I have written a small Perl script, fwconwatch.pl, to monitor the status of the FW-1 connection table. When the table reaches a predefined limit, the script sends an alert and emails a listing of the top connection source addresses. The script also monitors CPU utilization, as I have found this to be another good indicator of abnormal activity.

Once the script has been configured and tested, it can be added to the /etc/init.d/firewall1 script:

    #!/bin/sh
    # FW-1 Start
    if [ -f /etc/fw/bin/fwstart ]; then
        FWDIR=/etc/fw
        export FWDIR
        /etc/fw/bin/fwstart
        # Start the connection table watcher in the background
        /etc/fw/bin/fwconwatch.pl &
    fi
    # FW-1 END

fwconwatch can be found here: http://www.sabernet.net/software/

Lance Spitzner's fwtable.pl script, which is used to list the top connection sources, can be found here: http://www.enteract.com/~lspitz/fwtable.html

Regards,
Jason
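
An added illustration of the check described in the post above (not fwconwatch.pl or fwtable.pl, and not code from the original message): count connection-table rows, compare the total to a limit, and list the top source addresses for the alert. The row layout (hex fields src, sport, dst, dport, proto), the sample table and all function names are assumptions made for this example.

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample, not captured from a firewall. Assumed layout: one
# connection per row, hex fields <src, sport, dst, dport, proto; timeout>.
SAMPLE_TABLE = """\
localhost:
-------- connections --------
<c0a80114, 0000040a, 0a000005, 00000050, 00000006; 00000e10>
<c0a80114, 0000040b, 0a000005, 00000050, 00000006; 00000e10>
<c0a80115, 00000501, 0a000005, 00000019, 00000006; 00000e10>
<c0a80114, 0000040c, 0a000006, 00000050, 00000006; 00000e10>
<0a000007, 00000611, 0a000005, 00000035, 00000011; 00000028>
<c0a80115, 00000502, 0a000005, 00000019, 00000006; 00000e10>
<c0a80114, 0000040d, 0a000006, 00000050, 00000006; 00000e10>
"""

# First hex field is the source address; the next two must also be present.
ROW = re.compile(r"^<([0-9a-f]{8}),\s*[0-9a-f]{8},\s*[0-9a-f]{8},", re.I)

def parse_sources(table_text):
    """Return the dotted-quad source address of every well-formed row."""
    sources = []
    for line in table_text.splitlines():
        m = ROW.match(line.strip())
        if m:  # headers and anything that is not a connection tuple are skipped
            sources.append(str(IPv4Address(int(m.group(1), 16))))
    return sources

def check_table(table_text, limit, top_n=3):
    """Return (alert, total, top), where top is [(source, count), ...]."""
    sources = parse_sources(table_text)
    total = len(sources)
    top = Counter(sources).most_common(top_n)
    return total >= limit, total, top

def format_alert(total, limit, top):
    """Build the text an alert e-mail would carry."""
    lines = [f"connection table at {total} entries (limit {limit})", "top sources:"]
    lines += [f"  {count:6d}  {src}" for src, count in top]
    return "\n".join(lines)

if __name__ == "__main__":
    alert, total, top = check_table(SAMPLE_TABLE, limit=5)
    if alert:
        print(format_alert(total, 5, top))
```
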
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:54:36 PDT