Product Reviews
April/2001

 
ZoneAlarm Personal Firewall Box "ZONELOG ANALYZER V0.45 beta"
The Perfect Add-on To ZoneAlarm Personal Firewall

Reviewed By:
Walter Petelka
Director of Online Services, The Personal Computer Club of Toronto.

To utilize ZoneLog Analyzer you must have ZoneAlarm, a popular free firewall for personal computers. ZoneLog Analyzer will also work with ZoneAlarm Pro, the commercial version. Both ZoneAlarm programs can be obtained at http://www.zonelabs.com. If you are concerned about protecting yourself from intrusions/attacks while online, then a simple solution is to install a firewall. There are a number of commercial firewalls, but for the average computer user, who is not running mission critical programs, I highly recommend ZoneAlarm. It has a log feature that will record the activity that takes place while you are online. Each entry shows the following information:

Type, Date, Time, Source (IP & port), Destination (IP & port) and Transport

An example of the type of entry is:

FWIN, 2001/03/15, 06:09:32 -5:00 GMT, 216.136.80:2257, 216.154.6.232:113, TCP.

FWIN indicates that the firewall blocked an inbound packet of data coming to your computer. Some, but not all, of these packets are connection attempts; the example above, aimed at port 113 (the ident/auth service), is typical of the harmless kind, since many servers you connect to query ident back at your machine. Also you should keep in mind that the information provided in the ZoneAlarm log is only a guide. It is up to you, the user, to decide if an attempted connection was a genuine threat or just background noise. Contained within this entry is the information needed to find out who sent the packet, and there are a number of third-party utilities that will decipher it for you.

One that I have found is ZoneLog Analyzer, and it is also free. I found it simple to install and use. It is a 2MB download, will take up approximately 4MB on your hard drive, and will function with Win9x, NT and Win2000. It does have two requirements:

  1. Within ZoneAlarm you must activate the log feature in the ALERTS section: ALERTS setting/Log alerts to a text file.
  2. You will also require the Visual Basic 6 runtime files.

Once you have downloaded the ZoneLog file, it is simply a matter of double-clicking the zlsetup icon and you are away to the races.

A program group will be set up; it is recommended that you open the readme file before you run the program. Next, I would make a shortcut to the program by dragging the ZoneLog icon to your desktop.

Clicking on the ZoneLog icon brings up the log screen, which imports the entries from your ZoneAlarm log. These entries are colour coded, with a key in a box in the upper right hand corner of the screen. The labels are Unknown, DoS, Outgoing, Harmless, Scan, Attack and Trojan, but again keep in mind that these are labels only and you must make the final analysis.

Clicking on any log entry takes you to the Log Entry Detail screen, which shows an Info box with some details about the type of entry, a Source detail box, a Destination detail box and Port Detail.

The details form presents the log information for each entry in a way that makes it a little more understandable. A note in the top right corner describes the type of connection that was attempted and gives pointers as to what you should do to find out more.

The buttons at the top left allow you to move through the records of the main listing by going to the First entry, Previous entry, Next entry, and Last entry respectively.

Below these buttons are the date and time of the attack and the transport used. There is also a field marked 'Type', which is the entry type logged by ZoneAlarm (FWIN, for example); its meaning is described in the Information box.

The lower section of the form displays the Source and Destination details. If the attack was incoming, then the Destination is your machine and the box is labelled to show this; if it was an attempt to connect to the net from your machine, then your machine is the Source, which is also labelled as such.

The Source and Destination boxes will provide the following information:

  • The IP address. If the attempted connection was outgoing, then the name of the application that tried to connect is displayed in the Source address field instead.
  • Under the IP address field is the DNS lookup field. To look up the DNS name of the IP address, simply click the 'Lookup' button to the right; you will need to be connected to the internet to perform this function. If you have previously looked up the name, it will have been stored in the ZoneLog database and will appear automatically; you may click the 'Lookup' button to confirm/update the entry if you wish.
  • You can also enter a host name manually by right-clicking over the DNS field and selecting 'Edit'.
  • To the right of the IP address is the Port which was used. Clicking on the 'Details' button next to it shows any known details about this specific port in the text box at the bottom of the form. The information at the top right of the form indicates which port you should be looking at to ascertain the nature of the connection.
  • The WHOIS Lookup buttons to the right of the source/destination boxes launch your default web browser and perform a lookup on your preferred WHOIS web site. The default is the SamSpade tools site, which gives details of the domain name, who owns it, the IP block, and a traceroute from SamSpade to the address given.
  • You can set up your own WHOIS lookup site in the Options and I selected the Geek Tools as the WHOIS web site and was very impressed with the detail.
  • The Tag button will add the IP address, as friendly or unfriendly, to your Tagged Addresses list and you can choose to be informed if this IP address shows up during an import.
  • You can copy the IP addresses and DNS names to the clipboard from the appropriate fields with the right-mouse button, simply place the mouse over the desired data and select 'Copy' from the context menu.
  • At the bottom of the form is a button marked 'Prepare email report'. This drafts a standard email body text containing all the relevant information that should be sent to the host ISP's abuse department, should you wish to report an intrusion attempt. Simply copy it to the clipboard and paste it into your email client, addressed to the abuse contact listed in the WHOIS report.
  • There are a number of other features that you might find useful: IP/Port Analysis, Attack Analyzer, and Activity Summary.
  • There is also a comprehensive HELP section.
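To show what an import of the ZoneAlarm text log involves, and what the Scan label, the Tagged Addresses check and the 'Prepare email report' button described above boil down to, here is a small Python script. It is an added example written for this review; it is not code from ZoneLog Analyzer or from Zone Labs. The field order follows the review (Type, Date, Time, Source IP:port, Destination IP:port, Transport). FWIN (blocked inbound packet) is the record type the review documents; FWOUT (blocked outbound packet) is assumed from the ZoneAlarm 2.x log format. The sample log is constructed, not a real capture, and uses documentation addresses only; 192.0.2.10 plays the part of "your machine".

```python
"""Parse and triage ZoneAlarm text-log entries (added example, not
ZoneLog Analyzer code). Field order per the review: Type, Date, Time,
Source IP:port, Destination IP:port, Transport. FWOUT is assumed from
the ZoneAlarm 2.x format; the review itself only shows FWIN."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
# 192.0.2.10 is "your machine"; the last line tests malformed-line handling.
SAMPLE_LOG = """\
FWIN,2001/03/15,06:09:32 -5:00 GMT,198.51.100.23:2257,192.0.2.10:113,TCP
FWIN,2001/03/15,06:09:35 -5:00 GMT,198.51.100.23:2258,192.0.2.10:139,TCP
FWIN,2001/03/15,06:09:36 -5:00 GMT,198.51.100.23:2259,192.0.2.10:27374,TCP
FWIN,2001/03/15,06:11:02 -5:00 GMT,203.0.113.77:1026,192.0.2.10:137,UDP
FWOUT,2001/03/15,06:12:10 -5:00 GMT,192.0.2.10:1045,203.0.113.9:6667,TCP
this line is not a log entry and must be skipped, not crash the import
"""

ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


@dataclass(frozen=True)
class Entry:
    kind: str       # FWIN or FWOUT
    date: str
    time: str       # keeps the zone offset, e.g. "06:09:32 -5:00 GMT"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    transport: str  # TCP or UDP


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a well-formed FWIN/FWOUT line, else None."""
    parts = [p.strip() for p in line.strip().split(",")]
    if len(parts) != 6 or parts[0] not in ("FWIN", "FWOUT"):
        return None
    src, dst = ENDPOINT_RE.match(parts[3]), ENDPOINT_RE.match(parts[4])
    if not (src and dst):
        return None
    # Later ZoneAlarm builds append notes such as "(flags:S)" after the
    # transport; keep only the protocol name.
    return Entry(parts[0], parts[1], parts[2],
                 src.group(1), int(src.group(2)),
                 dst.group(1), int(dst.group(2)),
                 parts[5].split()[0].upper())


def parse_log(text: str) -> list:
    """Parse every line, silently dropping lines that are not log entries."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def remote_ip(e: Entry) -> str:
    """The far end: Source for inbound (FWIN), Destination for outbound."""
    return e.src_ip if e.kind == "FWIN" else e.dst_ip


def summarise(entries):
    """Activity summary: blocked inbound packets per remote host and per
    destination port on this machine, most frequent first."""
    inbound = [e for e in entries if e.kind == "FWIN"]
    by_host = Counter(e.src_ip for e in inbound).most_common()
    by_port = Counter(f"{e.dst_port}/{e.transport}" for e in inbound).most_common()
    return by_host, by_port


def detect_scans(entries, min_ports: int = 3) -> list:
    """Heuristic 'Scan' label: one remote host probing several distinct
    ports here. A label only; the user still makes the final call."""
    ports = {}
    for e in entries:
        if e.kind == "FWIN":
            ports.setdefault(e.src_ip, set()).add(e.dst_port)
    return sorted(ip for ip, ps in ports.items() if len(ps) >= min_ports)


def flag_tagged(entries, tags: dict) -> list:
    """Entries whose remote host is 'unfriendly' in a Tagged Addresses
    list of the form {ip: 'friendly' | 'unfriendly'}, checked on import."""
    return [e for e in entries if tags.get(remote_ip(e)) == "unfriendly"]


def abuse_report(e: Entry) -> str:
    """Plain-text body for a report to the remote host's abuse contact."""
    return (
        "Blocked connection attempt recorded by ZoneAlarm personal firewall\n"
        f"Type: {e.kind}   Date: {e.date}   Time: {e.time}\n"
        f"Source:      {e.src_ip}:{e.src_port}\n"
        f"Destination: {e.dst_ip}:{e.dst_port}\n"
        f"Transport:   {e.transport}\n"
        "Please check your logs for the host listed as Source at that time.\n"
    )


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    hosts, ports = summarise(log)
    print("blocked inbound by host:", hosts)
    print("blocked inbound by port:", ports)
    print("possible scans:", detect_scans(log))
    tags = {"203.0.113.77": "unfriendly", "198.51.100.23": "friendly"}
    print("tagged unfriendly:", [remote_ip(e) for e in flag_tagged(log, tags)])
    print(abuse_report(log[0]))
```

Run it as a script to see the summary for the constructed log; point parse_log at the contents of your own ZoneAlarm log file to try it on real entries. The three-port hit from 198.51.100.23 earns the Scan label, the single UDP 137 probe does not, and the malformed last line is dropped rather than aborting the import, which is the behaviour you want from any log importer.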

Hopefully this program will help you make some sense of the "attacks", and the price is right: free.

I would like to leave you with a few more thoughts:

  • Security of your computer is your responsibility.
  • Security is 90% common sense and 10% technology. Don't open unsolicited and unknown attachments.
  • Don't send an attachment that has not been virus scanned.
  • If you are probed or attacked, make it your mission to track down the culprits and report them to at least their service provider; if they are hiding behind anonymous emails, report it to your service provider.

System requirements
As noted, this is a beta version and the developer has targeted April 2001 as the release date for the commercial version. He expects it will sell for around $20 CDN. It works with Win9x, NT and Win2000. It is a 2MB download and will take up approximately 4MB on your hard drive. I am running it on a P166 with 32 MB RAM and am not encountering any problems.