The "Forensic" Log Utilities explained, and how to add your own utilities

    This Knowledge Base article applies to:
      Amaranten Firewall

You may have noticed that as of v8.0, you can right-click log entries in the log analyzer and do pings, traceroutes, etc.

Well, you can set up your own tools! Take a look in:
  C:\Program Files\Amaranten\Firewall Manager 8\Log Utilities

You'll find a couple of .exe files, and a bunch of .def files. Edit these .def files in e.g. notepad, and you'll see things like:

  "Ping Dest.def":
     CMD ping.exe $destip
     description
     Pings the specified host.

  "Whois Dest.def":
     CMD whois.exe -p $HTTP_PROXY $destip
     HTTP TRUE
     description
     Looks up "whois" information for the host/network 
     in the ARIN/RIPE/APNIC etc registries.

Directives in the .def files

  CMD             The (console) command to execute.
  #               Comment line (ignored).
  HTTP TRUE       The app uses HTTP, so if you're using a proxy that
                  wants authentication, the mgr should pop up a
                  user/passwd dialog.
  DESCRIPTION     The rest of the file is a description of the tool.
  NOOUTPUT TRUE   The tool won't output anything meaningful through
                  standard output, so don't show the "result" dialog
                  (use if you're starting GUI apps).

Variables in the CMD command line

   $destip     Destination IP address of the selected log entry
   $srcip      Source IP address of the selected log entry
   $destport   Destination port of the selected log entry
   $srcport    Source port of the selected log entry

Example: destination port lookup on isc.incidents.org

Here's one use I personally like a lot. The Internet Storm Center, isc.incidents.org, keeps track of portscans seen on
tens of thousands of firewalls, so if you're seeing a probe, you can quickly find out if you're being singled out, or if
you were "just" hit by an automated scan sweep.

Create a "ISC Dest Port Lookup.def" file, containing:

  CMD cmd /c start http://isc.incidents.org/port_details.html?port=$destport
  NOOUTPUT TRUE
  DESCRIPTION
  Lookup the destination port on isc.incidents.org
  (opens a separate web browser window)

If you've got your log analyzer window open already, you'll need to close it and reopen it -- it scans the .def files when it is opened.

Now, if you're wondering about a destination port in your logs, you can just right-click the line and select "Log Utilities->ISC
Dest Port Lookup" and quickly see graphs of current scans, registered uses for the port, and lots of other useful
information.
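To make the .def format and the $-variable substitution concrete, here is an added Python example; it is not the firewall manager's code and not from the article. It parses a .def file with the directives listed above (CMD, #, HTTP TRUE, NOOUTPUT TRUE, DESCRIPTION) and expands $destip, $srcip, $destport, $srcport and $HTTP_PROXY the way the manager does, with one addition the article does not describe: the values taken from the log entry are checked to be real IP addresses and port numbers before they are placed on a command line. The two .def texts are constructed here, modelled on the "Whois Dest.def" and "ISC Dest Port Lookup.def" files, and case-insensitive matching of directive names is an assumption (the article writes both "description" and "DESCRIPTION").

```python
import ipaddress
import re

# Constructed .def texts, laid out like the "Whois Dest.def" and
# "ISC Dest Port Lookup.def" files described in the article.
WHOIS_DEF = """# Comment lines are ignored
CMD whois.exe -p $HTTP_PROXY $destip
HTTP TRUE
DESCRIPTION
Looks up "whois" information for the host/network
in the ARIN/RIPE/APNIC etc registries.
"""

ISC_DEF = """CMD cmd /c start http://isc.incidents.org/port_details.html?port=$destport
NOOUTPUT TRUE
DESCRIPTION
Lookup the destination port on isc.incidents.org
(opens a separate web browser window)
"""

# The four log-entry variables plus $HTTP_PROXY, which the article shows
# being used on a CMD line.
VAR_PATTERN = re.compile(r"\$(destip|srcip|destport|srcport|HTTP_PROXY)\b")


def parse_def(text):
    """Parse one .def file into a dict with keys cmd, http, nooutput, description.

    Directive names are compared case-insensitively (assumption: the article
    writes both 'description' and 'DESCRIPTION'). Everything after the
    DESCRIPTION line is the tool's description, as the article states.
    """
    tool = {"cmd": None, "http": False, "nooutput": False, "description": ""}
    lines = text.splitlines()
    for index, raw in enumerate(lines):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        keyword = keyword.upper()
        rest = rest.strip()
        if keyword == "CMD":
            tool["cmd"] = rest
        elif keyword == "HTTP":
            tool["http"] = rest.upper() == "TRUE"
        elif keyword == "NOOUTPUT":
            tool["nooutput"] = rest.upper() == "TRUE"
        elif keyword == "DESCRIPTION":
            tool["description"] = "\n".join(l.strip() for l in lines[index + 1:]).strip()
            break
        else:
            raise ValueError(f"line {index + 1}: unknown directive {keyword!r}")
    if tool["cmd"] is None:
        raise ValueError("no CMD directive found")
    return tool


def validate_log_fields(fields):
    """Check log-entry values before they go onto a command line.

    IPs must parse as IPv4/IPv6 addresses and ports must be integers in
    0..65535; anything else raises ValueError instead of being substituted.
    """
    checked = {}
    for name in ("destip", "srcip"):
        if name in fields:
            checked[name] = str(ipaddress.ip_address(fields[name]))
    for name in ("destport", "srcport"):
        if name in fields:
            port = int(fields[name])
            if not 0 <= port <= 65535:
                raise ValueError(f"{name} out of range: {port}")
            checked[name] = str(port)
    return checked


def build_command(tool, fields, http_proxy=None):
    """Expand the $-variables in the tool's CMD line from validated fields."""
    values = validate_log_fields(fields)
    if http_proxy is not None:
        values["HTTP_PROXY"] = http_proxy

    def replace(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value available for ${name}")
        return values[name]

    return VAR_PATTERN.sub(replace, tool["cmd"])


if __name__ == "__main__":
    whois = parse_def(WHOIS_DEF)
    print(build_command(whois, {"destip": "192.0.2.10"},
                        http_proxy="http://proxy.myorg.com:8080"))
    isc = parse_def(ISC_DEF)
    print(build_command(isc, {"destport": "445"}))
```

The ipaddress module accepts IPv6 as well as the dotted IPv4 shown in the article, so the check generalises to whatever address form the log analyzer presents. The validation step is what keeps a malformed or unexpected log value from ever reaching the console command; the manager's own substitution is not described as doing this, so if you write your own wrapper around a tool, this is the place to put that check.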

Proxy settings for tools that use HTTP

Note: This does NOT apply to browsers; browsers keep their own proxy settings and do not need help from the firewall
manager.

If the app uses outbound HTTP connections, and the firewall manager is set to use an HTTP proxy, the following variables
are also available in the command line AND as environment variables:

   HTTP_PROXY         e.g. "http://uname:pwd@proxy.myorg.com:8080"
   HTTP_PROXY_SIMPLE  e.g. "proxy.myorg.com:8080"
   HTTP_PROXY_HOST    e.g. "proxy.myorg.com"
   HTTP_PROXY_PORT    e.g. "8080"
   PROXY_USER         e.g. "uname"
   PROXY_PASS         e.g. "pwd"
   USE_PROXY          e.g. "on"

If the proxy doesn't use authentication, HTTP_PROXY simply becomes e.g. "http://proxy.myorg.com:8080".

This is completely compatible with e.g. "wget" and other apps ported from *nix that (can) use HTTP proxies.
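To show how the seven proxy variables relate to each other, here is an added Python example; it is not the firewall manager's code and not from the article. It builds the HTTP_PROXY form from its parts and derives HTTP_PROXY_SIMPLE, HTTP_PROXY_HOST, HTTP_PROXY_PORT, PROXY_USER, PROXY_PASS and USE_PROXY from it, covering both the authenticated and the unauthenticated form the article describes. Three things are assumptions the article does not state: an empty proxy URL yields USE_PROXY "off", the port must be given explicitly, and the user name and password are percent-encoded so a password containing "@" or ":" round-trips correctly; for an unauthenticated proxy the PROXY_USER and PROXY_PASS entries are left out.

```python
from urllib.parse import quote, unquote, urlsplit


def proxy_url(host, port, user=None, password=None):
    """Build the HTTP_PROXY form: http://[user:pwd@]host:port.

    user and password are percent-encoded (assumption: the article does not
    say how the manager encodes them) so that a password containing '@' or
    ':' cannot be mistaken for the URL's own delimiters.
    """
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"bad proxy port: {port}")
    auth = ""
    if user:
        auth = quote(user, safe="")
        if password is not None:
            auth += ":" + quote(password, safe="")
        auth += "@"
    return f"http://{auth}{host}:{port}"


def proxy_environment(http_proxy):
    """Derive the other proxy variables from one HTTP_PROXY value.

    Returns a dict keyed like the environment variables the article lists.
    An empty value means no proxy is configured (assumption: USE_PROXY "off";
    the article only shows "on").
    """
    if not http_proxy:
        return {"USE_PROXY": "off"}
    parts = urlsplit(http_proxy)
    if parts.scheme != "http" or not parts.hostname or parts.port is None:
        raise ValueError(f"expected http://[user:pwd@]host:port, got {http_proxy!r}")
    env = {
        "HTTP_PROXY": http_proxy,
        "HTTP_PROXY_SIMPLE": f"{parts.hostname}:{parts.port}",
        "HTTP_PROXY_HOST": parts.hostname,
        "HTTP_PROXY_PORT": str(parts.port),
        "USE_PROXY": "on",
    }
    # Credentials are only present in the authenticated form.
    if parts.username:
        env["PROXY_USER"] = unquote(parts.username)
        env["PROXY_PASS"] = unquote(parts.password or "")
    return env


if __name__ == "__main__":
    for url in (proxy_url("proxy.myorg.com", 8080, "uname", "pwd"),
                proxy_url("proxy.myorg.com", 8080)):
        for name, value in proxy_environment(url).items():
            print(f"{name}={value}")
```

One thing worth keeping in mind when you write a CMD line: HTTP_PROXY can carry uname:pwd, so substituting $HTTP_PROXY on the command line (as the "Whois Dest.def" example does) puts the proxy password into the launched process's command line, where local process-listing tools can read it. A tool that reads the proxy from the environment instead, as the wget mentioned above does, keeps the credentials off the command line, and HTTP_PROXY_SIMPLE is the form to use wherever a credential-free value is enough.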