mnwclient

Section: User Commands (1)
Updated: $Date: 2001/12/22 21:42:54 $
 

NAME

mnwclient - a Perl client for myNetWatchman  

SYNOPSIS

mnwclient [-c resource_file] [-l kernel_log_file] [-e errors_log_file] [-i interface]  

DESCRIPTION

mnwclient is a client for myNetWatchman.com written entirely in Perl. The script captures rejected-packet information from various firewall logs and forwards this attack information to http://www.mynetwatchman.com, which collects and collates attack data from registered "agents" and reports it to the respective IP's owner. myNetWatchman also provides various statistical data aggregated from the pool of agents, e.g. a "top ten list".

mnwclient runs as a daemon and is configurable via filter rules.  

STARTING MNWCLIENT

On SysV Init systems such as Redhat:

  /etc/rc.d/init.d/mnwclient [start|stop|restart|status]
On other UNIX variants, execute install.sh to install the components into the necessary directories, and then add to your rc.local file:

  /usr/sbin/mnwclient &
 

OPTIONS

-c resource_file
Specifies the configuration file that mnwclient will use. If this parameter is not specified, the default file, /etc/mnwclient.rc, will be used.
-l kernel_log_file
The log file to which the firewall logs rejected packet data. If not specified, the default location is /var/log/messages.
-e errors_log_file
The log file to which mnwclient logs error and success messages. If not specified, the default location is /var/log/mnwclient.log.
-i interface
Interface that is logged. If not specified, the default is ppp0.
 

CONFIGURATION FILE

Only a few directives are understood; they are as follows:

  log <string>[,<string>,...]
  errors <string>
  server <string>
  port <integer>
  proxy <string>:<integer>
  login <string>
  password <string>
  interface <string>
  chain <string>[,<string>,...]
  gmt <integer>
  retry <integer>
  interval <integer>
  dqinterval <integer>
  backoff <integer>
  maxbackoff <integer>
  fwdb <string>
  fwignore <address> netmask <netmask>
  addfw <string>
  delfw <string>
  addfwint <integer>
  delfwint <integer>
  usesql <string> [<database> <db_login> <db_password>]
  debug [<integer>]
  quiet
  test
  filter { ... }

Directives:

log
Full pathname of the system logfile; you may specify multiple log sources by using the comma as a delimiter. (default: /var/log/messages)
errors
Full pathname where to log client errors. (default: /var/log/mnwclient.log)
server
Web server to contact to send HTTP data. (default: www.mynetwatchman.com)
port
TCP port of web server. (default: 80)
proxy
If you are using a proxy server then specify it in the format of server:port. (ex: fcs00mia.mia.bellsouth.net:8080)
login
Your myNetWatchman login (required).
password
Your myNetWatchman password (required).
interface
Interface to capture data and forward attack information. This is normally your Internet bound interface (WAN), ppp0, eth0, etc. (default: ppp0)
chain
Name of the chain (in ipchains and others) that holds your input rulesets; this is normally the input ruleset. For iptables this is the log prefix. You may specify multiple chains by delimiting them with commas, which is useful for the IOS format, which may have multiple input rulesets. (default: input)
gmt
Correction offset in hours if GMT is not properly calculated. This shouldn't be necessary, but may be needed in some cases.
retry
Attempts to submit report before giving up. This only applies toward HTTP errors reported, socket errors are retried until successful.
interval
Seconds between scans of firewall logfile. (default: 60 seconds)
dqinterval
This is the dequeue interval. It is the seconds between uploads, or dequeues to server. (default: 1 second)
backoff
Back-off factor: the dequeue interval is multiplied by this value until it reaches the maximum backoff value. Upon a successful upload the 'backed off' value resets to the dequeue interval. (default: 3)
maxbackoff
Maximum backoff value in seconds, the dequeue interval will never exceed this amount when it is 'backed off'. (default: 600 seconds)
fwdb
Location and filename to store the firewall database. (default: /etc/mnwclient)
fwignore/netmask
Entries that will not be inserted into the firewall; you may specify this directive multiple times.
addfw
Command to be executed when an entry is to be added to the firewall. Use $SOURCE$ in command, this variable will be replaced by the attacker address that is downloaded.
delfw
Command to be executed when an entry is to be deleted from the firewall. Use $SOURCE$ in command.
addfwint
Interval in seconds when to refresh the attacker list.
delfwint
Interval in seconds to expire old attackers.
usesql
Invokes the SQL database insert code. Current valid parameters are pgsql, mysql, msql, and oracle; only pgsql and mysql have been tested. Additional parameters may be the name of the database, followed by the database login and the database password. See the contrib directory for the database table definition.
debug
If present, enables debugging output for actual web transaction. You may specify different levels of debugging information.
quiet
If present, quiets warning messages.
test
Simulates everything, but doesn't actually do any uploading.
filter
Filter rulesets, see 'Filter' directive below.
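The dequeue backoff (dqinterval, backoff, maxbackoff) and the firewall-update directives (fwignore, addfw, delfw with $SOURCE$) are easiest to see in code. The following Python is an added example written for this page and is not part of mnwclient: backoff_schedule() walks the dequeue interval through a run of failed uploads and a success using the documented defaults, and firewall_commands() expands $SOURCE$ in an addfw/delfw template for a list of downloaded attacker addresses while honouring fwignore. The ipchains command templates, the fwignore entries and the attacker list are constructed. Building each command as an argument list instead of handing the string to a shell, and refusing entries that are not a plain IPv4 address, are this example's own design choices: the attacker list is downloaded from the server, so it is validated before anything touches the firewall.

```python
import ipaddress
import shlex


def backoff_schedule(outcomes, dqinterval=1, backoff=3, maxbackoff=600):
    """Dequeue interval after each upload attempt in `outcomes` (True = success).
    A failure multiplies the wait by `backoff`, capped at `maxbackoff`; a success
    resets it to `dqinterval`. The defaults are the documented ones."""
    wait, waits = dqinterval, []
    for ok in outcomes:
        wait = dqinterval if ok else min(wait * backoff, maxbackoff)
        waits.append(wait)
    return waits


# Constructed directive values; the ipchains syntax is the example's, not a page default.
ADDFW = "/sbin/ipchains -I input -s $SOURCE$ -j DENY"
DELFW = "/sbin/ipchains -D input -s $SOURCE$ -j DENY"
FWIGNORE = ["10.0.0.0 netmask 255.0.0.0", "203.0.113.0 netmask 255.255.255.0"]
# Constructed attacker list as it might be downloaded; the last entry is deliberately malformed.
SAMPLE_ATTACKERS = ["198.51.100.77", "10.1.2.3", "203.0.113.5", "198.51.100.x"]


def parse_fwignore(entries):
    """'<address> netmask <netmask>' strings -> list of ip_network objects."""
    nets = []
    for entry in entries:
        addr, keyword, mask = entry.split()
        if keyword != "netmask":
            raise ValueError(f"bad fwignore entry: {entry}")
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def firewall_commands(template, attackers, ignore):
    """Expand $SOURCE$ in an addfw/delfw template once per attacker address.
    Returns (argv lists to run, skipped entries with a reason). Entries that are
    not a plain IPv4 address, or that fall inside an fwignore network, are skipped."""
    nets = parse_fwignore(ignore)
    argv_template = shlex.split(template)
    commands, skipped = [], []
    for raw in attackers:
        try:
            ip = ipaddress.IPv4Address(raw.strip())
        except ValueError:
            skipped.append((raw, "not an IPv4 address"))
            continue
        if any(ip in net for net in nets):
            skipped.append((raw, "matches fwignore"))
            continue
        commands.append([arg.replace("$SOURCE$", str(ip)) for arg in argv_template])
    return commands, skipped


if __name__ == "__main__":
    print(backoff_schedule([False] * 7 + [True]))
    cmds, skipped = firewall_commands(ADDFW, SAMPLE_ATTACKERS, FWIGNORE)
    for cmd in cmds:
        print("run: ", " ".join(cmd))
    for entry, why in skipped:
        print("skip:", entry, "-", why)
```

With the defaults, seven consecutive failures give waits of 3, 9, 27, 81, 243, 600, 600 seconds and the next success drops straight back to 1. Of the four constructed attacker entries only 198.51.100.77 produces a command; the two addresses inside fwignore networks and the malformed entry are reported as skipped.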

Filter Directive:

The filter directive contains a subset of directives that are only allowed inside it. It allows you to filter out information from the log file; if you did not want to report ICMP with port 0, for example, this is where you would do it. You must specify this directive as follows:

    filter {
       .
       .
       .
    }

The directives that are allowed between the braces are as follows:

    source <address> netmask <netmask>
    target <address> netmask <netmask>
    target <address> netmask <netmask> xchg <address>
    port <integer>                    (deprecated, use target port)
    port <integer> proto <type>       (deprecated, use target port)
    source port <integer>
    source port <integer> proto <type>
    target port <integer>
    target port <integer> proto <type>
    proto <type>

source/netmask
Both must be specified, in the given format: a source address followed by a netmask, each written in the normal four-part dotted-decimal format.
target/netmask
Both must be specified, in the given format: a target address followed by a netmask, each written in the normal four-part dotted-decimal format.
target/netmask/xchg
All parameters must be specified, in the given format: a target address, a netmask, and then the address to exchange it with, each written in the normal four-part dotted-decimal format. This allows you to report a different target address than the one that was actually hit; it should only be used where the firewall incorrectly reports the target address.
port
Still works, but deprecated. See target port.
port/proto
Still works, but deprecated. See target port/proto.
source port
Source port number that is filtered.
source port/proto
Source port and protocol that is filtered.
target port
Target port number that is filtered.
target port/proto
Target port and protocol that is filtered.
proto
Protocol that is filtered.
 

SAMPLE CONFIGURATION

One possible mnwclient.rc:

  log /var/adm/log/syslog
  login bob@null.net
  password sekret
  interface slip0
  filter {
    source 10.0.0.0 netmask 255.0.0.0
    source 211.0.0.0 netmask 255.0.0.0
    source 192.168.0.0 netmask 255.255.0.0
    target 192.168.0.0 netmask 255.255.0.0
    target 10.0.0.0 netmask 255.0.0.0
    source port 25 proto tcp
    target port 137
    target port 21 proto tcp
    target port 113 proto tcp
    proto icmp
  }
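As an added example, not code from the mnwclient distribution, the following Python parses the sample mnwclient.rc above, including its filter block, and applies the filter rules to a few constructed rejected-packet events. It assumes that a filter rule suppresses an event only when every condition written on that rule line holds, that the deprecated bare `port` form means `target port`, and that a `target ... xchg` rule rewrites the reported target rather than suppressing the event; the event dictionaries and their addresses are constructed for the example.

```python
import ipaddress

# Constructed input: the sample mnwclient.rc from the SAMPLE CONFIGURATION section.
SAMPLE_RC = """\
log /var/adm/log/syslog
login bob@null.net
password sekret
interface slip0
filter {
  source 10.0.0.0 netmask 255.0.0.0
  source 211.0.0.0 netmask 255.0.0.0
  source 192.168.0.0 netmask 255.255.0.0
  target 192.168.0.0 netmask 255.255.0.0
  target 10.0.0.0 netmask 255.0.0.0
  source port 25 proto tcp
  target port 137
  target port 21 proto tcp
  target port 113 proto tcp
  proto icmp
}
"""


def parse_filter_rule(line):
    """One line inside filter { ... } -> rule dict; unspecified parts stay None."""
    t = line.split()
    rule = {"side": None, "net": None, "port": None, "proto": None, "xchg": None}
    i = 0
    if t[0] in ("source", "target"):
        rule["side"] = t[0]
        if t[1] == "port":                        # source|target port N
            rule["port"], i = int(t[2]), 3
        elif len(t) >= 4 and t[2] == "netmask":   # source|target A netmask M [xchg X]
            rule["net"] = ipaddress.ip_network(f"{t[1]}/{t[3]}", strict=False)
            i = 4
            if t[0] == "target" and len(t) >= 6 and t[4] == "xchg":
                rule["xchg"], i = t[5], 6
        else:
            raise ValueError(f"bad filter rule: {line}")
    elif t[0] == "port":                          # deprecated form, same as target port
        rule["side"], rule["port"], i = "target", int(t[1]), 2
    elif t[0] != "proto":
        raise ValueError(f"bad filter rule: {line}")
    if i < len(t):                                # optional trailing 'proto <type>'
        if t[i] != "proto" or len(t) != i + 2:
            raise ValueError(f"bad filter rule: {line}")
        rule["proto"] = t[i + 1].lower()
    return rule


def parse_rc(text):
    """Top-level directives plus the parsed filter rules. 'log' and 'chain' become
    lists (comma-delimited); every other directive keeps its raw argument string."""
    directives, filters, in_filter = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_filter:
            if line == "}":
                in_filter = False
            else:
                filters.append(parse_filter_rule(line))
            continue
        key, _, rest = line.partition(" ")
        if key == "filter":
            in_filter = True
        elif key in ("log", "chain"):
            directives[key] = [s.strip() for s in rest.split(",")]
        else:
            directives[key] = rest.strip()
    return directives, filters


def rule_matches(rule, ev):
    """True when every condition present on the rule holds for the event."""
    if rule["proto"] and ev["proto"] != rule["proto"]:
        return False
    if rule["side"]:
        addr, port = (ev["src"], ev["sport"]) if rule["side"] == "source" else (ev["dst"], ev["dport"])
        if rule["net"] is not None and ipaddress.ip_address(addr) not in rule["net"]:
            return False
        if rule["port"] is not None and port != rule["port"]:
            return False
    return True


def apply_filters(ev, filters):
    """None when a rule suppresses the event; otherwise a copy of the event with
    any xchg rewrite of the target applied (assumption: xchg rewrites, never drops)."""
    ev = dict(ev)
    for rule in filters:
        if rule_matches(rule, ev):
            if rule["xchg"] is None:
                return None
            ev["dst"] = rule["xchg"]
    return ev


# Constructed rejected-packet events, as a firewall-log parser would hand them over.
SAMPLE_EVENTS = [
    {"proto": "tcp", "src": "211.5.6.7", "sport": 4000, "dst": "203.0.113.9", "dport": 80},      # source 211/8
    {"proto": "tcp", "src": "198.51.100.4", "sport": 51000, "dst": "203.0.113.9", "dport": 22},  # reported
    {"proto": "udp", "src": "198.51.100.4", "sport": 1234, "dst": "203.0.113.9", "dport": 137},  # target port 137
    {"proto": "udp", "src": "198.51.100.4", "sport": 1234, "dst": "203.0.113.9", "dport": 21},   # rule is tcp-only
    {"proto": "icmp", "src": "198.51.100.4", "sport": 0, "dst": "203.0.113.9", "dport": 0},      # proto icmp
    {"proto": "tcp", "src": "198.51.100.4", "sport": 25, "dst": "203.0.113.9", "dport": 1025},   # source port 25 tcp
]


def report_events(rc_text, events):
    """(src, dport) of every event that survives the rc file's filter block."""
    _, filters = parse_rc(rc_text)
    kept = (apply_filters(ev, filters) for ev in events)
    return [(ev["src"], ev["dport"]) for ev in kept if ev is not None]


if __name__ == "__main__":
    print(report_events(SAMPLE_RC, SAMPLE_EVENTS))
```

Run against the sample file, only two of the six constructed events would be uploaded: the TCP connection to port 22 and the UDP packet to port 21, the latter because `target port 21 proto tcp` is protocol-specific while `target port 137` is not. The check worth noting is the `proto` comparison on a port rule: it is what stops a tcp-only rule from silently suppressing udp traffic to the same port.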
 

ENVIRONMENT VARIABLES

TZ
Used to compute times relative to Coordinated Universal Time (UTC), formerly known as GMT. You may need to set this variable according to your local time zone if you find that you are reporting timestamps incorrectly. Alternatively you may use the 'gmt' directive to offset the timestamps.
 

FILES

/usr/sbin/mnwclient
/etc/mnwclient.rc
/etc/rc.d/init.d/mnwclient  

SIGNALS

TERM
Causes the client to exit and save firewall attack lists.
HUP
Causes the client to exit and unload firewall list from the firewall.
 

SUPPORTED FIREWALL LOGS

ipchains
Linux 2.2.x kernel firewall
iptables
Linux 2.4.x kernel firewall
ipfw
FreeBSD kernel firewall
ipfilter
NetBSD ipfilter firewall. Requires ipmon to be running; you must add the following line to your /etc/rc.conf file:

ipmon=YES ipmon_flags="-s"
PortSentry
Psionic PortSentry port scanner, works in conjunction with various UNIX firewalls, such as ipchains and ipfw.
Sonic Wall
Sonic Wall, hardware firewall (and more?). These are pretty much fully supported, but need more sample logs with m=32 (attacks).
Cisco IOS
Cisco IOS format, reported via syslog.
Zyxel Prestige 314/Netgear RT314
Zyxel/Netgear log format, reported via syslog. Netgear is apparently a Zyxel but branded with Netgear's name. This format should also include the 311-314 series for both brand names.
Cisco Secure PIX Firewall
Logging format used by Cisco Secure PIX firewalls via syslog.
Snort CSV log format
Supports Snort IDS by using the CSV logging plugin, with the following parameters:

# csv: logs packets in csv format
# -------------------------------
# Arguments are output filename, followed by field names
#
output csv: /var/log/snort/alert.csv proto,timestamp,src,srcport,dst,dstport,icmptype,icmpcode
Modified Snort CSV log format
This format supports a modified CSV logging plugin, which requires a patch and recompile of the Snort package. After rebuilding and installing the modified Snort, use the CSV logging plugin with the following parameters:

# csv: logs packets in csv format
# -------------------------------
# Arguments are output filename, followed by field names
#
output csv: /var/log/snort/alert.csv proto,timestamp,src,srcport,dst,dstport,icmptype,icmpcode,sig_generator,sig_id,sig_rev,ref_system,ref_id
The patches are available at http://glycerine.dyndns.org/linux/snort  
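As an added example, not from this page, from mnwclient or from Snort, here is a Python reader for Snort CSV alert lines laid out by an `output csv:` directive like the two above. It takes the field order from the directive itself, so the same reader handles the stock and the modified field list; the two snort.conf lines are the ones shown above, while the CSV rows, their timestamps and addresses are constructed for the example rather than real Snort output.

```python
import csv
import io

# The two snort.conf lines shown above: stock and modified field lists.
STOCK_DIRECTIVE = ("output csv: /var/log/snort/alert.csv "
                   "proto,timestamp,src,srcport,dst,dstport,icmptype,icmpcode")
MODIFIED_DIRECTIVE = ("output csv: /var/log/snort/alert.csv "
                      "proto,timestamp,src,srcport,dst,dstport,icmptype,icmpcode,"
                      "sig_generator,sig_id,sig_rev,ref_system,ref_id")

# Constructed alert rows in the stock layout; the third row is deliberately truncated.
SAMPLE_CSV = """\
TCP,12/22-21:42:54.123456,198.51.100.4,51000,203.0.113.9,22,,
ICMP,12/22-21:43:01.000001,198.51.100.4,,203.0.113.9,,8,0
UDP,12/22-21:43:05.000002,198.51.100.4,1234
"""


def csv_fields(directive):
    """(log path, field order) from an 'output csv: <file> <fields>' snort.conf line."""
    head, _, args = directive.partition(":")
    if head.strip() != "output csv":
        raise ValueError(f"not a csv output directive: {directive}")
    path, fields = args.split()
    return path, fields.split(",")


def parse_snort_csv(text, fields):
    """Rows -> event dicts keyed by the configured field names, with proto
    lower-cased and sport/dport as integers (0 where Snort leaves them blank,
    e.g. ICMP). Returns (events, rejected rows). A row whose column count does
    not match the field list is rejected rather than re-aligned, because a
    truncated line would otherwise attribute an address to the wrong side."""
    events, rejected = [], []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(fields):
            rejected.append(row)
            continue
        rec = dict(zip(fields, row))
        rec.update(proto=rec["proto"].lower(),
                   sport=int(rec["srcport"] or 0),
                   dport=int(rec["dstport"] or 0))
        events.append(rec)
    return events, rejected


if __name__ == "__main__":
    path, fields = csv_fields(STOCK_DIRECTIVE)
    events, rejected = parse_snort_csv(SAMPLE_CSV, fields)
    print(f"{path}: {len(events)} events, {len(rejected)} rejected rows")
    for ev in events:
        print(ev["proto"], ev["src"], ev["sport"], "->", ev["dst"], ev["dport"])
```

With the stock directive the first two constructed rows become a TCP event to port 22 and an ICMP echo (icmptype 8) with both ports reported as 0; the truncated third row is returned separately instead of being silently mis-parsed. Passing the field list from the modified directive makes the extra sig_* and ref_* columns available on each event dictionary without any other change.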

SEE ALSO

IPCHAINS(8), IP firewall administration  

BUGS

Some users may experience a hang in the client where it no longer uploads attack data. This is caused by a buggy IO module for Perl; it is recommended that you update your IO module to 1.20 or later. You can get the latest version from CPAN: go to http://www.cpan.org/modules/by-module/IO and download the latest IO package. It should be named IO-1.20.tar.gz. If you happen to discover a bug, please run the client with the following command:

export PERLDB_OPTS="nonstop autotrace frame=2 lineinfo=mnwclient.debug"; perl -d mnwclient &

Then send the client revision, the mnwclient.debug file, and any log files it was parsing when the client died to the author. The above command generates a log file named mnwclient.debug in your current working directory; monitor the size of this file periodically, as it grows very fast. If the bug has not occurred during the time frame captured by the debug log, you may 'cp /dev/null mnwclient.debug' to empty it.

NOTES

If you need more information on firewalls and using ipchains then refer to http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html, or various on-line references.

myNetWatchman is designed for those with full-time Internet connections, such as cable modem or DSL. It is also necessary that all significant unwanted connection attempts be logged. See http://www.mynetwatchman.com for requirements, registration, and other details.  

AUTHOR

Chad Wagner <wagnerch@bellsouth.net>


 


This document was created by man2html, using the manual pages.
Time: 23:46:06 GMT, April 09, 2002