Please see the INSTALL file for installation details.

[ nlog v1.5.3 Release Notes ]


contents:
---------
1: What is nlog?
2: Managing Databases
3: Extending the CGI
4: Extras



(1) What is nlog?
-----------------

NLog is a set of PERL scripts for managing and analyzing your
nmap 2.0 log files.  It allows you to keep all of your scan
logs in a single searchable database.  The CGI interface for
viewing your scan logs is completely customizable and easy to
modify and improve.  The core CGI script allows you to add
your own extension scripts for different services, so every
host found running a given service gets a hyperlink to the
extension script for that service.  More information on
extending the core CGI is in Section 3 of this document.


(2) Managing Databases
----------------------

The Nlog database format is as follows:

<ip address>|<number of ports>|<port list>|<status>|<seqindex>|<OS>

The port list is a comma separated list of ports in this format:

portnumber.state.protocol.servicename

This was done for convenience in passing these into PERL arrays
with the split() function.  The script sample.pl included in this
release demonstrates how to write your own scripts that use the
same database format.

To create a new nlog database, you will need a log file generated
by nmap 2.0+ with the -m option (the machine-readable log format;
later nmap releases call it -oG).  Then use the log2db.pl script
to convert this into a flat-file database.

When combining two or more databases, the simplest way is to copy
them all into a single directory (say /tmp/db) and let sort(1) do
the work:

cat /tmp/db/* > /tmp/temp.db
sort -u /tmp/temp.db > /tmp/final.db

This orders the records by the IP-address field (lexically, so
10.0.0.9 sorts before 9.0.0.1) and removes exact duplicates.  Note
that sort -u only drops byte-identical lines: a host scanned twice
with different results is kept twice, and since nlog-search.pl does
no duplicate detection of its own, such a host will appear twice in
the results.  Write the merged file outside the input directory so
that a second run does not pick it up as input.

Copy your database into the directory defined in nlog-config.ph and
make sure the file is readable by the user the web server runs CGI
scripts as, then load the nlog.html page.  In the database field,
enter the file name of the database only, NOT a path: the name is
appended to the configured directory, and all '..' strings are
removed from it for security.
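The following is an added example written for this README, not code from nlog itself: a Python reader for the flat-file format above, a service search of the kind nlog-search.pl performs, a merge that does what `cat * | sort -u` does and additionally reports the hosts that survive it with differing records, and an allow-list check for the user-supplied database name. The record layout is the one given in this section; what the <status> and <seqindex> fields contain is not specified here, so the sample records are constructed and their values are assumptions.

```python
"""Added example (not part of nlog): read, search and merge nlog databases,
and resolve a user-supplied database name safely.  Record layout:
    <ip>|<nports>|<portlist>|<status>|<seqindex>|<OS>
    portlist = comma-separated portnumber.state.protocol.servicename
The sample records at the bottom are constructed; <status>/<seqindex>
values are assumptions."""
import ipaddress
import os
import re
from typing import Dict, List, NamedTuple, Tuple

class Port(NamedTuple):
    number: int
    state: str
    proto: str
    service: str

class Host(NamedTuple):
    ip: str
    ports: Tuple[Port, ...]
    status: str
    seqindex: str
    osname: str

def parse_port(token: str) -> Port:
    # Split on the first three dots only, so a service name that itself
    # contains a dot still parses.
    number, state, proto, service = token.split(".", 3)
    return Port(int(number), state, proto, service)

def parse_record(line: str) -> Host:
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != 6:
        raise ValueError(f"expected 6 '|'-separated fields: {line!r}")
    ip, nports, portlist, status, seqindex, osname = fields
    ipaddress.IPv4Address(ip)            # reject a malformed address early
    ports = tuple(parse_port(t) for t in portlist.split(",") if t)
    if int(nports) != len(ports):
        raise ValueError(f"{ip}: port count {nports} does not match the list")
    return Host(ip, ports, status, seqindex, osname)

def load_records(text: str) -> List[Host]:
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def hosts_with_service(hosts: List[Host], service: str, state: str = "open") -> List[str]:
    """IPs of hosts with `service` in the given state: the lookup behind the
    per-service hyperlink in the CGI."""
    return [h.ip for h in hosts
            if any(p.service == service and p.state == state for p in h.ports)]

def merge_databases(*texts: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Like `cat * | sort -u`: drop byte-identical lines.  Unlike sort, order
    by numeric IP, and return the IPs that still occur more than once because
    their records differ (sort -u cannot collapse those and nlog-search.pl
    would list them twice)."""
    lines = {l for t in texts for l in t.splitlines() if l.strip()}
    merged = sorted(lines, key=lambda l: ipaddress.IPv4Address(l.split("|", 1)[0]))
    by_ip: Dict[str, List[str]] = {}
    for l in merged:
        by_ip.setdefault(l.split("|", 1)[0], []).append(l)
    return merged, {ip: ls for ip, ls in by_ip.items() if len(ls) > 1}

DB_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def database_path(db_dir: str, name: str) -> str:
    """Resolve the name typed into the database field against the directory
    from nlog-config.ph.  Rather than deleting '..' substrings, accept only a
    plain file name (no '/' at all, no leading dot) and then confirm the
    resolved path still sits directly inside db_dir."""
    if not DB_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid database name: {name!r}")
    path = os.path.realpath(os.path.join(db_dir, name))
    if os.path.dirname(path) != os.path.realpath(db_dir):
        raise ValueError("database name resolves outside the database directory")
    return path

# Constructed sample databases (not real scan data).
SCAN_A = """\
10.0.0.9|1|111.open.tcp.sunrpc|up|3|Solaris 2.6
10.0.0.5|2|22.open.tcp.ssh,80.open.tcp.http|up|9|Linux 2.0.x
"""
SCAN_B = """\
10.0.0.5|2|22.open.tcp.ssh,80.open.tcp.http|up|9|Linux 2.0.x
10.0.0.9|2|111.open.tcp.sunrpc,2049.open.tcp.nfs|up|3|Solaris 2.6
"""

if __name__ == "__main__":
    merged, conflicts = merge_databases(SCAN_A, SCAN_B)
    hosts = load_records("\n".join(merged))
    print("hosts with sunrpc open:", hosts_with_service(hosts, "sunrpc"))
    for ip, records in conflicts.items():
        print(f"{ip}: {len(records)} differing records, review before merging")
```

The conflict report is the part `sort -u` cannot give you: a host whose port list changed between two scans shows up there, which is usually the interesting result of re-scanning in the first place.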


(3) Extending the CGI
----------------------

The nlog-search.pl script is easy to customize and extend with
your own CGI scripts.  For every host that has a certain service
running, the service field can be replaced by a hyperlink to a
CGI script of your choice, which receives the host's IP address
as its QUERY_STRING.

The extensions already included in this package are:

[ nlog-rpc.pl ]

This script is a wrapper for rpcinfo; the path to rpcinfo is set
in the nlog-config.ph file in the CGI directory.  If the NFS
service is found in the rpcinfo results, it then attempts to show
all current mounts and exports on that host.

[ nlog-smb.pl ]

This script first tries a NetBIOS node status query on the IP
passed to it.  It then uses the first <00> name received to list
all shares, the entries in the master browser list, and some
server information.  The username, workgroup, and NetBIOS name
used for these connections can be set in nlog-config.ph.

[ nlog-dns.pl ]

This simply runs nslookup on the IP in question and returns the
results to the results page.  It is the default CGI handler for
the hyperlink shown on the IP address.

[ nlog-finger.pl ]

This uses a user-defined finger program to query the IP passed to it.
The output is shown exactly as the normal finger program prints it.
To be on the safe side, use the safe_finger program included with
the TCP Wrappers package here: it limits the amount of data it will
accept from the remote finger daemon and strips control characters
from it, so a hostile host cannot flood or corrupt your results page.

[ nlog-bind.pl ]

This script is not set up by default; it resides in the extras/bind
directory after you extract this archive.  Read the README file there
for help on setting it up and adding the appropriate entries to
nlog-config.ph and nlog-search.pl.
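A minimal extension of the kind this section describes, as an added Python example (it is not one of the scripts shipped with nlog): it takes the IP from QUERY_STRING, refuses anything that is not a bare IPv4 address, runs the lookup tool as an argv list with no shell involved, caps and strips its output in the spirit of safe_finger, and HTML-escapes it before echoing it back to the results page. The tool path, output cap and timeout are assumed values standing in for what you would read from nlog-config.ph.

```python
"""Added example: a minimal nlog-search.pl extension in Python (not one of
the scripts shipped with nlog).  nlog hands the host's IP over as the
QUERY_STRING; everything below is about not trusting that string or the
output of the tool it is passed to.  TOOL, MAX_OUTPUT and TIMEOUT are
assumed values standing in for settings read from nlog-config.ph."""
import html
import ipaddress
import os
import re
import subprocess
import sys
from typing import List

TOOL = ["/usr/bin/nslookup"]   # assumed path; nlog keeps this in nlog-config.ph
MAX_OUTPUT = 64 * 1024         # cap on bytes echoed back, as safe_finger does
TIMEOUT = 20                   # seconds before the lookup is abandoned

_DOTTED_QUAD = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_query_ip(query_string: str) -> str:
    """Accept a bare dotted-quad IPv4 address and nothing else, so no shell
    metacharacter, option flag or hostname can reach the tool's command line."""
    qs = query_string.strip()
    if not _DOTTED_QUAD.fullmatch(qs):
        raise ValueError(f"QUERY_STRING is not a dotted-quad IPv4 address: {qs!r}")
    try:
        return str(ipaddress.IPv4Address(qs))   # also rejects octets above 255
    except ValueError:
        raise ValueError(f"QUERY_STRING is not a valid IPv4 address: {qs!r}") from None

def tool_argv(ip: str) -> List[str]:
    """argv list for subprocess: no shell is involved, so even a hostile
    argument would be passed to the tool as one literal word."""
    return TOOL + [ip]

def clean_output(raw: bytes) -> str:
    """Truncate, drop control characters other than newline and tab, and
    HTML-escape, so tool output can neither flood the page nor inject
    markup or terminal escape sequences into it."""
    text = raw[:MAX_OUTPUT].decode("ascii", "replace")
    text = "".join(ch for ch in text if ch in "\n\t" or 32 <= ord(ch) < 127)
    return html.escape(text, quote=True)

def run_extension(ip: str) -> str:
    try:
        proc = subprocess.run(tool_argv(ip), capture_output=True,
                              timeout=TIMEOUT, check=False)
        raw = proc.stdout + proc.stderr
    except (OSError, subprocess.TimeoutExpired) as exc:
        raw = f"lookup failed: {exc}".encode()
    return clean_output(raw)

def render_page(title: str, body: str) -> str:
    """CGI response; `body` must already be escaped (clean_output does that)."""
    return ("Content-Type: text/html\r\n\r\n"
            f"<html><body><h2>{html.escape(title)}</h2>"
            f"<pre>{body}</pre></body></html>\n")

def main() -> int:
    try:
        ip = parse_query_ip(os.environ.get("QUERY_STRING", ""))
    except ValueError as exc:
        sys.stdout.write(render_page("Request rejected", html.escape(str(exc))))
        return 1
    sys.stdout.write(render_page(f"Lookup for {ip}", run_extension(ip)))
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Try it from a shell with the CGI variable set, for example `QUERY_STRING=10.0.0.5 ./nlog-lookup.py` (the script name is an assumption), then wire it into nlog-search.pl the same way the shipped extensions are. The same three rules apply to any wrapper around rpcinfo, nmblookup or finger: validate the address strictly, never go through a shell, and treat what comes back from the remote host as untrusted.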




(4) Extras
-----------------

After you extract this archive, you will see an extras directory.
Inside it are two directories named bind and decoy.

The bind directory contains the source code and script to create
a BIND Info extension for nlog-search.pl.  The README file contained
there will walk you through the setup.

The decoy directory contains 4 files.

[ decoy.pl ]

This script is for those people scanning from dial-up accounts
that want to stay REALLY anonymous while scanning.  The target
hosts see what looks like a SYN flood coming from your entire
subnet, thereby losing the tree in the forest, as they say.

This script should be placed somewhere in your $PATH.

# Usage:  nmap -sS -f -vv -F target.com -D`decoy.pl 100.150.175 200`
#
# Assuming your IP is 100.150.175.200, it creates a decoy for
# every host in your subnet and then sends the packets in
# sequential order...

[ decoylist.pl ]

This is useful for blaming your scans on some other network, or for
sending a packet from every other IP that your DNS server has in its
zone.  If you were an evil type, you could create a list of the IPs
of people you disliked and use that to decoy your scan from.  Not
only would they get blamed, but they would receive a friendly ACK/RST
storm from every host you scan (well, depending on the scan type).

# reads decoys from a file, puts them into a comma separated list for
# use with nmap scans.
#
# Usage:  nmap -sS -f -vv -F target.com -D`decoylist.pl /tmp/decoys.list`
#
# the decoy list's format is one IP per line.
# the hostdump.pl script can be used to make
# a decoy list of all IPs in a top level domain.

[ hostdump.pl ]

Just a useful script to collect all the IPs from a `host -l` (zone
listing) dump and place them into a file.  Whether to generate an IP
list to scan or a list to decoy your scan from, it's pretty handy.

# Usage: ./hostdump.pl domain.com
#
# output is to domain.com.ipdb in your current directory

[ viper.net.ipdb ]

Just a sample IP list generated by hostdump.pl
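The three decoy helpers above, reimplemented as an added Python example (this is not decoy.pl, decoylist.pl or hostdump.pl from extras/): a /24 decoy list with nmap's ME keyword marking your real position, a file-backed list that validates every entry before it reaches nmap, and a parser for `host -l` output. The zone listing is constructed sample output in the "has address" format printed by the BIND host utility; older host versions print zone listings differently, so adjust the pattern for yours.

```python
"""Added example: the extras/decoy helpers reimplemented in Python (not
decoy.pl, decoylist.pl or hostdump.pl).  The `host -l` sample at the
bottom is constructed output in the 'has address' format; other host
versions print differently, so adjust HOST_L_RE for yours."""
import ipaddress
import re
from typing import List

def subnet_decoys(prefix: str, own_octet: int) -> str:
    """decoy.pl: every host in <prefix>.0/24 except .0 and .255, in order,
    with nmap's ME keyword at your own position so the real probe is
    interleaved with the decoys rather than sent first or last."""
    if not re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){2}", prefix):
        raise ValueError("prefix must be the first three octets, e.g. 100.150.175")
    if not 1 <= own_octet <= 254:
        raise ValueError("own_octet must be 1..254")
    ipaddress.IPv4Address(f"{prefix}.{own_octet}")      # rejects octets above 255
    return ",".join("ME" if i == own_octet else f"{prefix}.{i}"
                    for i in range(1, 255))

def file_decoys(text: str) -> str:
    """decoylist.pl: one IP per line -> comma-separated list.  Blank lines
    and '#' comments are ignored; a malformed entry aborts the run instead
    of silently handing nmap a bad decoy, and duplicates are dropped."""
    decoys: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        if entry != "ME":
            try:
                ipaddress.IPv4Address(entry)
            except ValueError:
                raise ValueError(f"line {lineno}: not an IPv4 address: {entry!r}") from None
        if entry not in decoys:
            decoys.append(entry)
    if not decoys:
        raise ValueError("decoy list is empty")
    return ",".join(decoys)

# One `host -l` line per A record; NS and SOA lines do not match and are ignored.
HOST_L_RE = re.compile(r"^(\S+)\s+has address\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def hostdump(host_l_output: str) -> List[str]:
    """hostdump.pl: collect the IPv4 addresses from a zone listing,
    de-duplicated and in numeric order (so .3 precedes .10)."""
    found = set()
    for line in host_l_output.splitlines():
        m = HOST_L_RE.match(line.strip())
        if m:
            found.add(ipaddress.IPv4Address(m.group(2)))
    return [str(a) for a in sorted(found)]

def nmap_argv(target: str, decoys: str) -> List[str]:
    """The scan line from the usage comments above, as an argv list."""
    return ["nmap", "-sS", "-f", "-vv", "-F", target, "-D" + decoys]

# Constructed sample zone listing (TEST-NET-1 addresses, not real hosts).
HOST_L_SAMPLE = """\
viper.net name server ns.viper.net.
ns.viper.net has address 192.0.2.1
www.viper.net has address 192.0.2.10
mail.viper.net has address 192.0.2.1
ftp.viper.net has address 192.0.2.3
"""

if __name__ == "__main__":
    print(nmap_argv("target.com", subnet_decoys("100.150.175", 200)))
    ips = hostdump(HOST_L_SAMPLE)
    print(nmap_argv("target.com", file_decoys("\n".join(ips))))
```

Two things to check before using a long list: newer nmap releases cap the number of decoys they accept (look for the MAX_DECOYS limit in your version, since a full /24 exceeds it), and, as the text above says, every address you put on the list receives the replies, so only use addresses you are entitled to implicate.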



Anyways, sorry about the messy documentation and happy holidays.

Thanks go out to:

	Fyodor for making this useful and writing the
	most comprehensive portscanner the world has
	known. ;)

	Swifty for donating the web/shell space.
	
	Duke for pointing out some glaring security problems.

	And those nice Japanese officials that make scanning
	.jp networks completely legal (fodder for nlog).



	--+ spinux ]
{
	email - nlog.ings.com
	web   - http://nlog.ings.com
}
