SonicWall logs reset

ComputerShaman

IS-IT--Management
Apr 12, 2005
I have a question pertaining to firewall logs.

Situation: On Monday morning at about 9:30 am I walked by a classroom at the college where I am the network admin and noticed several students had the "Blocked website" message on their screens. The instructor had a URL on the board that we had forbidden. I made a mental note to print the firewall log to present to the Director. It was not a major issue at this time, though; the site is not that bad, but we still do not want students accessing it.

On Tuesday morning I went to the log files and noticed they begin at 10:30 am on Monday, precisely the time the class is over for the period. My first reaction was that the instructor went into the firewall, unauthorized, and reset the logs. It is possible he could have had access to the password at some time in the last month, however he was not given the password. The Dean had written it onto a network map that he had access to though.

I checked the server and he did log into the network on a classroom computer at the end of class, but the event log does not show his activity. He logged in, and a minute later he logged off. Just enough time to reset the logs if he wanted to.

With the logs beginning at 10:30, there is nothing about the blocked websites, nor any administrator activity prior to that time. From 10:30 on I just see the basic day-to-day activities that I normally see.

My question is: Is it possible that the logs reset by themselves in any way? The allegation is serious (unauthorized activity on the school's firewall) and I want to be sure before I pursue it further. They are set up to send email every week at midnight Sunday night, and I have never seen them reset at any other time.

On my computer IP addresses do not seem to show up in IE History, so is there a way I can check the computer he logged into and see if he went to the firewall? I checked the computer's event log and it doesn't show anything helpful.

Any help is appreciated.
Thank you!

Computer Shaman



 
I have a TZ-170. I believe if the Sonicwall is powered down, a new log begins and the old one is lost. Hypothetically speaking, the instructor could have 1) logged on to the Sonicwall, 2) changed the setting, 3) completed his lecture, 4) put the setting back on the Sonicwall, and 5) powered it down and up.

Getting answers before I'm asked
is why I go to Tek-Tips.
 
The Sonicwall is on a battery backup in a locked room.
However, I did verify that the password was vulnerable at some point a while back. I have changed it, needless to say. It looks like he reset the logs at the end of class, but there is no hard evidence. This does add one more nail to his professional coffin, though. What a shame. Guess he doesn't take network security and campus protocol very seriously. To enter an unauthorized network area and destroy logs is no different than sneaking into an office and shredding important documents.

Thanks for the response!

CS

 
Does your firewall have syslog capability? If so get it running on your server or other secure pc. I use kiwisyslog at every site and dump all debug to it.

Someone posted this code a while back that scans the "index.dat" files on any local computer. I don't know who it was that wrote it but it works like a charm.

Copy and paste the following code into notepad and save it as iespy.htm.
Run it on the local computer you want to scan, you might get lucky and find any links that he/she's been surfing...
_____________________________________________________________

<HTML><HEAD><TITLE>IE Spy - by Vengy</TITLE></HEAD><pre>

<script language="VBScript" TYPE="text/vbscript">

' ======================== Let The Games Begin! ========================
' Contact Info
' ------------
' Author: Vengy
' Email : cyber_flash@hotmail.com

' How it works
' ------------
' INDEX.DAT files keep a list of websites you have visited, cookies received and files opened/downloaded.
' As a result anyone can find out what you have been doing on the Internet!
'
' This program scans all history index files looking for any HTTP:// or FILE:// entries.
' If found, they're stored in a file called C:\SPY.HTM along with the user.

' Aside: This program invokes a local windows program called FIND.EXE to
' parse the index.dat files. (I was too lazy to code it myself. ;)

' Have Fun! (-_-)


' ======================== The Banner ========================
document.writeln "INDEX.DAT files keep a list of websites you have visited, cookies received and files opened/downloaded."
document.writeln "As a result anyone can find out what you have been doing on the Internet!"+VBNewLine
document.writeln "This program scans all history index files looking for any HTTP:// or FILE:// entries."
document.writeln "If found, the User/URL's are stored in a file called C:\SPY.HTM."+VBNewLine


' ======================== ActiveX Warning ========================
MsgBox "NOTE: Please click 'Yes' if prompted with the following message:"+VBNewLine+VBNewLine+"An ActiveX control on this page might be unsafe to"+VBNewLine+"interact with other parts of the page. Do you want to"+VBNewLine+"allow this interaction?"+VBNewLine+VBNewLine+"Click OK to start Spy scan ...",vbOKOnly,"Welcome"


' ======================== Setup Objects ========================
Dim oFSO : Set oFSO = CreateObject("Scripting.FileSystemObject")
Dim arrFiles : arrFiles=Array()
Dim oWShell : Set oWShell = CreateObject("WScript.Shell")


' ======================== Locate Index.Dat Folder ========================
' ---> WINXP/2K
If oFSO.FolderExists("C:\Documents and Settings\") Then
index_folder = "C:\Documents and Settings"
' ---> WIN9X
Elseif oFSO.FolderExists("C:\windows\") Then
index_folder = "C:\windows"
' ---> Browse For Folder
Else
index_folder = fnGetMyPathVB
End If


' ======================== Start Spy Scan ========================
If index_folder="None" Then
MsgBox "No Specified Folder. Scan Aborted."
Else
Set oStartDir = oFSO.GetFolder(index_folder)
sFileRegExPattern = "index\.dat$" ' match files named index.dat (the dot is escaped so "indexXdat" is not matched)
RecurseFilesAndFolders oStartDir, sFileRegExPattern
DisplayResults
End If


' ======================== Find ALL Index.Dat Files ========================
Sub RecurseFilesAndFolders(oRoot, sFileEval)
Dim oSubFolder, oFile, oRegExp
Set oRegExp = New RegExp
oRegExp.IgnoreCase = True

window.status="Scanning: "+oRoot

If Not (sFileEval = "") Then
oRegExp.Pattern = sFileEval
For Each oFile in oRoot.Files
If (oRegExp.Test(oFile.Name)) Then
If (InStr(oFile.Path,"History.IE")<>0) Then
ReDim Preserve arrFiles(UBound(arrFiles) + 1)
arrFiles(UBound(arrFiles)) = oFile.Path
End If
End If
Next
End If

For Each oSubFolder In oRoot.SubFolders
RecurseFilesAndFolders oSubFolder, sFileEval
Next
End Sub


' ======================== Display Results ========================
Sub DisplayResults()

Dim sReadLine, sArray, start, count,ub
Const ForReading = 1

Window.status="Scanning ..."

Set oTextStream = oFSO.CreateTextFile("C:\spy.bat")
oTextStream.Write "echo off"+VBNewLine

count=0
ub=UBound(arrFiles)
For Each elem In arrFiles
count=count+1
document.writeln elem
oTextStream.Write "echo Remaining Scans: "+CStr(ub+1-count)+VBNewLine
oTextStream.Write "find "+chr(34)+" "+chr(34)+elem+chr(34)+" >>c:\spy.txt"+VBNewLine
oTextStream.Write "find "+chr(34)+"file://"+chr(34)+" "+chr(34)+elem+chr(34)+" >>c:\spy.txt"+VBNewLine
Next

oTextStream.Close

If count=0 Then
Window.status="Aborted."
MsgBox "No Index.dat files found. Scan Aborted."
Exit Sub
End If

oWShell.Run "c:\spy.bat", , True

oFSO.DeleteFile "C:\spy.bat"

If oFSO.FileExists("C:\spy.htm") Then
oFSO.DeleteFile "C:\spy.htm"
End If

Set oTextStream = oFSO.CreateTextFile("C:\spy.htm")
Set oFilein = oFSO.OpenTextFile("c:\spy.txt",ForReading)

oTextStream.Writeline "<html><title>IE is spying on you!</title><body><b>Welcome</b><br><font size=2>"

' Each FIND hit looks like "Visited: <user>@<url>"; keep the part after ": " and split on "@"
Do While Not oFilein.AtEndOfStream
sReadLine = oFilein.ReadLine
start = Instr(sReadLine,": ")
If start <> 0 Then
sReadLine = Mid(sReadLine,start+2)
sArray = Split(sReadLine,"@")
If UBound(sArray) >= 1 Then ' skip lines with no "@"; indexing sArray(1) on them raises "Subscript out of range"
oTextStream.Write sArray(0) ' User
oTextStream.Writeline " <a href="+chr(34)+sArray(1)+chr(34)+">"+sArray(1)+"</a><br>" ' Visited URL (quoted so odd characters do not break the tag)
End If
End If
loop

oTextStream.Writeline "</font><b>End of Report</b></body></html>"

oFilein.Close
oTextStream.Close

oFSO.DeleteFile "C:\spy.txt"

Window.status="Done"
document.writeln "<b>Scan Completed.</b>"
MsgBox "Please check C:\SPY.HTM for details. Thanks!",0,"Spy Scan Completed."
oWShell.Run "C:\PROGRA~1\INTERN~1\IEXPLORE.EXE C:\SPY.HTM"

End Sub


' ======================== Specify Custom Index.dat Folder ========================
function fnGetMyPathVB()
dim oShell
dim oFolder
dim oFolderItem

set oShell = CreateObject("Shell.Application")
set oFolder = oShell.BrowseForFolder(0, "Choose a Folder", 0)

If oFolder is nothing Then
fnGetMyPathVB = "None"
Else
set oFolderItem = oFolder.Items.Item
fnGetMyPathVB = oFolderItem.Path
End If
end function


' ======================== End Of VBscript ========================
</script>

</pre></HTML>


__________________________________________________________

Good luck.

~ K.I.S.S - Don't make it any more complex than it has to be ~
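The syslog advice at the top of this reply is the real fix for the original question: a copy of the log that lives off the firewall survives an on-box clear or a power cycle, so the silence itself becomes evidence. The script below is an added example, not from the thread, of what to look for in that off-box copy: long silences between consecutive lines and administrative actions sitting next to them. The syslog lines and message texts are constructed and generic, not real SonicWall output, and the 30-minute gap threshold is an assumption to tune per site.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in RFC 3164 syslog form; the message texts are generic,
# not real SonicWall output. The 09:29 -> 10:27 silence mirrors the thread.
SAMPLE_LOG = """\
Apr 11 09:28:02 fw01 webfilter: blocked url=http://forbidden.example src=10.1.5.23
Apr 11 09:29:15 fw01 webfilter: blocked url=http://forbidden.example src=10.1.5.31
Apr 11 10:27:40 fw01 admin: login ok user=admin src=10.1.5.44
Apr 11 10:28:12 fw01 admin: log cleared user=admin src=10.1.5.44
Apr 11 10:30:05 fw01 fw: allow src=10.1.5.12 dst=198.51.100.8 dport=80
Apr 11 10:31:44 fw01 fw: allow src=10.1.5.19 dst=198.51.100.8 dport=443
"""

# "Mmm dd HH:MM:SS host tag: message"
LINE_RE = re.compile(r"^(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\S+?): (.*)$")
# Administrative actions worth a second look when they sit next to a silence.
ADMIN_RE = re.compile(r"\b(login|log cleared|restart|config changed)\b", re.I)


def parse_syslog(text, year):
    """Return (timestamp, host, tag, message) tuples. Syslog lines carry no
    year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a well-formed syslog line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_gaps(events, max_gap):
    """Silences longer than max_gap between consecutive lines. On a firewall
    that logs all day, a long silence means an outage or a stopped log."""
    return [(prev[0], cur[0]) for prev, cur in zip(events, events[1:])
            if cur[0] - prev[0] > max_gap]


def admin_events(events):
    """Admin-tagged lines; an on-box log clear cannot remove the off-box copy."""
    return [e for e in events if e[2] == "admin" and ADMIN_RE.search(e[3])]


def report(text, year=2005, max_gap=timedelta(minutes=30)):
    events = parse_syslog(text, year)
    return {"gaps": find_gaps(events, max_gap), "admin": admin_events(events)}


if __name__ == "__main__":
    for start, end in report(SAMPLE_LOG)["gaps"]:
        print(f"silence {start:%H:%M:%S} -> {end:%H:%M:%S} ({end - start})")
```

Run against the syslog server's file for the day in question; a gap that ends exactly when the on-box log begins, with an admin login just before it, is the timeline the firewall itself can no longer show.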
 
Sweet :)

Thanks for the update. Many people have been shocked at what it reveals...

~ K.I.S.S - Don't make it any more complex than it has to be ~
 