NeWa POC - Neighborhood Watch Proof Of Concept
Description:
A client application that runs as a local service. It collates and analyzes
local firewall logs (currently supporting Windows Firewall, ZoneLabs
ZoneAlarm and Integrity Client, and ISS BlackICE Protection). It attempts
to apply advanced security logic to the logs, correlating the allowed and
disallowed network packets flowing to the machine, and then scores each
inbound flow with a number from 0 to AVLN (a very large number). Based on
these scores, it is theoretically possible to determine whether the client
is being passively scanned or actively attacked. Output is an HTML page
that refreshes automatically, carries basic statistical diagrams, and lets
users perform a detailed lookup on the machines of potential evildoers.
This application is a proof of concept for a larger project, which would
take these client-based metrics, combine them centrally and give
administrators an overarching view of the network. The full package would
allow proactive blacklisting (BL) of attackers and whitelisting (WL) of
known-good machines, and give administrators fine-grained control over
their installed client base and IPSEC rules.
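The collate-correlate-score pipeline described above, as an added illustration in the project's language (this is not NeWa's own code): it parses constructed Windows Firewall (pfirewall.log) lines using the #Fields header, groups inbound records per remote host, and applies a simple score and scan/active classification whose weights and thresholds are assumptions made here.

```python
from collections import defaultdict

# Constructed sample in Windows Firewall pfirewall.log format (header trimmed to #Fields).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-05-15 10:23:01 DROP TCP 10.0.0.5 192.168.1.10 3421 135 48 S 1 0 65535 - - - RECEIVE
2004-05-15 10:23:01 DROP TCP 10.0.0.5 192.168.1.10 3422 139 48 S 1 0 65535 - - - RECEIVE
2004-05-15 10:23:02 DROP TCP 10.0.0.5 192.168.1.10 3423 445 48 S 1 0 65535 - - - RECEIVE
2004-05-15 10:23:04 DROP TCP 10.0.0.7 192.168.1.10 4100 3389 48 S 1 0 65535 - - - RECEIVE
2004-05-15 10:23:05 OPEN TCP 10.0.0.7 192.168.1.10 4101 80 - - - - - - - - RECEIVE
2004-05-15 10:23:06 OPEN TCP 10.0.0.9 192.168.1.10 50123 80 - - - - - - - - RECEIVE
2004-05-15 10:23:09 OPEN TCP 192.168.1.10 10.0.0.9 50200 443 - - - - - - - - SEND
"""

def parse_log(text):
    """Yield one dict per data line, keyed by the names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def correlate(text):
    """Group inbound (path == RECEIVE) records by remote address."""
    hosts = defaultdict(lambda: {"drops": 0, "opens": 0, "ports": set()})
    for rec in parse_log(text):
        if rec.get("path") != "RECEIVE":
            continue  # outbound traffic is not part of the inbound picture
        h = hosts[rec["src-ip"]]
        if rec["action"] == "DROP":
            h["drops"] += 1
            h["ports"].add(rec["dst-port"])  # breadth of blocked probing
        elif rec["action"] == "OPEN":
            h["opens"] += 1  # a connection the firewall let through
    return hosts

def score(h):
    """Breadth of dropped probing weighs most, volume adds to it (illustrative weights)."""
    return 10 * len(h["ports"]) + 2 * h["drops"] + h["opens"]

def classify(h):
    """Illustrative thresholds for the scan / attack distinction the description mentions."""
    if len(h["ports"]) >= 3 and h["opens"] == 0:
        return "scan"    # wide probing, nothing accepted
    if h["drops"] and h["opens"]:
        return "active"  # probing that also reached an open port
    return "benign"

def report(text):
    return {ip: (score(h), classify(h)) for ip, h in correlate(text).items()}
```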
- Development Status: Proof of Concept
- Environment: Win32 Service
- Intended Audience: System Administrators, Developers, Security Auditors
- License: N/A for Proof of Concept
- Operating System: MS Windows 2000/XP/2003
- Programming Language: Python
- Topic: Security