Zonelog Analyser and VisualZone for ZA

This thread is a follow-up of this thread:

http://www.wilderssecurity.com/showthread.php?t=7322

Please post your comments/questions about ZonelogAnalyser vs. VisualZone here.

 

1.
This is one of those topics that could be put in several forum-sections ( ): here in "Other Firewalls" or in "Software & Services".
Maybe it will be moved to another forum-section; then you will be notified.

2.
As with all software: use what runs best for you!

3.
At the free Tools page of the Wilders-site, in the section "firewall add-ons" you will see a short comment about both programs:
http://www.wilders.org/free_tools.htm
Maybe the remarks there might be a little bit outdated.
Please remember: the Wilders-org team are volunteers (as the team here at the forum) with so much things to do!!!

4.
I will post here a little bit (copy/paste) from both websites in the following two postings.

 

ZonelogAnalyser

http://zonelog.co.uk/

Quote:
[hr]
Overview
ZoneLog Analyser reads and displays the log file generated by ZoneLabs' ZoneAlarm and ZoneAlarm Pro (V2.1.10 and later) personal firewall, entries in the log are generated whenever an unauthorised connection is attempted to or from your PC during connection to the Internet. ZoneLog Analyser will attempt to unravel the information that is provided in the ZoneAlarm log file by giving information about the ports used and the ability to 'look up' the intruder's address details.


Features
- Imports the ZoneAlarm log into it's own database for speed of operation.
- Colour coded listing to show severity of known attacks.
- Get full, clear details about each log entry.
- Create reports on specific addresses, ports, time periods, etc.
- Resolve host names for all known IP addresses.
- Link to WHOIS websites or external applications for more detailed info on a particular address.
- Create an email message with details of an attack for reporting attackers to their ISP.
- Tag specific addresses as friend or foe.
- Threat Analysis - picks out the attacks from the noise.
- Submits logs to DShield.org
- Easy to use...

 

VisualZone

http://visualize.phenominet.com/visualzone/visualzone.htm

Quote:
[hr]
VisualZone 5.7
VisualZone is an intrusion analyser and report utility for ZoneAlarm, ZoneAlarm Plus and ZoneAlarm Pro. It displays a clear overview of all intrusion attempts and allows you to analyse the information in lots of different ways. VisualZone can perform a backtrace to try to find even more information about the intruder. You can even automate the process so that a backtrace is performed automatically when new attacks are detected. VisualZone can also submit intrusion attempts to DShield for further analysis.
Please check the list of key features below for a shortlist of the most important functions of VisualZone.
Whether simply trying to find out more or wanting to dig deeper inside the hackers mind, VisualZone is the right tool for the job. And it doesn't require any technical knowledge to get the job done.
And best of all, VisualZone is absolutely FREE !

 

Ari posted the following question:
[hr]
Hi FanJ

I have been using VisualZone. Which one would be better then ? I love VZ´s "submit intrusions to Dshield" -feature. It doesn´t submit all of them automatically though, but those intrusions only which have attacked rapidly. ( if I understood it right ?) Just one intrusion reported from here.

^Ari^

 

Hi Ari,

I have to admit that I haven't VisualZone
So I might not be the best person to answer your question...Sorry!!!

As I said: run what runs the best for you and what you like the most.

About the DShield feature:
here is a quote from the HelpFile of the latest Zonelog Analyser:

Quote:
[hr]
Tools -> DShield Submission (F4)

From the DShield.org Introduction:
"DShield.org is an attempt to collect data about cracker activity from all over the internet. This data will be cataloged and summarized. It can be used to discover trends in activity and prepare better firewall rules."

The DShield Submission form in ZoneLog will submit your log entries to DShield in the preferred format. Only new entries that have been imported since the last DShield submission will be sent or, at most, the last week's worth of data to avoid flooding the service with possibly outdated information.

You don't have to sign up in order to submit firewall logs to DShield. You can submit logs anonymously. But there are benefits to registering. Registered users

·   can view the firewall logs they submitted to the DShield database (for the last 30 days.)
·   can get a confirmation of their own submissions emailed to them after every submission.
·   can optionally enable 'Fightback'. We will forward selected authenticated submissions to the ISP implicated when we detect that you have been attacked. Registered users can see a summary of Fightback abuse messages that have been sent on their behalf.
·   will not have their submissions ignored (as anonymous submissions may be in future reports)

If you have already signed up to DShield then enter your User ID on the submission form in the space provided. If you have not signed up you can either go to the DShield signup page using the Create DShield Account button on the submission form or you can submit your logs anonymously by leaving the User ID set to 0.

The Most recent entry sent shows the date and time of the last log entry submitted to DShield.

Log entries pending shows the number of log entries that will be sent on the next submission, if this is the first time you have used the function within ZoneLog the program will only include entries up to one week old, similarly if the last submission was done over one week ago then, again, ZoneLog will only submit data for the last week to avoid flooding the service with possibly outdated information.

DShield recommend that you submit your logs at least once a day but no more often than once an hour.

Target IP Obfuscation

If you wish you can obfuscate (hide) the target IP address (your IP address) within the submitted log, there are two levels of obfuscation available:

Partial: This changes the first quad of the IP address to "10", e.g. 201.103.123.231 would become 10.103.123.321

Full: This changes the target IP address to 10.0.0.1 for every entry in the log.

If you do use obfuscation then the Partial method is preferred because it still provides more information on the extent of accesses. Note that if you use either method of obfuscation then DShield will not send any 'Fightback' abuse reports on your behalf because ISPs require valid IP addresses in the reports.

Select the Preview email before sending option if you wish to view the compiled email before submitting to DShield, leave the option unchecked if you want ZoneLog to just get on and send the email straight away (this option is only available if you are using MAPI in conjunction with your email client)

Auto submit every 6 hours, when checked, will automatically submit any new log entries every 6 hours or whenever any new entries are present more than 6 hours since the last submission.

It is recommended that you make a manual submission first to ensure there are no problems with your submissions before automating them with this option.

Note about your email software:

Some email programs (Netscape and Outlook Express are common offenders) will word-wrap all lines. This causes problems with the DShield firewall log submissions processor because firewall logs are assumed to not be wordwrapped. Check your email program's configuration options to see if wordwrapping can be disabled, if not then you should use the direct SMTP method of sending the submissions, details of which can be found in Options

 

I use both programs, but I never have had anything listed in VisualZone which has always bothered me. I'm pretty well covered to prevent intrusions, but would think I would come across one every once in awhile.

bob