ClearRoute Online Help 
QuickStart Guide

Latest Update: 8/03/2003 3:07 PM
MD5 Signature: 689B6E69A88AB38C820414DC5B075A82

Check MD5 with this tool


Before reporting attacks, determine the level of threat each one actually poses to your system.  Reporting could have been automated further; the choice not to do so is a very deliberate one on my part, for a good common-sense reason.

It is imperative that good old human judgment be used in deciding which attacks should actually be reported.  Bear in mind that the source address on a single blocked packet can be spoofed, so the address you look up is not always the machine that sent it.

Do NOT report probes from the Shields Up web site, as these are not actual attacks: they are the port scans you asked that site to run against you!

Thanks, 
Ben E. Brady
Brady & Associates, LLC.

Step 1. Configuration
Go to Options and point to the Security.log file in the \Program Files\WinRoute Pro\Logs folder.
Enter the path to your favorite WhoIs trace utility.  ClearRoute ships with SWLAUNCHER.EXE, an interface to SmartWhoIs.  It will also work with NeoTrace from NeoWorx.

Click OK to save the Options settings.

Step 2. Importing the WinRoute Log file
Go to the File menu and select File|Import Log file.  You will do this every time you start the program.  (A future enhancement will make this happen automatically at startup.)

When the import has finished, make a backup copy of the Security.log file, then delete Security.log and let WinRoute create a new one.  Keep the backup: it is the original evidence if an ISP asks you to substantiate a report.  (I need some feedback from users about how they would like this handled in the next release.)

Step 3. Analyzing the data

Go to the Browse menu and select WinRoute Interceptions to see the imported data.
Click any of the tabs on the screen to sort the data in the order you want.
Clicking the Date & Time tab sorts in DESCENDING order, newest attack first.

NOTE: Clicking the column heading for TIME sorts the records by the time field alone, so the display may NOT be what you expect.  The proper way to sort on the TIME column is to use the Date & Time tab.  That index is purposely set to display the most recent attack first.


Step 4. Reporting the Attacks - Quickstart instructions
Highlight any attack in the browse and click the WhoIs button.  If you have entered the path to the executable of your favorite WhoIs utility, it will be launched with the IP address of the highlighted attack appended to its command line.  Make a note of the email address for comments regarding that network.  Usually you can send abuse reports to abuse@domain, but not in all cases; if the WhoIs record lists an abuse contact of its own, use that.

NOTE:
I have included SWLAUNCHER.EXE with ClearRoute to provide an interface to SmartWhoIs.  So far, this is the only WhoIs utility I have found that will take an IP address on the command line.  I will be working on my own utility for this, but it will take some time to complete.  For the WhoIs button to be activated you MUST enter the path to the executable file of your WhoIs utility in the Options screen.  If you would like to purchase SmartWhoIs, use the following link: Purchase SmartWhois.

 
WhoIs Query

NEW! (v 1.3) You can now do a WhoIs query from within the program itself.  If you are not using one of the third-party WhoIs utilities mentioned above, the internal WhoIs will be used.  To use a third-party utility, go to the Options screen, select the External WhoIs checkbox, and then enter the path and filename of the utility you want to use.

Highlight any attack and click the "Email Attack" button to copy the attack details to the clipboard so you can email them to the attacker's ISP.

Open your email client, enter the ISP's email address in the "TO:" field, enter an appropriate subject line, place the cursor in the body of the message and paste the attack details into it (CTRL-V works as well).  Send the email.

If you would like more details regarding the reporting of attacks, see "A Deeper Explanation of reporting attacks" below.
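As an added worked example (not ClearRoute's own code, which is not on this page), the import and triage of Steps 2 to 4 in Python: read a Security.log, fingerprint each line with MD5 to drop duplicates (the technique the 2.0 release notes describe), flag private-address and self-to-self entries, sort newest first, and build the command line for an external WhoIs tool.  The log layout, the sample entries and the addresses are constructed; the real WinRoute Pro line format will differ, so the regular expression is the part to adapt.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in a WinRoute-like "[timestamp] ... PROTO src:port -> dst:port"
# layout. The real WinRoute Pro Security.log fields differ in detail; adjust
# LINE_RE to your file. Addresses are RFC 5737 documentation ranges (note that
# ipaddress.ip_address(...).is_private is True for those, which is why the
# RFC 1918 check below is spelled out explicitly instead).
SAMPLE_LOG = """\
[03/Aug/2003 14:02:11] Packet filter: Rule 'Deny all': denied In TCP 203.0.113.45:4123 -> 192.0.2.10:1433
[03/Aug/2003 14:02:11] Packet filter: Rule 'Deny all': denied In TCP 203.0.113.45:4123 -> 192.0.2.10:1433
[03/Aug/2003 14:05:40] Packet filter: Rule 'Deny all': denied In UDP 10.0.0.7:137 -> 192.0.2.10:137
[03/Aug/2003 13:59:02] Packet filter: Rule 'Deny all': denied In TCP 192.0.2.10:2048 -> 192.0.2.10:80
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\] .*?"
    r"(?P<proto>TCP|UDP|ICMP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


@dataclass(frozen=True)
class Interception:
    when: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    signature: str  # MD5 of the raw line: a dedupe key only, not a security hash


def parse_log(text):
    """Import interceptions, dropping exact duplicates and non-matching lines,
    and return them newest first (the order the Date & Time tab uses)."""
    seen, records = set(), []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sig = hashlib.md5(raw.encode()).hexdigest()
        if sig in seen:
            continue
        seen.add(sig)
        records.append(Interception(
            when=datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S"),
            proto=m["proto"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]), signature=sig))
    records.sort(key=lambda r: r.when, reverse=True)
    return records


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def worth_reporting(rec):
    """No ISP to write to for a private source, and src == dst is your own
    box talking to itself; both get flagged rather than reported."""
    return not is_private(rec.src) and rec.src != rec.dst


def is_plain_ip(value):
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def whois_argv(tool_path, ip):
    """argv for launching the external WhoIs tool with the IP appended.
    Validate first: a log field that is not a bare IP must never reach a
    command line. Run it with subprocess.run(argv), never through a shell."""
    if not is_plain_ip(ip):
        raise ValueError(f"not an IP address: {ip!r}")
    return [tool_path, ip]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        flag = "report" if worth_reporting(rec) else "skip"
        print(f"{rec.when:%Y-%m-%d %H:%M:%S} {rec.proto:4} "
              f"{rec.src}:{rec.sport} -> {rec.dst}:{rec.dport}  [{flag}]")
```

Run it directly to print the triaged list.  Passing the IP as its own argv element, and refusing anything that is not a bare IP, matters because the field being appended to the command line comes from an untrusted log; concatenated into a shell command string, a crafted field could become extra arguments to the WhoIs tool.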

Your feedback is appreciated!
I am actively seeking input from you, the users, to determine the development direction of the product.  What other features would you like to see?  Have an idea or a suggestion?  Please click on the email link below and send me your comments.

Ben E. Brady
Brady & Associates, LLC.

Version History:

ClearRoute Pro 3.1 Released August 3, 2003
New HTTP log analysis module.  Rapid import of HTTP log information with detail and summary analysis of URLs visited, by IP address, by user name and by date.

ClearRoute Pro 3.0 Released May 9, 2002
NEW FEATURES!
New Query Wizard, Report Wizard and Export Wizard for faster filtering
The graphing engine has been replaced; not all features are implemented yet, please watch for updates.
Due to piracy of earlier versions, we have had to implement mandatory registration and licensing renewals.
NOTE: All ClearRoute licenses are for a period of 1 year.

Special Edition - 2.1 Released April 2, 2001
Added ability to clear ClearRoute database file prior to importing new log entries.
Added capability to recognize log entries where the Source IP and Destination IP is the same.
Added column coloring to display "private" network IP addresses. 
Added column header sorting for alternate sort orders.
Added Graphing, HTML and CSV output.
Modified QBE to use a more intuitive interface for submitting queries.
Modified resizing of window controls for maximizing the application.
Modified the layout of the Browse window to display the data more appropriately.
Modified import procedure to speed up import of very large files.

Special Edition - 2.0 Released March 26, 2001
Added hardcopy reporting of log entries.
Added Query by Example functionality to browse.
Added MD5 signature calculations to import process to eliminate duplicate records.
Added record tagging and browse filtering based upon tagged records.
Added batch delete of records or tagged records from database.
Modified import process to increase speed of imports.

1.7
Added scroll bars to the port text information boxes in the browse window.

1.6
Added update technology from Digital Transit and made some minor corrections to the user interface.

1.5
Changes made to the URL links in the application to point to the Firewall Reporting website for Online Help file.

1.4
Increased the number of categories for the graphing option. 
Modification to the Purchase ClearRoute button to make purchasing through PayPal even easier!

1.3

Added message to be displayed to user when Email Attack button is pressed to alert them of the copying of the attack details to the clipboard.

1.2
Added new functionality for the use of an INTERNAL WhoIs query.  This allows you to use the internal code for querying the ARIN database, or an external program such as SmartWhoIs or NeoTrace.

1.1
Added port descriptions to display attack information based upon port numbers for Source and Destination ports.

1.0
First public release.

A Deeper Explanation of reporting attacks

If you have an attack that you want to report, highlight it in the browse list and press the WhoIs Trace button.
 
Depending on whether you are using an external WhoIs query tool such as SmartWhoIs or NeoTrace, or the internal WhoIs query, you will get somewhat different results.  I will explain this using the internal WhoIs query.
 
The intruder's IP address is "controlled" by its ISP.  The WhoIs query results will usually show you what organization controls the address in question, but sometimes it takes a little more digging, and sometimes an educated guess, depending on what results you get.
 
The main information you want is the DOMAIN for the IP address.  The best place to look for this is the email address of the domain coordinator, if it is shown in the query results.  This will show up as something like (but not exactly; these are just examples) admin@sprint.net, <some name>@aol.com or admin@earthlink.net, to name a few.
 
Once you have the domain name, you have to determine which email address should receive the actual report.  Most ISPs use 'abuse@<domain.org>' as the recipient for emails concerning abuse of their service.  This is not always the case.  Sometimes you will send an email and get a bounce telling you that was not the proper address, in which case you should then send it to 'admin@<domain.org>'.
 
So now you have the email address.  The next step is to collect the attack information onto the Windows clipboard.  You do this by pressing the "Email Attack" button.  The details of the attack are copied to the clipboard and you get a message instructing you to start a new email message and paste the contents of the clipboard into its body.

To do this, start your email program (Outlook Express, AOL, Netscape, Pegasus, etc.) and compose a new message.  Address it to the email address you found by researching the WhoIs information.

 
Put your cursor in the body of the email message and press CTRL-V, or right-click and select PASTE from the popup menu (I find CTRL-V easier).  Put a subject on the message; I usually use "Suspicious activity by your subscriber" in the subject line.  Then press Send.
 
When you have completed this, you will see a little green ball beside the entry in the Browse for the attack that has just been reported, to let you know that you have taken action on that particular attack.
 
Now all you have to do is wait for some sort of response from the ISP.  Some will send you an auto-responder and some will actually be from a person who is investigating the attack.  There are a few ISPs that tend not to respond (Bellsouth comes to mind), but I am sure that if you press the issue you can get some sort of response.  If sending to abuse@ doesn't work, then send it over their heads to the administrator.
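The WhoIs-to-abuse-address reasoning above, and the clipboard text the Email Attack button produces, as an added example in Python rather than ClearRoute's own code: a minimal port-43 whois client (a live network call, not exercised by the offline demo), a routine that turns a whois answer into an ordered list of addresses to try (an explicit abuse mailbox first, then abuse@ and admin@ of each domain the record mentions), and a report body to paste into the email.  SAMPLE_WHOIS, the isp.example domain and the report layout are all constructed for the demo, not taken from a real registry or from ClearRoute.

```python
import re
import socket

# Constructed whois answer in the key/value style ARIN returns. Real records
# vary by registry; only lines carrying an e-mail address matter here.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET
OrgName:        Example Internet Services
OrgAbuseEmail:  abuse-desk@isp.example
OrgTechEmail:   noc@isp.example
"""

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def whois_query(ip, server="whois.arin.net", timeout=10):
    """Plain RFC 3912 whois over TCP/43: send the query, read until the
    server closes. A live network call, so the offline demo below does
    not invoke it. If ARIN does not hold the block it may answer with a
    referral to the responsible registry; query that server next (the
    "little more digging" the text mentions)."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(f"{ip}\r\n".encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")


def candidate_contacts(whois_text):
    """Addresses to try, in order: any abuse mailbox named in the record,
    then abuse@<domain> and admin@<domain> for each domain the record
    mentions (admin@ is the fallback when abuse@ bounces)."""
    explicit, domains = [], []
    for m in EMAIL_RE.finditer(whois_text):
        addr, domain = m.group(0).lower(), m.group(1).lower()
        if addr.startswith("abuse") and addr not in explicit:
            explicit.append(addr)
        if domain not in domains:
            domains.append(domain)
    out = list(explicit)
    for domain in domains:
        for guess in (f"abuse@{domain}", f"admin@{domain}"):
            if guess not in out:
                out.append(guess)
    return out


def report_body(when, proto, src, sport, dst, dport, utc_offset):
    """The attack details to paste into the e-mail body. Constructed layout,
    not ClearRoute's exact clipboard format. The UTC offset is what an
    abuse desk needs to line the entry up with its own logs."""
    return "\n".join([
        f"Time:        {when} (UTC{utc_offset})",
        f"Protocol:    {proto}",
        f"Source:      {src}:{sport}",
        f"Destination: {dst}:{dport}",
        "Logged by:   WinRoute Pro firewall (Security.log interception)",
    ])


if __name__ == "__main__":
    print("Try in order:", ", ".join(candidate_contacts(SAMPLE_WHOIS)))
    print()
    print("Subject: Suspicious activity by your subscriber")
    print(report_body("2003-08-03 14:02:11", "TCP", "203.0.113.45", 4123,
                      "192.0.2.10", 1433, "-07:00"))
```

Stating the UTC offset of your log timestamps is the single detail most abuse desks ask for when it is missing; a bare local time cannot be matched against the ISP's own records.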