Firewall Wizards mailing list archives

Re: WebTrends Alternative


From: "daN." <dan () nesmail com>
Date: Sun, 12 Dec 1999 09:13:55 -0800

At 08:08 PM 11/24/99 -0500, Siglite wrote:
That's what I was thinking as well.  Push from the firewall out to an SQL box somewhere.  Where would be dictated by security / risk / policy.  The only way I can think of to do this, is a C executable run by cron (or 'at' in the case of NT) that would launch on user-defined intervals and push the data out.  The fun part is writing the executable that will open the sockets to the SQL boxes and push the data across in the proper formats.   Not being a big C guru, this would probably take me about half of forever to accomplish.  My forte would be more towards the front end of things.  Creating the reporting in ASP or CGI on the webserver.
        Why not send it across your DMZ with scp (an ssh file transfer protocol)? I run a cron job every hour that pushes firewall and my intrusion detection system logs to a central log repository and analysis station.  You definitely want to push the data out at regular intervals if you are moving it through the DMZ, otherwise an attentive hacker can tell what your rule sets are by when you send and don't send data. Run an scp transfer in a cron job every hour, then another cron job at the other end that puts the data into your SQL database (I use mySQL, but I have only a couple hundred thousand records). This way you don't need a second NIC (which is a pain if you have a dozen firewalls at different locations) and you don't need any big or complex coded solution.

        Check out the script fetchem.pl from the Shadow tarball for a great example of moving logs from one machine to another (if you haven't looked at Shadow yet as a secondary IDS you should; it's a great and free set of scripts for looking at IP headers).


Dan Steele
Network Administrator
WestNet Management Corp.
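The hourly push-then-load scheme Dan describes, as an added shell example (not his script, nor the Shadow fetchem.pl he points to). Log path, staging directory, remote target, database and table name are all assumptions; TRANSFER defaults to scp and can be pointed at another copy command for a local dry run.

```shell
#!/bin/sh
# Added example: ship firewall log lines to a central collector every hour.
# A batch is sent on every run, even when it is empty, so the transfer
# schedule reveals nothing about when the firewall was busy or quiet.
# Hypothetical paths and hosts: LOG_SRC, STAGE, REMOTE, DB.
set -eu

LOG_SRC="${LOG_SRC:-/var/log/firewall.log}"
STAGE="${STAGE:-/var/spool/logpush}"
REMOTE="${REMOTE:-loguser@loghost.example:/incoming}"   # placeholder target
TRANSFER="${TRANSFER:-scp -q}"
DB="${DB:-fwlogs}"

# Write the lines appended since the last run into a batch file and print
# its path. A byte cursor is kept instead of truncating the live log, so the
# logging daemon never has its open file cut from under it.
make_batch() {
    stamp="$1"
    mkdir -p "$STAGE"
    cursor="$STAGE/cursor"
    sent=$(cat "$cursor" 2>/dev/null || echo 0)
    size=$(wc -c < "$LOG_SRC" | tr -d ' ')
    if [ "$size" -lt "$sent" ]; then sent=0; fi   # log was rotated or truncated
    batch="$STAGE/fw-$stamp.log"
    tail -c +$((sent + 1)) "$LOG_SRC" > "$batch"   # empty file if nothing new
    echo "$size" > "$cursor"
    printf '%s\n' "$batch"
}

# Copy the batch to the collector; delete the local copy only on success.
push_batch() {
    $TRANSFER "$1" "$REMOTE" && rm -f "$1"
}

# Collector side (its own cron job): bulk-load one batch into MySQL.
# Assumes a table fwlog(host, line) and one record per log line with no
# tab characters; adjust the column list to the firewall's log format.
load_batch() {
    mysql --local-infile=1 "$DB" -e \
      "LOAD DATA LOCAL INFILE '$1' INTO TABLE fwlog (line) SET host='$2';"
}

# One firewall-side cron run, e.g.:  0 * * * * /usr/local/sbin/logpush.sh
run_once() {
    push_batch "$(make_batch "$(date -u +%Y%m%d%H)")"
}
```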
