# -*-mode:text-*-
# $Id: README-JP,v 1.14 2004/06/01 05:59:05 hironobu Exp hironobu $
#
# Copyright (C) 1999-2004 Hironobu SUZUKI <hironobu@h2np.net> 
#
# Name: CLSCAN --- Common Log Scan, Analyze for the common security logs
# Author: Hironobu SUZUKI <hironobu@h2np.net> and many contributors
# License: GPL version 2 (see http://www.gnu.org/licenses/gpl.txt)
# Clscan Official Mail Address:   clscan@h2np.net
#

* clscan --- ƥϤġ

롼ΥTCPWRAPPERΥϤ뤿Ѥ˺줿ʰץġ
ǤɸϤͿޤϤˤϥƥȥ⡼ɡHTML⡼ɤ
ݡȤƤޤstatform.plclscanǺ줿HTMLե뤫
ޤHTMLե륵֥ץǤ

	[] clscanϤĤΤޤlscanȤ̾ΤǤ
	Ʊ̾ǡ褦ŪΤ˻Ȥʥġ
	¸ߤƤΤǺƱ򤱤뤿clscan (Common Log Scan
	Tool)Ȥ̾Τѹޤ

* ݡȤƤ

    롼
	MN128եߥ
	CISCO1003
	CISCO2500
	YAMAHA RTեߥ
	NetVehicle
	NEC COMSTARZ
	IODATA NP-BBRեߥ
        NTT-ME BA8000Pro 
        NTT-ME MN8300w (ݡ)

    ġ
	TCPWRAPPER
	IP Filter
	iptables

* ץ

  clscan [option]
	-config=եե
	-outputformat=եޥå (html,text)

		ex) clscan -outputformat=html 
                    clscan -outputformat=text

	-logfile=ϥե
	-htmlfile=HTMLե
	-textfile=TEXTե
	-sitename=(name|no) ̾Υ꥾


   perl $CLSCANHOME/bin/statform.pl [option]
	-help Ȥ

* եեեޥå

$CLSCANHOME/etc/sample-class-conf  $CLSCANHOME/etc/paranoid.conf
ͤˤʤޤ

** Class 

饹ȤϡФץȥФɤΥ٥ǽ뤫
ҤޤɽϼΥꥹȤˤʤäƤޤ

	饹(Alert,Warn,Ignore)[]ӥ̾[]ץȥ

饹Alert(ٹ)Warn()Ignore(̵)ΣĤΥ饹ޤ
ӥ̾ȤϤsmtpȤtelnetȤäӥ̾Ǥ

ץȥϡȤƥˤäɽ㤤ޤMN128CISCOʤɤ"
ݡֹ/ץȥ"ȤäɽǤ

	ex: (mn128.conf/cisco1003.conf etc.)
	Alert pop3  110/tcp

TCPWRAPPERinetd.confǻȤ褦ʥץȥǡɽȤʤ
Ƥޤ

	ex:(tcpwrapper.conf)
	Alert pop   ipop3d


	[]
	alertwarningȤignoreΤѤ륵Ȥ
	Ķˤ롣Υ򤹤٤Ƥ䤷Ƥ롼(
	)ǤäƤ⳰饢Ԥ뤳ȤΤդ
	줿㤨СɤftpԤեɤ褦
	Ȥ桼γǧ򤹤뤿113/tcp (in.identd)ʤɤǧ
	ڤΤ˥礬롣ޤ80/tcp(httpd)ʤɤϸ
	ȤʤɤξΤ˥ԤäƤ礬
	(ޤ긭ˡȤϻפʤ...)

	ΤŪˤϲʥǤ뤫ʥ
	Ǥ뤫ϰդ˷뤳ȤϤǤʤȤԤ
	ΥƥݥꥷȡΥͥåȥѤξＱۤ
	ȽǤʤФʤʤ

   Ignore: ̵ꤷ硢Υץȥ˴ؤƤεϿ̵뤵
   ޤĤޤϷ̤ˤϡɤˤ⤽ξ󤬸ʤȤȤ
   ʤޤ


饹ɸॵץեѰդޤ

	$CLSCANHOME/etc/sample-class-conf 


* 󥹥ȡˡ

	Step 1: tarŬʾ˥֤Ÿ
	(ѥåΥǥȥӥ塼󡦥ǥ쥯ȥˤʤޤ)
	
	% tar xzvf  clscan-01.tar.gz

	Step 2: Ŭʾإԡޤ
	(ѥåΥۡǥ쥯ȥˤʤޤ)

	% cp -r clscan_dist /usr/local/clscan

	Step 3: clscanΥۡǥ쥯ȥ˰ưconfig.sh¹Ԥޤ

	% cd /usr/local/clscan
	% sh config.sh
	Package directory is /usr/local/clscan
	Package bin is /usr/local/clscan/bin
	Package etc is /usr/local/clscan/etc
	Package lib is /usr/local/clscan/lib
	Package doc is /usr/local/clscan/doc
	Sure? [n/Y] Y <--褱"Y"Ϥޤ
	2921
	#
	3048
	done 
	%

* clscanˡ

ޤƥ˴ؤsyslogͳǵϿƤ뤳Ȥ
ʲ夲ޤ


** MN128Τˡ

	% clscan -config=$CLSCANHOME/etc/mn128.conf -outputformat=html  \
                     < MN128Υ > foo.html

** CISCO1003Τˡ

	% clscan -config=$CLSCANHOME/etc/cisco1003.conf -outputformat=html  \
                     < CISCO1003Υ > foo.html

** CISCO2500Τˡ

	% clscan -config=$CLSCANHOME/etc/cisco2500.conf -outputformat=html  \
                     < CISCO2500Υ > foo.html

** YAMAHA RTΤˡ

	% clscan -config=$CLSCANHOME/etc/rt80i.conf -outputformat=html  \
                     < YAMAHARTΥ > foo.html

** NetVehicleΤˡ

	% clscan -config=$CLSCANHOME/etc/NetVehicle.conf -outputformat=html  \
                     < NetVehicleΥ > foo.html

** COMSTARZˡ

	% clscan -config=$CLSCANHOME/etc/comstarz.conf -outputformat=html  \
                     < ComstarzΥ > foo.html

** IODATA NP-BBRˡ

	% clscan -config=$CLSCANHOME/etc/iodatanpbbr.conf -outputformat=html  \
                     < NP-BBRΥ > foo.html

** NTT-ME BA8000Proˡ

	% clscan -config=$CLSCANHOME/etc/ba8000.conf -outputformat=html  \
                     < BA8000ProΥ > foo.html

** NTT-ME MN8300Wˡ

	% clscan -config=$CLSCANHOME/etc/mn8300w.conf -outputformat=html  \
                     < mn8300wΥ > foo.html



** TCPWRAPPERΤˡ

    % clscan -config=$CLSCANHOME/etc/tcpwrapper.conf -outputformat=html  \
                     < tcpwrapperΥ > foo.html


** IP FilterΤˡ

    % clscan -config=$CLSCANHOME/etc/ipf.conf -outputformat=html  \
                     < ipfΥ > foo.html

	[] 
	ipf ǤФ log  none-lookup  option ΤΤǤ
	FQDN ϥݡȤƤޤ


** iptables Τˡ (NEW)

    % clscan -config=$CLSCANHOME/etc/iptables.conf -outputformat=html  \
                     < SYSLOG_OF_IPTABLES > foo.html


**  statform.plλȤ

   % perl statform.pl -clscanfile=$SAVEDIR/$FNAME.html  \
      -htmlfile=$SAVEDIR/$FNAME.stat.html 

	-clscanfile=input_clscan_format_html
	-htmlfile=output_html_file

** ǥեȤΥե졼

Ϥ롼ࡢ뤤ϥġबξ$CLSCANHOME/etcˤ
ǥեȤΥե졼եclscan.conf˵ҤΤɤ
Ǥ礦ȤTCP_WRAPPERǥեȤȤʤtcpwrapper.conf
clscan.conf˥ԡޤ

	% cp tcpwrapper.conf clscan.conf
        % vi clscan.conf
---ѹ---
	#
	outputformat  text <-- htmlѹ
---ѹ---
	#
	outputformat  html
---
	% clscan < tcpwrapperΥ > foo.html

* ե졼Tips

ե졼եϣģĤΥȤǰ㤦ϤǤǥե
ȤˤĤ륳ե졼եϡޤǤȹͤ
ΥȤǤϤΤ褦ʱѤ򤷤Ƥޤ

  % cp $foo/etc/tcpwrapper.conf  ~/lib
  % vi mytcpwrapper.conf  
  Ȥ˲碌
  % clscan -config=$CLSCANDIR/etc/mytcpwrapper.conf -logfile=/var/log/secure



* 

** ᡼ (HTMLݡMUA)

---
% clscan <  | uuencode ALERTTLIST.htm | mail -s 'LOG' your_address 
---

** ޥɲ

---
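#! /bin/bash
# Run clscan over the MN128 router log and write a timestamped HTML report
# (e.g. mn128-2004Jun01-055905.html, example name) into the current directory.
FNAME=`date +'mn128-%Y%b%d-%H%M%S'`
# Plain assignments: a leading "$" on the left-hand side makes bash expand the
# (unset) variable and try to *execute* "=/usr/local/clscan/bin/clscan"
# instead of setting CMD, so the original script never ran clscan at all.
CMD=/usr/local/clscan/bin/clscan
CONF=/usr/local/clscan/etc/mn128.conf
LOG=/var/log/mn128
# Quote every expansion so a path containing whitespace is passed as one word.
"$CMD" -config="$CONF" -logfile="$LOG" -outputformat=html -htmlfile="$FNAME.html"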
---

* UPDATE INFO

See ChangeLog

* Х

	clscan@h2np.net

ХθݤȥХƸ뤿ΥǡѰդƸϢ

* ᡼󥰥ꥹ

򴹤ΤΥ᡼󥰥ꥹȤޤäˡΤꤿ
clscan-ml-ctl@mail.h2np.net˥᡼ΤguideȰ񤤤᡼
äƤ

        ----
	To: clscan-ml-ctl@mail.h2np.net
	Subject: (ɬפޤ)

	guide
        ---


* SPECIAL THANKS TO:

  (Naohiro HONDA)
ʿ  (Ҥ Ҥ)
NetVehicle Web Master 
  (Kenichi OHWADA )
¼ ɧ (Teruhiko Shinmura)
   (S. Kajino)
桡ɵ (Yoshihisa Kayanaka)
  (Tsuyoshi KAWABE)
 ˧ (Yoshiki SUGIURA)
Shinichirou Ohhara
