trollhunter homepage
website last updated: 12. Feb 2003
project hosted by SourceForge


Description
trollhunter is a tool to view, analyze and monitor Linux 2.4 netfilter/iptables logfiles. There are two basic modes the program can work in. The first is a Perl/Tk based analysis of a set of log messages. The result is colored output which helps the user to run over large amounts of log messages easily yet find points of interest quickly. Once a point of interest has been spotted the user can dig deeper and is presented with more detailed information such as the full IP fields, a whois lookup and contact addresses. As an alternative, trollhunter can follow a stream of log messages in real time mode and report the ongoing activity to a person monitoring the firewall.

The analysis of a log message is based on several factors. The core is a list of ports of known exploits/trojans/viruses and so on. Additionally the setup of your local network is taken into account. Configuration hooks exist to allow trollhunter to adapt to some special network architectures (e.g. if you have a 'friendly' HTTP proxy you access but it is not in your local network). The tool is also able to detect various ways of stealth scanning (Xmas, SYN/FIN scan etc.).

trollhunter also offers several ways of filtering. You can filter the output based on severity, IP ports, IP addresses and so on.
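To make the analysis described above concrete, here is an added example (not code from trollhunter itself) that parses standard netfilter/iptables log lines, flags the stealth-scan patterns named above (Xmas, SYN/FIN, null), checks the destination port against a suspicious-port list and lowers the severity for sources inside the local network. The log lines, the local network 192.0.2.0/24 and the port list are all constructed assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample netfilter/iptables log lines (not taken from any real firewall).
SAMPLE_LOG = """\
Feb 12 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 12 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 FIN PSH URG URGP=0
Feb 12 10:01:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.6 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=31337 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Feb 12 10:01:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353 LEN=40
"""

LOCAL_NET = ip_network("192.0.2.0/24")   # assumption: the monitored local network
# Constructed placeholder for the tool's list of ports tied to known backdoors/trojans.
SUSPICIOUS_PORTS = {31337: "port commonly used by a known backdoor (constructed entry)",
                    12345: "port commonly used by a known trojan (constructed entry)"}
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")

def parse_line(line):
    """Extract KEY=VALUE fields plus the bare TCP flag tokens netfilter logs emit."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    # \b keeps URGP=0 from being mistaken for the URG flag.
    fields["FLAGS"] = {f for f in TCP_FLAGS if re.search(rf"\b{f}\b", line)}
    return fields

def classify(fields):
    """Return (severity, reason); scan patterns outrank port and locality checks."""
    flags = fields["FLAGS"]
    if fields.get("PROTO") == "TCP":
        if {"FIN", "PSH", "URG"} <= flags:
            return "high", "Xmas scan (FIN/PSH/URG set)"
        if {"SYN", "FIN"} <= flags:
            return "high", "SYN/FIN scan"
        if not flags:
            return "high", "null scan (no flags set)"
    dpt = int(fields.get("DPT", 0))
    if dpt in SUSPICIOUS_PORTS:
        return "medium", SUSPICIOUS_PORTS[dpt]
    if ip_address(fields["SRC"]) in LOCAL_NET:
        return "low", "source is in the local network"
    return "info", "ordinary blocked packet"

def analyze(log_text):
    """Yield (src, dpt, severity, reason) for every line that carries a SRC field."""
    parsed = (parse_line(l) for l in log_text.splitlines())
    return [(f["SRC"], f.get("DPT"), *classify(f)) for f in parsed if "SRC" in f]

if __name__ == "__main__":
    for src, dpt, sev, why in analyze(SAMPLE_LOG):
        print(f"{sev:6} {src:>15} -> port {dpt}: {why}")
```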


Requirements
Software installed:
  • Perl (verified with version v5.6.1 built for i586-linux)
    - this is usually already installed on your system
  • Perl/Tk (Tk::HList, Tk::BrowseEntry, Tk::ItemStyle, Tk::Scrollbar)
    - this is usually already installed on your system
  • Perl module Net::XWhois
    - If you don't have the package you can get it from http://www.vipul.net/perl/
      Installing XWhois is easy: untar/unzip, perl Makefile.PL, make, make test, make install
Other requirements:

trollhunter does not require special firewall rules or other adjustments to an existing setup. It just needs standard netfilter/iptables log messages as input.


Screenshots
Pictures often say more than a thousand words :-). Check out these screenshots to get an impression of how trollhunter looks (click on the thumbnails to get a full size image):

  • trollhunter in analysis mode, Perl/Tk GUI
  • trollhunter presenting additional information on an interesting log message
  • trollhunter running in real time, command line mode


License
trollhunter is free software published under the GNU General Public License. This basically means you get all the sources and are free to modify them. However you may not benefit commercially from the result and you are required to make all sources, including your changes, available to the public. Please check all the details by reading the file COPYING that comes with trollhunter's .tar.gz package.



website created and maintained
by martin dudle (c) 2003