directory cannot be found at startup; what should I do?
qq: 260118243

Posted 2005-10-26 17:57:14
Good stuff. Besides this one, what else offers the same functionality?

软路由 forum ( 渝ICP备15001194号-1 | 渝公网安备 50011602500124号 )
