mnwclient is a client for myNetWatchman.com written entirely in Perl. It captures rejected-packet information from various firewall logs and forwards this attack information to http://www.mynetwatchman.com, which collects and collates attack data from registered "agents" and reports it to the owner of the offending IP address. myNetWatchman also publishes statistics aggregated from the pool of agents, e.g. a "top ten" list.
mnwclient runs as a daemon and is configurable via filter rules.
Where the init script has been installed, control the daemon with:

/etc/rc.d/init.d/mnwclient [start|stop|restart|status]

On other UNIX variants, execute install.sh to install the components into the necessary directories, and then add to your rc.local file:
/usr/sbin/mnwclient &
log <string>[,<string>,...]
errors <string>
server <string>
port <integer>
proxy <string>:<integer>
login <string>
password <string>
interface <string>
chain <string>[,<string>,...]
gmt <integer>
retry <integer>
interval <integer>
dqinterval <integer>
backoff <integer>
maxbackoff <integer>
fwdb <string>
fwignore <address> netmask <netmask>
addfw <string>
delfw <string>
addfwint <integer>
delfwint <integer>
usesql <string> [<database> <db_login> <db_password>]
debug [<integer>]
quiet
test
filter { ... }
Directives:
The filter directive contains a subset of directives that are only allowed inside it. It lets you filter information out of the log file before it is reported; if, for example, you did not want to report ICMP entries that show port 0, this is where you would do it. You must specify this directive as follows:
filter { . . . }
The directives that are allowed between the braces are as follows:
source <address> netmask <netmask>
target <address> netmask <netmask>
xchg <address>
port <integer>                      (deprecated, use target port)
port <integer> proto <type>         (deprecated, use target port)
source port <integer>
source port <integer> proto <type>
target port <integer>
target port <integer> proto <type>
proto <type>
One possible mnwclient.rc (note that it holds the account password in clear text, so keep the file readable only by the user the daemon runs as):

log /var/adm/log/syslog
login bob@null.net
password sekret
interface slip0
filter {
    source 10.0.0.0 netmask 255.0.0.0
    source 211.0.0.0 netmask 255.0.0.0
    source 192.168.0.0 netmask 255.255.0.0
    target 192.168.0.0 netmask 255.255.0.0
    target 10.0.0.0 netmask 255.0.0.0
    source port 25 proto tcp
    target port 137
    target port 21 proto tcp
    target port 113 proto tcp
    proto icmp
}
If the firewall is ipfilter, ipmon must be running and logging to syslog (ipmon -s); the corresponding rc.conf settings are:

ipmon=YES
ipmon_flags="-s"
# csv: logs packets in csv format
# -------------------------------
# Arguments are output filename, followed by field names
# output csv: /var/log/snort/alert.csv proto,timestamp,src,srcport,dst,dstport,icmptype,icmpcode

or, with the signature fields added:

# csv: logs packets in csv format
# -------------------------------
# Arguments are output filename, followed by field names
# output csv: /var/log/snort/alert.csv proto,timestamp,src,srcport,dst,dstport,icmptype,icmpcode,sig_generator,sig_id,sig_rev,ref_system,ref_id

The patches are available at http://glycerine.dyndns.org/linux/snort
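The filter block in the sample mnwclient.rc above and the snort csv field list just shown fit together: the csv gives the client one record per rejected packet, and the filter decides which records are never sent. The following is an added example, not code from mnwclient, that parses a filter block with the directives listed in this README, parses alert.csv lines in the configured field order, and returns the records that would still be reported. The combination rule it implements (a record matching any filter line is dropped; within one line every stated condition must hold) is an assumption about the client's behaviour, as is the handling of the xchg directive, which the example rejects as unsupported. The sample csv lines are constructed from documentation address ranges, not real captures.

```python
"""Apply an mnwclient-style filter block to snort alert.csv records.

Added example; not part of mnwclient. The any-match-drops semantics are an
assumption, not something this README documents.
"""
import ipaddress
import re

# Field order from the snort "output csv:" line above.
CSV_FIELDS = ["proto", "timestamp", "src", "srcport", "dst", "dstport",
              "icmptype", "icmpcode"]

# Constructed sample alert.csv lines (documentation addresses, not real captures).
SAMPLE_CSV = """\
TCP,03/12-10:15:22.123456,203.0.113.9,4412,198.51.100.7,21,,
TCP,03/12-10:15:23.000001,192.168.1.20,51000,198.51.100.7,139,,
UDP,03/12-10:15:24.500000,203.0.113.9,1026,198.51.100.7,137,,
ICMP,03/12-10:15:25.000000,203.0.113.44,,198.51.100.7,,8,0
TCP,03/12-10:15:26.000000,10.20.30.40,3344,198.51.100.7,445,,
TCP,03/12-10:15:27.000000,203.0.113.9,4413,198.51.100.7,22,,
TCP,03/12-10:15:28.000000,203.0.113.9,4414,198.51.100.7,25,,
"""

# A filter block in the syntax of the sample mnwclient.rc above.
FILTER_BLOCK = """
filter {
    source 10.0.0.0 netmask 255.0.0.0
    source 192.168.0.0 netmask 255.255.0.0
    target 192.168.0.0 netmask 255.255.0.0
    source port 25 proto tcp
    target port 137
    target port 21 proto tcp
    target port 113 proto tcp
    proto icmp
}
"""


def parse_rule(tokens):
    """Turn one filter line into a dict of conditions (None = unconstrained)."""
    rule = {"side": None, "net": None, "port": None, "proto": None}
    i = 0
    if tokens[0] in ("source", "target"):
        rule["side"], i = tokens[0], 1
    while i < len(tokens):
        kw = tokens[i]
        if kw == "port":
            rule["port"] = int(tokens[i + 1])
            i += 2
            if rule["side"] is None:
                rule["side"] = "target"   # bare "port N" is the deprecated form of "target port N"
        elif kw == "proto":
            rule["proto"] = tokens[i + 1].upper()
            i += 2
        elif rule["side"] is not None and rule["net"] is None and rule["port"] is None \
                and i + 2 < len(tokens) and tokens[i + 1] == "netmask":
            # "<address> netmask <mask>": ipaddress accepts a dotted mask after the slash.
            rule["net"] = ipaddress.ip_network(f"{kw}/{tokens[i + 2]}", strict=False)
            i += 3
        else:
            # xchg and anything not listed in the README is rejected here (assumption).
            raise ValueError(f"unsupported filter directive: {' '.join(tokens)}")
    return rule


def parse_filter(text):
    """Extract the rules from a "filter { ... }" block."""
    body = re.search(r"filter\s*\{(.*)\}", text, re.S)
    if body is None:
        raise ValueError("no filter block found")
    return [parse_rule(line.split()) for line in body.group(1).splitlines() if line.split()]


def parse_csv(text, fields=CSV_FIELDS):
    """Parse alert.csv lines into dicts keyed by the configured field names."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split(",")))
        rec["proto"] = rec["proto"].upper()
        records.append(rec)
    return records


def rule_matches(rule, rec):
    """True when every condition stated in the rule holds for the record."""
    if rule["proto"] is not None and rec["proto"] != rule["proto"]:
        return False
    if rule["net"] is not None:
        addr = rec["src"] if rule["side"] == "source" else rec["dst"]
        if ipaddress.ip_address(addr) not in rule["net"]:
            return False
    if rule["port"] is not None:
        port = rec["srcport"] if rule["side"] == "source" else rec["dstport"]
        if port == "" or int(port) != rule["port"]:   # ICMP rows carry no ports
            return False
    return True


def reportable(records, rules):
    """Records that match no filter line and would therefore be reported."""
    return [rec for rec in records if not any(rule_matches(r, rec) for r in rules)]


def demo():
    return reportable(parse_csv(SAMPLE_CSV), parse_filter(FILTER_BLOCK))


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec['proto']} {rec['src']}:{rec['srcport']} -> {rec['dst']}:{rec['dstport']}")
```

Of the seven sample records only the connections to ports 22 and 25 survive: the port 25 probe is kept because "source port 25 proto tcp" constrains the source port, not the target port, which is the distinction the deprecated bare "port" form blurs. The RFC 1918 source and target lines matter for more than noise reduction, since without them the client would ship your internal address layout to a third party.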
export PERLDB_OPTS="nonstop autotrace frame=2 lineinfo=mnwclient.debug"; perl -d mnwclient &
Then send the client revision, the mnwclient.debug file, and any log files the client was parsing when it died to the author. The command above writes a log file named mnwclient.debug in the current working directory; monitor its size periodically, because it grows very fast. If the bug has not occurred during the time frame captured by the debug log, you may truncate it with 'cp /dev/null mnwclient.debug'.
myNetWatchman is designed for those with full-time Internet connections, such as cable modem or DSL. It is also necessary that all significant unwanted connection attempts be logged. See http://www.mynetwatchman.com for requirements, registration, and other details.