Changelog for CVTWIN

(Check http://www.dshield.org/windows_clients.html for the most recent version of CVTWIN.)

11/18/2009 2.0.22 Updated 'Kiwi WatchGuard Edge E' converter to also work with the 'WatchGuard X20e' firewall. Thanks to Randy Kraft for helping with this.

10/13/2009 2.0.21 Fixed logging when using the '-noui' option when using uploading with HTTP. See the entry for 11/13/2007 2.0.11 for info on uploading your log with HTTP. This is an option if you can't send your log as SMTP. (Error detection for uploading as HTTP is weak. If uploading as HTTP works, it works. But if it doesn't work, CVTWIN might not detect an error.)

07/03/2009 2.0.20 Updated Kiwi Zytel to not reject "ACCESS DROPPED" logs. Thanks to Daniel Salzedo for helping with this.

04/02/2009 2.0.19 Fixed Time Zone offset logic for British Summer Time. Thanks to Tony Hall for helping with this.

Added new converter for BitDefender firewall. Thanks to Nick Butter for helping with this.

03/31/2008 2.0.18 Updated EFF converter to convert more valid log lines. Thanks again to Gary Weaver for helping with this.

03/26/2008 2.0.17 Updated ESS converter to fix a bug with timestamp conversion.

03/23/2008 2.0.16 Updated ESS converter so that it converts more usable log lines. Thanks again to Gary Weaver for helping with this.

03/21/2008 2.0.16 Fixed a bug with timestamp conversion for new ESET Smart Security firewall (only). ESS users should not use CVTWIN 2.0.15.

03/20/2008 2.0.15 Added new converter for ESET Smart Security firewall. Currently, you must manually export a log with the "TXT" option. Thanks to Gary Weaver for helping with this.

02/11/2008 2.0.14 Updated Kiwi Netgear converter to work with Netgear FVS318v3 router. Thanks to Alexander Haeusermann for helping with this.

11/15/2007 2.0.13 Wrote a new converter for the Astaro firewall. You need to log into the router and save the ips.log and packetfilter.log logs to your disk. Then configure CVTWIN to use one of these logs. CVTWIN will automatically process both logs, no matter which one you configure CVTWIN to use.

Thanks to Bryant Smith for helping with this.

11/14/2007 2.0.12 Fixed Enable/Disable bug in 'File/Upload to...' feature.

11/13/2007 2.0.11 Added a new method up transmitting logs that we hope will eventually replace using email and all the fun of configuring the SMTP server. This is still in the experimental stage, but we'd like people to try it. For now, it works like this:

Edit your CVTWIN.INI file (Edit/Edit CVTWIN.INI) and add this variable:

sndHTTP=http://www.dshield.org/post.html

Then stop CVTWIN and start it again. Do a conversion. Under the 'File' menu, you should now see

Upload to http://www.dshield.org/post.html

Use this instead of 'File/Email to reports.dshield.org' to send the log to DShield. If you have the 'sndHTTP' variable defined and if you use the '-noui' option to run CVTWIN from the task scheduler, CVTWIN will use this 'upload' method instead of using SMTP (email)

Please try this method. If you have any problems with it, write us at info@dshield.org with the particulars. TIA.

10/3/2007 2.0.10 Updated Kiwi Linksys RVS2000 converter. Thanks to Jim Leininger for helping with this.

9/28/2007 2.0.9 Added new conver for logging software that will be available for the Belkin F5D7633-4 router. This logging software is currently beta, so F5D7633-4 users should write us at info@dshield.org if the released software changes such that this new 'Belkin' converter doesn't work. TIA. Thanks to Roger Mew for helping me with this.

9/19/2007 2.0.8 Added new converter for the Linksys RVS2000 router, using Kiwi Syslog Daemon. Thanks to Jim Leininger for helping with this.

9/5/2007 2.0.7 Added new converter for Corega CG-WLBARGMO router. Thanks to Chuck Johnston for helping with this.

8/7/2007 2.0.6 Updated the Kiwi D-Link DI-604 converter to work better with D-Link DIR-655 wireless router logs.

7/13/2007 2.0.5 Wrote a new converter for 3Com routers using Kiwi Syslog Daemon. Thanks to Stephen Price for helping with this.

6/28/2007 2.0.4 Wrote a new converter for the Airlink101 AR504 router.

6/27/2007 2.0.3 Wrote a new converter for Watchguard Firebox X Edge E Series using Kiwi Syslog Daemon. Use the "Kiwi Syslog Daemon (WatchGuard Edge E)" converter. Thanks to John J. Le Tellier for helping with this.

6/19/2007 2.0.2 Added support for auto-detecting a newer version of Agnitum Outpost Firewall Pro. Thanks to Jonathan Esker for helping with this.

5/29/2007 2.0.1 Minor updates to make CVTWIN be a bit more resilient to issues I noticed while investigating Vista.

Vista note 1: I found that the Windows firewall log in Vista is now heavily read protected. If you try to convert 'Windows Vista Firewall' and get this error:

Error opening C:\Windows\system32\LogFiles\Firewall\pfirewall.log

Error # 75 was generated by Project1
Path/file access error

Then you need to run CVTWIN as administrator. Right click on the CVTWIN shortcut and choose "Run as administrator."

Vista Note 2: Thus far, I haven't figured out how to get CVTWIN to run from the Task Scheduler. If Note 1 applies to you, then you definitely won't be able to run from the Task Scheduler, because you can't automate 'Run as administrator'. I'm still working on this.

Vista note 3: I have received one report that CVTWIN doesn't run properly on the 64 bit version of Vista. (MSINET.OCX didn't register.) At this time I have no way of testing this. CVTWIN *should* install and run properly on the 32 bit version of Vista, which I trust is what most of you are using. CVTWIN is written in Microsoft Visual BASIC 6 and Microsoft claims that VB6 is compatible with Vista.

Support Statement for Visual Basic 6.0 on Windows® Vista™
http://msdn2.microsoft.com/en-us/vbrun/ms788708.aspx

I'm sure that this will be resolved eventually. If you know your way around Windows (and know how to establish a system restore point!) and are willing to be adventerous, then look at the following paragraphs about manual installation. If not, then cover your eyes and don't read any further.

Also, I updated the "Manual Installation" procedure
http://www.dshield.org/clients/cvtwinupdatesys.html

Normally you can forget about manual installation, because setup.exe handles all these gory details. But if you are having problems getting CVTWIN installed using the normal setup.exe, then you might want to try manual installation.

5/14/2007 2.0.0 Bumped the version number in honor of the DShield 2.0 site makeover. The functional change is that we now use a password for logging in, so the CVTWIN configuration dialog has a new field for Password.

For existing users, your password will be your DShield UserID number. When you log in, you can change it to whatever password you want. New users will be prompted to choose a password when they first register. Then their UserID number will be emailed to them, just like always. We still use the UserID for submissions so it is still in the CVTWIN Configuration.

One other change is that we changed all the filenames on the site from ".php" to ".html" So update any bookmarks you have.

One semi-major change is CVTWIN will now attempt to configure new installs to use %APPDATA% for all its configuration and temporary files. Previously, CVTWIN would use the directory that it is installed in (typically, C:\Program Files\cvtwin). But this doesn't work on Vista (and was frowned on for Win NT/2K/XP.) So.... the new logic is:

CVTWIN starts.

It looks for cvtwin.ini in the directory it is running (C:\Program Files) if it finds cvtwin.ini there it uses it and works like it always has.

If CVTWIN *doesn't* find cvtwin.ini, it now examines the system %APPDATA% environment variable. This typically points to

C:\Documents and Settings\{USER}\Application Data (NT/2K/XP)
C:\Users\{USER}\Appdata\roaming (Vista)

where '{USER}' is the user that is running CVTWIN. It will then create %APPDATA%\cvtwin and will then create a brand new cvtwin.ini and other misc. files in this directory. CVTWIN will create 'cvtwintemp.txt' in the program it is running in. The first line in cvtwintemp.txt contains the directory that CVTWIN will use for configuration files (cvtwin.ini, etc.) and for temporary files.

Once cvtwintemp.txt has been created, then cvtwin won't need to write to C:\Program Files\cvtwin any more. This should solve (most?) permissions and file access errors that currently prevent cvtwin from working with Vista. Hopefully. If you find addtional problems, please write to info@dshield.org.

Also updated the Kiwi D-Link DLG-4100 converter so it now converts log lines that were falsely rejected before. Thanks to Eric Esslinger for helping me with this.

11/6/2006 1.2.55 Fixed problem where some IPs were wrongly being rejected for being local IPs. Specifically, there wa an error in detecting the 172.16.0.0 - 172.31.255.255 range. Thanks Karl Prince for helping with this.

8/29/2006 1.2.54 Added new converter for DLink DGL-4100 router, with Kiwi Syslog Daemon. Thanks to Eric Esslinger for helping with this.

08/22/2006 1.2.53 Fixed a bug in the Routerlog converter that caused it to not get the correct target IP in newer Routerlog logs. Thanks to Jiri Hadamek for helping with this.

08/14/2006 1.2.52 Fixed autoconfiguration for Windows ICF firewall. Thanks to Tze-Meng Tan for helping with this.

08/08/2006 1.2.51 Updated Routerlog converter to work with newer version of Routerlog logs. Thanks to Jiri Hadamek for helping with this.

07/28/2006 1.2.50 Fixed a fatal error that I had introduced in "Writing to a different directory"

http://www.dshield.org/clients/cvtwinreference.html#cvtwintemp

Thanks to Gylver Wagnon for helping me with this.

05/13/2006 1.2.49 Updated/Fixed Kiwi WatchGuard SOHO 5 convert so it also works with Watchguard X15 firewalls. Thanks to Allen P. Hurnyak for helping with this.

04/06/2006 1.2.48 Updated McAfee 4 converter to support additional fields that are in newer versions of McAfee Firewall. A reminder that you need to manually export your McAfee logs. Thanks to Nicky Wood for helping with this.

02/16/2006 1.2.47 Added support for CVTWIN for the 3Com 3C857 router. Thanks to Rory Starkweather for helping with this.

01/17/2006 1.2.46 Updated ISS BlackIce converter to support ASN1_Constr_BitStr_Heap_Corruption types. Thanks to Scott Fendley for helping with this.

01/17/2006 1.2.45 Added support for Watchguard using Fireware Pro 8.0 (using Kiwi Syslog Daemon.) Thanks to Wayne Campbell for helping with this.

11/15/2005 1.2.44 Internal enhancements.

10/22/2005 1.2.43 Fixed error in Trend Micro Internet Security (AKA PC-Cillin) converter that was converting (presumably) ICMP lines with bogus type and code fields, instead of rejecting them. Thanks to Robert Denlinger for pointing this out.

10/19/2005 1.2.42 Added additional support for Linksys WRT54G and WRT54GS routers. You should read the docs for this at http://www.dshield.org/clients/linksys_wrt_kiwi_setup.html because you need to update the router's firmware first.

10/17/2005 1.2.41 Updated D-Link 704P/Gentek/Level One router converter to convert more valid lines. Thanks to Chuck Williams for helping with this.

Undid the date comparison change I made in 1.2.39, because it was correct before. Users of 1.2.39, 1.2.40 should upgrade to 1.2.41. Sorry.

9/29/2005 1.2.40 Updated PC-Cillin converter to also work with PC-Cillin 2006 log format. Thanks to Robert Denlinger for helpiing withs.

9/28/2005 1.2.39 Updated 8signs (and VisNetic/Ambra) firewall converter to recognize more valid log lines. Changed date comparision so it won't reject log lines that have a timestamp that is the same as the 'Last Saved Date/Time' Note that you need to manually configure the log file name for 8signs.

6/12/2005 1.2.38 Fixed a bug in the Kiwi Netscreen converter that caused it to not convert some destination ports.

5/27/2005 1.2.37 And updated the PC-cillin converter so it will actually convert PC-cillin 2005 logs. Thanks again to David Schwartz for helping me with this.

5/26/2005 1.2.36 Updated Trend Micro PC-cillin so it will auto-configure properly for 2005. (The year is part of the program's path....) Thanks to David Schwartz for helping me with this.

Changed the name of the converter from "PC-Cillin" to "PC-cillin" to reflect how Trend Micro capitalizes it. Both capitalizations should work.

5/21/2005 1.2.35 New converter for AVG Firewall. Thanks to Kenneth Coney for helping with this.

5/21/2005 1.2.34 Updated DLink DI 704P converter so it will process more valid log lines. Thanks to Chuck Williams for helping with this.

Added new converter for the Checkpoint VPN-1 Edge device. Thanks to John Cahill for helping with this.

5/3/2005 1.2.33 Updated Cisco converter to work with another variety of Cisco PIX logs. Because there are a *lot* of varieties of Cisco logs, there are several different Cisco converters. Thanks to Tim Tyndall and Felipe Neto for helping me with this.

Updated autoconfiguration for Tiny Firewall 6.5 and Sygate Firewall.

1/23/2005 1.2.32 Updated the Norton auto-configure logic to hopefully make it be more robust. And rewrote the live hints text for the Norton converters that you see in Edit/Configure dialog. You probably don't need to upgrade if cvtwin is already working. But this might be less confusing for new Norton users.

1/22/2005 1.2.31 Fixed Norton converter (for all versions from Norton 2003 to the present) where the remote IP was convert as the local IP in some circumstances. All Norton users should upgrade. Thanks to Jerry Lind for pointing the exact problem out so I could find it.

1/22/2005 1.2.30 Added a new converter for Norton Internet Security 2005. They changed things again.... The best way to configure this is to remove your existing C:\Program Files\cvtwin\cvtwin.ini file before installing this version, so that the first time this version of cvtwin runs, it will auto-configure for Norton Internet Security 2005. (CVTWIN only auto-configures if cvtwin.ini doesn't exist when it starts.)

Note that cvtwin.ini has your configuration information, so don't blindly delete the old version. It is better to copy it to someplace else. Then load it into Notepad to find your existing config info. If you have any questions or problems, write to info@dshield.org.

Also fixed the Norton converter so it passes more varieties of valid logs.

Thanks to Jerry Lind for helping with this.

1/18/2005 1.2.29 Fixed overly optimistic error checking in the program init routine, where it could crash with a "Runtime error, Input past end of file" error if one of the configuration files wasn't formatted the way it expected it to be. Now CVTWIN is properly suspicious. Trust but verify. Thanks to Marc Sachs for helping with this.

1/2/2005 1.2.28 Removed redundant logic from Microsoft ICF converter so it will run faster. Thanks to Andrew Colbeck for pointing this out.

1/2/2005 1.2.27 Fixed a bug in Microsoft ISA converter that caused it to crash with a "Subscript out of range" error. Thanks to Rolf Huisman for helping me solve this.

12/31/2004 1.2.26 Updated Microsoft ISA converter so that it now works with ISA Server 2004. Thanks to Rolf Huisman for helping with this.

Updated Windows ICF converter so it doesn't reject valid lines. Thanks to Andrew Colbeck for helping with this.

10/21/2004 1.2.25 Fixed a fatal bug with the Symanted VelociRaptor converter in that it was hanging when processing logs that uses LF (instead of CR/LF) as the line terminator.

Note that because VelociRaptor logs tend to be large, you might want to disable CVTWIN from creating the "status" file that lists each log line and how it was created. The "status" file is all well and good, but it is probably good to throw it over the side when processing log files that are many megabytes long. To disable the "status" file, edit cvtwin.ini from the 'Edit' menu and look for '# NoStatus=1' Uncomment this by removing the '# ' from the beginnin of the line.

10/14/2004 1.2.24 Updated conversion for Windows XP ICF firewall so that it excludes outgoing 'SEND' accesses. All users of ICF should upgrade. Thanks to Peter Groot for helping with this.

10/12/2004 1.2.23 Added a button to Edit/Configure so you can check to see if you are configured with the correct time. The button does the same thing as going to http://www.dshield.org/timestamp.html This will cause our server to access your machine with a single packet for the purpose of adding an entry to your log at a known (to us) time. Later, when we process your log, we will look for this line and will send you an email telling you if your log's timestamps are correct. If they are not, then please correct this, because it is very important that the timestamps are correct. Note that the time only needs to be correct within a minute or so. It will (probably) never match exact to the second because of propogation delays and other slop in the gears.

If you have any trouble with this, please write to info@dshield.org.

Updated the Sygate converter because it was not converting the log lines that were generated by the above timestamp test. (Even though it should have. This just exposed a latent conversion bug.) Thanks to Chris Salter for helping with this.

10/08/2004 1.2.22 Updated Kiwi Linksys converter so it works better with BEFSX41 logs.

Sigh. Updated Norton Personal Firewall (and Norton Internet Security) configuration to deal with the fact that some versions of Norton don't contain the logexprt.exe program that is used for automatic log exporting. Which means that these users must manually export their log each time. CVTWIN should now auto-configure appropriatly for each circumstance. If it doesn't, then write info@dshield.org. Thanks for Roger Branton for helping me figure this out.

We have been finding more logs have the time and/or time zone sent incorrectly then is desirable. This is not a good thing because it means that the "Fightback" abuse reports that we send aren't as reliable as they should be. *Please* review the information on how to set your system's time at http://www.dshield.org/windows_clients.html#time

9/24/2004 1.2.21 Added new converter for SMC SMC2804WBRP-G router using Kiwi Syslog Daemon. Thanks to Mark McIntyre for helping with this.

Fixed a bug in WindowsXP ICF converter in that it wasn't putting the time zone in the converted log. Thanks to Peter Groot for helping with this.

9/8/2004 1.2.20 Added new converter for the m0n0wall firewall using Kiwi Syslog Daemon.

8/2/2004 1.2.19 Fixed problem with "Login to DShield" button in 'Edit/Configure" not working because the old "http:/www.login.html" URL doesn't work anymore. Changed CVTWIN internal logic to use "https://secure.dshield.org/login.html"

7/30/2004 1.2.18 Updated date and time conversion logic for all versions of Kiwi Syslog Daemon. If this causes the date conversion to break, try CVTWIN 1.2.17 at http://www.dshield.org/clients/cvtwin_old.zip and report the problem to info@dshield.org so I can fix it. Please include a Kiwi log sample that demonstrates the problem (as an attachment.) To maximize the chances of Kiwi/CVTWIN working, please configure Kiwi as described at http://www.dshield.org/clients/kiwi_setup.html

Because more and more ISPs are blocking port 25 in an effort to throttle infected machines that have been taken over and being used to send SPAM (!) this breaks CVTWIN's send-the-converted-log-as-email-to-reports.dshield.org. As a workaround, we set up an alternate mail server that works on non-standard port port 81. To use this, configure SMTP in CVTWIN's Edit/Configure dialog to be 'aolmail.dshield.org' One side effect of doing this is that you won't be able to send a copy of the log to yourself.

7/27/2004 1.2.17 New converter for Watchguard SOHO 5, using Kiwi Syslog Daemon. This converter was written by Jens Cameron. Thanks!

Updated Kiwi Watchguard VClass Appliances converter after learning more information about the log format. Thanks to Christian Bischoff for researching this information and working with me so I understood it.

7/24/2004 1.2.16 Added new converter for Watchguard VClass Appliences, using Kiwi Syslog Daemon. (http://www.dshield.org/clients/kiwi_setup.html) Thanks to Christian Bischoff for helping with this.

7/22/2004 1.2.15 Fixed Tiny Firewall converter so it will work with multiple logs per day. Again, thanks to Matti Haack.

7/21/2004 1.2.14 Updated Tiny Firewall converter and autoconfiguration logic to work with Tiny Firewall Pro 6.0. Thanks to Matti Haack for helping with this.

7/15/2004 1.2.13 Improved the autoconfiguration for Norton Personal Firewall. But if it doesn't autoconfigure for you, please write to info@dshield.org. Thanks to James Suttling for helping with this. Helpful suggestions are from him. Any bugs are from me.

Improved the real time processing so the display should do a better job of updating itself when CVTWIN is doing something time consuming, like processing a very long log file. Thanks to Alan Maitland for helping with this.

7/13/2004 1.2.12 Fixed another bug in time conversion for Agnitum Outpost. Thanks to Ken Xennion for helping me with this.

Fixed a problem with converting some IP addresses in the Kiwi Cisco PIX convertehehelr. Thanks to Brian Weber for helping with this.

7/8/2004 1.2.11 Fixed bug in Kiwi Buffalo converter in that it wasn't putting a space between the time and the time zone. All Kiwi Buffalo users should upgrade. Thanks to Bob Brown for helping with this.

7/8/2004 1.2.10 Fixed bug in Kiwi Linksys converter where a lack of bounds testing can cause a "RUNTIME Error 9 (Subscript out of range)' error. This could have bit you if you were using the 'Kiwi Syslog Daemon (All formats)' converter, because it tries all the converters until one converts with no errors. Thanks to Shawn Cox for helping me with this.

7/7/2004 1.2.9 Fixed bugs in Agnitum Outpost converter where it was failing with a 'run-time error '9' Subscript out of Range.' error. Also needed tuning up to convert more kinds of valid lines properly. Thanks to Ken Xennion for helping me with this.

Updated McAfee 4 converter to fix some issues. Thanks to Chuo104 for helping with this.

Trend Micro PC-Cillin has been renamed to be Trend Micro 'Internet Security.' There are some changes in the log format and in the location where it is installed. Updated to accomodate these changes. (Both 'PC-Cillin' and 'Trend Micro Internet Security' use the same converter--the only difference now is how CVTWIN auto-configures.) Thanks to Paul Michaelson for helping with this.

Added Edit/Configure information for Kiwi Sonicwall (because the Kiwi documentation leads you astray.) Thanks to Carol Maffitt for working with me to figure this out.

6/6/2004 1.2.8 Updated Kiwi Fortigate-50 converter so that it works with more valid types of logs. Thanks to Helen Ward for helping with this.

Changed Tiny 5.0 converter to use local time instead of UTC, because this is the way that Tiny 5.0 logs the time zone now. Please double check to see that the time zone is correct in the converted log. If it isn't, then write to info@dshield.org. And use the "ForceTZ" variable in cvtwin.ini to temporarily set the time zone that CVTWIN will use.

5/10/2004 1.2.7 Added new converter for Fortigate-50 router, using Kiwi Syslog Daemon. http://www.dshield.org/clients/kiwi_setup.html Thanks to Helen Ward for helping with this.

5/4/2004 1.2.6 Updated Kiwi Netopia converter to support more valid log lines. Thanks to Christopher G. Lewis for helping with this.

4/28/2004 1.2.5 A change I made somewhere after 1.2.1 made CVTWIN reluctant to exit. Even when it looked like it had exited, it was still in memory and was visible in the Task Scheduler. I undid the change that caused the problem. All users of versions greater than 1.2.0 should upgrade. Or at least check your Task Scheduler to see if CVTWIN is exiting properly.

4/28/2004 1.2.4 Added new converter for Bintec router, using Kiwi Syslog Daemon (http://www.dshield.org/clients/kiwi_setup.html) Thanks to Marc Böing for helping with this.

4/25/2004 1.2.3 Updated D-Link 704P converter so it also works with Level One WBR 3404 TX router. (It works with some Gentek routers, also.) Thanks to Axel Grewe for helping with this.

4/14/2004 1.2.2 New converter for Buffalo WBR-G54 router using Kiwi Syslog Daemon. Thanks to Jake Colbeck for helping with this.

4/8/2004 1.2.1 New converter for D-Link DI-604 routers that can't send the logs with syslog (so you can use Kiwi Syslog Daemon.) This is generally the USA version. Non-US versions should be able to use syslog/Kiwi.

To use this "D-Link Router (Manual export from email)" converter, configure your router to mail the log to yourself. Save the log to a disk file. Then configure CVTWIN to convert this disk file. Thanks to Joseph Stahley 3rd for helping with this.

I also worked on the date conversion logic for the Norton Firewall 2003, because the new D-Link DI-604 converter shares some of its code. *Hopefully* the Norton 2003 converter is a little bit more robust. If not.... info@dshield.org

4/7/2004 1.2.0 More work in the Kiwi Cisco Pix converter after another suggestion from Chris Kinsler. It now converts another form of ICMP logs that it was missing. Also, I noticed that some of the Cisco PIX logic I added in 1.1.99 left a lot to be desired, so I fixed it.

4/7/2004 1.1.99 Improved the Kiwi Cisco PIX converter so that it now converts log lines that contain NTP accesses. Thanks to Chris Kinsler for helping with this.

3/27/2004 1.1.98 Added a new variable so that you can have CVTWIN use the 24 hour clock for its own log timestamp (File/View CVTWIN log) Add

LogTime=24

to cvtwin.ini. Otherwise, CVTWIN will use the 12 hour AM/PM timestamp it always has. This feature was added because of some gentle persuasion from Morten Due Jorgensen.

3/27/2004 1.1.97 Made the new Kiwi/Linksys RV082 converter be more robust.

3/26/2004 1.1.96 Updated Kiwi Linksys converter so that it now supports the RV082 router. Thanks to John Holmblad for helping with this.

3/21/2004 1.1.95 Fixed a bug that caused "Run-time error '6": overflow error". This was a logic bug in the port validation routine and could happen with any converter. It is probably a good idea to update. Thanks to Frank Wood for helping with this.

Tightened up the logic for initializing the IP filters. Thanks to Peter Groot for helping with this.

3/10/2004 1.1.94 Added a new converter for the D-Link DI-604 router. Thanks to Jan Roxbergh for helping with this.

3/6/2004 1.1.93 Fixed a bug where attempting to convert Kerio 4 (and probably others) caused CVTWIN to crash with a fatal 'overflow' error. There was a bug in a diagnostic routine I recently added. Adding diagnostics increases the odds of making bugs. What can I say? Thanks to Guy Boccovi for helping me with this.

3/6/2004 1.1.92 More fixes for the Norton Firewall Converter. The previous changes left some very confusing error message. Improved the error messages and (hopefully) improved the converter so that it can convert more log lines. More Peter Groot debugging.

3/5/2004 1.1.91 Another tweak to the Norton Firewall converter so that it detects more valid local IPs. Thanks to Peter Groot for pointing this condition out.

3/4/2004 1.1.90 Relaxed the 1.1.89 restrictions somewhat. The problem is that Norton Firewall logs don't have a destination IP for a lot of log lines. In the past CVTWIN has been using the IP that Winsock returns as the local IP that is assigned to the machine. I recently realized (thanks to Peter Groot) that this method is inaccurate if the user uses a dialup connection to the Internet in addition to Ethernet (which may be used for local LAN connections.) There are then several TCP connections and the one that Winsock returns as the local IP isn't necessarily the IP that has been used for Internet connections.

So, I've been looking at various methods of extrapolating from the Last Known Good Local IP that was in the log. I added a new method for when I think the IP was used for the Internet connection, but I'm not sure if it was in effect for a particular log line (that is missing a local IP) In this case, it will use the Last Known Good local IP, but will obfuscate the IP by changing the first portion to be "10." Thanks again to Peter Groot for helping me work through this.

2/29/2004 1.1.89 Tightened up the logic for Norton Firewall converter. Now, if the destination IP isn't explicitly in a log line, the log line will be rejected. Before, it would use the IP that Windows has assigned to the machine. This isn't accurate in some circumstances. Norton Firewall users should upgrade. Thanks to Peter Groot for helping with this.

2/27/2004 1.1.88 New Kiwi Syslog Daemon Snort converter. Thanks to Brad Corey for helping with this.

2/22/2004 1.1.87 Many small fixes (and one big one.) Enhanced conversion rejection messages to better explain why the log was rejected. Added previously undocumented variables to the default cvtwin.ini that is written the first time that CVTWIN is run (or any time that 'cvtwin.ini' doesn't exist.) http://www.dshield.org/clients/cvtwinreference.html#cvtwinini

The big fix was realizing that the Black Ice converter had been broken for a while, because an optmization I did a while back caused converted logs from port scanned logs add a new tab before the flags for each new line, so converted lines ended up with way too many tabs. Ugh. Fixed now.

New bonus feature: Will optionally also convert your log to ZoneAlarm format so that you can use one of the third party ZoneAlarm log analyzers. See http://www.dshield.org/clients/cvtwinreference.html#alsozonealarm for explanation.

2/21/2004 1.1.86 Upgraded auto-configuration to better handle localization issues. Again, CVTWIN is supposed to auto-configure itself for the firewall/router that you are using when it first runs.

If CVTWIN fails to auto-configure for a firewall/router that it otherwise supports, please write to info@dshield.org so that we can fix this. Please tell us the drive/directory/logfilename.ext that your firewall/router defaults to write the log file. Or the location of some other file (ProgramName.exe) that will be there when the firewall/router is installed and logging. Auto-configuring is a good thing.

Updated CVTWIN documentation file to cover some new features that have been otherwise undocumented. http://www.dshield.org/clients/cvtwinreference.html (If CVTWIN auto-configured properly, you probably could live a long and prosperous life without going anywhere near http://www.dshield.org/clients/cvtwinreference.html)

2/19/2004 1.1.85 Fixed several serious bugs in the Agnitum converter. All users should upgrade. Thanks again to John Ridd for helping me shake these bugs out.

2/18/2004 1.1.84 Improved the logic for the Agnitum Outpost converter.

2/18/2004 1.1.83 Updated Agnitum Outpost converter to work with a new method for exporting logs. See http://www.dshield.org/clients/cvtwinfirewalls.html#agnitum_outpost for details. Thanks to John Ridd for this.

2/9/2004 1.1.82 Improved the error handling logic for the Kiwi (All formats) converter.

2/6/2004 1.1.81 I realized that parts of the 1.1.80 Kiwi Netscreen fix were ill advised. There was a "logic malfunction." It was an accident, honest. Kiwi NetScreen users should dump 1.1.80 and use this version.

2/6/2004 1.1.80 Fixed Kiwi Netscreen converter so that it works with more valid log lines. All Kiwi Netscreen users should upgrade to this version. Thanks to Craig Willcocks for helping with this.

2/5/2004 1.1.79 Fixed bugs reported in Tiny Personal Firewall 5.0 converter. TPF5 users should upgrade to this version.

Updated Kiwi Netgear converter to convert more valid log types. Thanks to Bill Powell for helping with this.

2/4/2004 1.1.78 Added new converter for Tiny Personal Firewall 5.0.

2/4/2004 1.1.77 Improved autoconfiguration logic. If cvtwin isn't detecting your firewall (or router), please write to info@dshield.org so I can fix this. I need to know the location where CVTWIN should expect the log file to be. (Drive + Path + Filename.exe)

Added new 'ForceTZ' variable in cvtwin.ini. Use this if the time zone offset that CVTWIN is putting in the converted log isn't correct. CAUTION! Only use this if you completly understand this. We really need the time zone offset to be correct in the logs that we enter into out database. Very few people should need to use 'ForceTZ'

Usage: Edit cvtwin.ini and add

ForceTZ=+00:00

or whatever TZ you want to force CVTWIN to use. Make sure to track daylight savings time if needed.

1/25/2004 1.1.76 Fixed a bug in the Agnitum Outpost converter. All Agnitum Outpost users should upgrade. Thanks to Keith D. Shimizu for reporting this.

1/25/2004 1.1.75 Added new 'MailProg' variable to cvtwin.ini that lets you specify an alternate mail program. In case you can't get CVTWIN's normal mail to work. See http://www.dshield.org/clients/cvtwinsndmail.html#mailprog for details

Updated sndmail.dll used for sending email to sndmail 2.4

1/16/2004 1.1.74 Added new converter for Agnitum Outpost. Thanks to Xavier Forest for helping with this.

1/12/2004 1.1.73 Fixed bug in the log file selection dialog where choosing to display "All Files (*.*)" wasn't working. Thanks to Michael Szirtes for telling me about this.

Added StatusLine variable to cvtwin.ini to enlarge the status line area. You only need to set this if you use a large system font and the Status Line isn't displaying correctly. Add 'StatusLine=200' to cvtwin.ini. The larger the number, the bigger the status line area.

1/6/2004 1.1.72 Made new AnalogX PortBlocker converter code be less fragile. Trust, but verify.

1/6/2004 1.1.71 Added new converter for AnalogX PortBlocker. Thanks to Jody Bruchon for helping with this.

12/30/2003 1.1.70 Updated Routerlog converter so it works with U.S. Robotics USR8000 logs. Thanks to Mark McIntyre for helping with this.

12/29/2003 1.1.69 Added new converter for Billion router using Kiwi Syslog Daemon. See http://www.dshield.org/clients/kiwi_setup.html for info on getting and configuring Kiwi. Thanks to Peter Richards for helping with this.

12/18/2003 1.1.68 Updated Kiwi Sonicwall converter to accept more valid types of logs. Thanks to Sean Weintz for helping with this.

12/15/2003 1.1.67 Fixed Kiwi XyXEL converter so it converts more valid log lines. Thanks to Ed van Balen for helping with this.

12/10/2003 1.1.66 Updated 'McAfee 4' converter (used for McAfee 4 and later) to accept more valid types of log lines. Thanks to Steve Foster for helping with this.

12/03/2003 1.1.65 Made more space for the bottom "Status" line because it was invisible for some combinations of resizing and/or "reskinning."

Made "Rejected: ...." messages for Sygate converter be more informative.

11/22/2003 1.1.64 Improved error handling for McAfee 4 converter. Also rewrote some general code that affects all converters to tighten up some validity checks and be a bit less wasteful with processing resources. I'm *sure* I didn't break any converters.

11/21/2003 1.1.63 Upgraded the McAfee 4 (and 5) converter so that it handles more more types of valid log lines. Thanks to Steve Foster for helping me with this.

The InstaGate converter wasn't putting the time zone offset as part of the timestamp in the converted log. Fixed. (This isn't really needed, because the TZ offset is on the subject line, but it makes for more accuracy when the TZ offset changes in the middle of a log. i.e., when daylight savings time toggles.)

11/19/2003 1.1.62 Added new converter for eSoft Instagate firewall. Thanks to Tom Flanagan for helping with this.

Fixed a longstanding bug in that logs converted from Black Ice had leading spaces on some of the fields of the converted log. This doesn't affect the validity of the logs--the extra spaces just made the converted logs be a bit larger than they need to be.

11/14/2003 1.1.61 Tweaked the user interface in the Edit / Configure dialog. Added more content to its 'hints' information box.

11/11/2003 1.1.60 Updated Sygate converter so that it can convert more varieties of date and time formatting.

11/10/2003 1.1.59 Added new "Norton Personal Firewall (logexprt.exe)" converter for users of Norton Firewall (and Internet Security) 2003 (and later) This converter will use Norton's logexprt.ext to preprocess the log so that you don't need to do the manual export. Thanks to Dr. Mehmet Yusuf for helping me (a lot) with this.

11/9/2003 1.1.58 Added hints box to the Edit Configure dialog box. To answer some of the 'gotcha' type questions that seem to keep coming up.

11/5/2003 1.1.57 Updated Sygate Firewall converter so that it will work with the log at the new version of Sygate writes. Thanks to Dean Cohen for helping with this.

11/3/2003 1.1.56 Improved error handling in Kiwi Sonicwall converter.

11/2/2003 1.1.55 Made validity checking in BlackIce converter more robust to prevent CVTWIN from crashing with a runtime error when it attempts to process log lines that have an invalid port scan range. Thanks to Clive Lynes for helping with this.

Made date conversion routine in Norton 2003 converter be more robust so it can deal with dates like '01-Nov-03' You still need to set the Regional Setting variables in cvtwin.ini as documented in http://www.dshield.org/clients/cvtwinreference.html#trouble_date_conversion Thanks to Gerald Keindel for helping with this.

10/31/2003 1.1.54 Added new converter for Kerio version 4. Convert the Kerio "network.log" Thanks to Peter Holm for helping with this.

10/31/2003 1.1.53 Updated Kiwi Sonicwall converter so it accepts more valid logs lines (that it was rejecting) FWIW, the Kiwi Sonicwall converter also works for some (all?) models of the 3Com OfficeConnect Internet Firewall. Thanks to Matthias Grunig for helping with this.

10/30/2003 1.1.52 Updated Norton 2003 converter so it converts more valid lines.

10/27/2003 1.1.51 New converter for Zyxel router using Kiwi Syslog Daemon. Thanks to Andreas Bischoff for helping with this.

10/27/2003 1.1.50 New converter for Symantec VelociRaptor. Thanks to John Beck for helping with this.

10/27/2003 1.1.49 Updated the Kiwi Sonicwall converter so it can convert more types of valid logs. Thanks to Bob Bradfield for helping with this.

10/21/2003 1.1.48 Fixed Kiwi Syslog Daemon Linksys BEFSX41 converter so it works with newer versions of the logs. Also restored "Kiwi Syslog Daemon (Linksys)" configure menu option that I deleted somehow. Thanks to Peter Stendahl-Juvonen for helping with this.

10/16/2003 1.1.47 Added new Kiwi D-Link DFL-80 converter. Thanks to Troy Lister for helping with this.

10/14/2003 1.1.46 Fixed a bug in a function that tests if an IP address is valid that sometimes caused a runtime error when testing a string that was not an IP. This *could* cause a runtime error for any converter, if you are unlucky. Thanks to Rich Popson for helping with this.

10/8/2003 1.1.45 Fixed bug in Kiwi Watchguard converter where it was failing with a runtime error when it hit certain types of logs. Thanks to Nickie Westbrook for helping with this.

10/1/2003 1.1.44 Updated support for Visnetics (and 8Signs) firewall so that it detects more valid logs. Thanks to Fernando Vinan-Cano for helping with this.

9/21/2003 1.1.43 Updated Kiwi Netgear to better support the FVS318. Thanks to Patrick Nolan for helping me with this.

9/18/2003 1.1.42 Updated Kiwi Netgear router converter to support more routers.

9/13/2003 1.1.41 Arrgh. Fixed fatal date conversion bug in most Kiwi converters. When I added the Kiwi Sonicwall converter in version 1.1 38, I "improved" the date converter such that it worked for Sonicwall but didn't work for a lot of other Kiwi converters. Fixed now. Thanks to Pierre Baudet for calling this to my attention.

9/12/2003 1.1.40 Added new converter for McAfee Personal Firewall Version 4. See http://www.dshield.org/clients/cvtwinfirewalls.html#mcafee Thanks to David W. Haapala for helping with this.

Important note for McAfee users. Because it turned out the version of McAfee Firewall that I wrote the "McAfee (Current" converter for didn't remain the most current version forever (much to my surprise), I had to rename this option. If you previously selected "McAfee (Current)" you now must select "McAfee Version 3" Users of McAfee version 4 must select "McAfee Version 4" I promise to never tag any given version as "(Current)" again.

9/12/2003 1.1.39 Added new converter for Windows Snort Alert.ids log. Thanks to Timothy P. Kroeger for helping with this.

Tightened up the requirements for ICMP logs. Now CVTWIN will reject them if they don't have type and code.

9/11/2003 1.1.38 Added new Sonicwall converter for logs collected with Kiwi Syslog Daemon. See http://www.dshield.org/clients/kiwi_setup.html for info on getting and configuring Kiwi. Thanks to John Johnston for helping with this.

9/8/2003 1.1.37 Updated Linksys Logviewer to deal with the different way it now formats the date. You need this update if you are getting date conversion errors. Thanks to Chuck Bass for helping with this.

Also, I forgot to actually change the version number that shows up in "Help/About" for several updates. I remembered this time.

9/8/2003 1.1.36 Updated Winroute Pro converter for Winroute Pro version 5. You must slect "Winroute Pro 5" as the converter. Thanks to Bernhard Cygan for helping with this.

9/4/2003 1.1.35 Updated PC-Cillin so it supports "|" as a field delimiter, in addition to the old "," delimiter.

8/26/2003 1.1.34 Added new converters for Deerfield Wingate and for Netopia router using Kiwi Syslog Daemon. Thanks to Russell Tyler and Alan Frayer for helping with this.

Fixed auto-configure for German Microsoft ISA firewall. Thanks to Reiner Saddey for helping me unsnarl this.

8/14/2003 1.1.33 Added new Kiwi SMC converter. It was written for the SMC2404WBR wireless router but may work for other SMC routers. Try it. Thanks to Bob Brown for helping with this.

7/26/2003 1.1.32 Added new Kiwi Netscreen converter. As always, configure Kiwi as is described at http://www.dshield.org/clients/kiwi_setup.html Thanks to John Baptista for helping with this.

5/2/2003 1.1.31 Updated Kiwi Netgear converter to support more valid log formats. Thanks to John McCarthy for helping with this.

Updated Kerio 3 Converter to support more valid log formats. Thanks to Richard Horton for helping with this.

4/27/2003 1.1.30 Added support for Gentek routers. Thanks to Rod Carty for helping with this.

4/22/2003 1.1.29 Updated Kiwi Linksys converter to also support BEFSX41 type logs. Thanks to Marcelo Gallardo for helping with this.

4/15/2003 1.1.28 Updated Kiwi IPTables (AKA Smoothwall) so that it now works with Snapgear Lite firewall. Thanks to Bill Dunshie for helping with this.

4/11/2003 1.1.27 Updated Kiwi Linksys converter to work with more varieties of Linksys router logs.

4/4/2003 1.1.26 Updated Kiwi Syslog Daemon converter for Netgear so that it now converts Netgear FVS318. Thanks to Mark Vincett for helping with this.

4/3/2003 1.1.25 Updated Kiwi Syslog Daemon converter for Linksys routers to work with v. 7.0.3 of Kiwi. It is possible that other Kiwi converters will need similar updating. If so, then please send sample logs to info@dshield.org so I can update it. After first configuring Kiwi using the instructions on http://www.dshield.org/clients/kiwi_setup.html

Thanks to Chris Cole for helping with this.

3/27/2003 1.1.24 Kiwi Cisco PIX converter wasn't paying attention to regional variables in cvtwin.ini that are used to specify non-standard (for me) order of MM-DD-YY in the dates in the log lines. Now it does.

Fixed spelling error in Linksys SNMP Trapper converter. I had it as 'SMNP Trapper'. (Reversed 'N' and 'M'.) Meaning that SNMP Trapper users need to re-specify this in Edit/Config. Sorry.

3/18/2003 1.1.23 Updated RouterLog converter so that it will retrieve the IP that is assigned to the router. This will be used as the local IP so that the logs you submit will contain a routable IP and not a local non-routable IP. You need the new version of RouterLog that allows you to save this "WAN-IP:" in the logs. Check the Routerlog page (http://homepage.ntlworld.com/nitech/routerlog/)

Thanks to Norbert Desautels for implementing this feature in Routerlog, and for John Duksta for getting us together on this.

3/18/2003 1.1.22 Updated Kiwi Cisco PIX converter to convert more kinds of valid lines. Updated RouterLog converter for the same reason.

3/14/2003 1.1.21 Updated the Linksys LogViewer converter so it now supports the BEFSX41 router family.

Updated the new Kiwi Netgear converter so that it supports more types of logs.

If you had tried CVTWIN before with your Linksys or Netgear router and it didn't convert, try this new version. If it still doesn't convert, then contact info@dshield.org.

3/12/2003 1.1.20 New converter for Netgear router using Kiwi Syslog Daemon. See the docs for getting and setting up Kiwi: http://www.dshield.org/clients/kiwi_setup.html Thanks to John Dalton for helping with this.

3/10/2003 1.1.19 More work on making Norton 2003 converter work with with logexprt.exe so that you can put it on the task scheduler. If you use either Norton Firewall 2003 or Norton Internet Security 2003, install this update and run cvtwin. Set the converter to 'Norton Personal Firewall 2003" Now examine

c:\Program Files\Cvtwin\ConvertNorton.bat

This batch file will first run logexprt.exe to export the log file to a format that cvtwin can deal with. Then the batch file runs cvtwin with the -noui option so that cvtwin will run silently. Look the batch file over and see if it looks OK. Then run it to see how it worked. If it worked, then you can put ConvertNorton.bat on the Task Scheduler. If not, then write to info@dshield.org and explain what is going wrong.

Hint: debug this by decomposing the batch file. First run logexprt.exe by itself and verify that it creates the log file. (Note that you have to be in the directory that Norton is installed in to run logexprt.exe. But then you have to be in the directory that cvtwin is installed in to run cvtwin. Hence, all the drive and directory changing in the batch file.) Then run cvtwin interactively to see that it converts the log file.

3/10/2003 1.1.18 Bug fix for the Norton converter. I missed that the time was in AM/PM format. Now CVTWIN detects this and converts the time to 24 hour format.

3/9/2003 1.1.17 Updated Norton converter to support logexprt.exe, so that you can automate exporting logs. So that you can put CVTWIN on the Task Scheduler. See logexprt.txt for information on how to use logexprt.exe. Thanks to Kevin Stadler for helping with this.

3/4/2003 1.1.16 Extended BlackIce converter so that it converts more valid logs.

Updated Linksys SNMPTrap Watcher converter so that it converts logs from the latest version of SMNP Trap Watcher. Thanks to Gilles Gravier for helping with this.

2/28/2003 1.1.15 Fixed a bug with the Norton 2003 in that it wasn't converting all the log lines it should have.

2/27/2003 1.1.14 Fixed a bug that caused CVTWIN to fail with "Runtime Error '6' Overflow" when there are more than 32K lines in your log. Thanks to Deb Hale for helping me debug this.

2/24/2003 1.1.13 Changed all DShield URL references from (whatever).html to (whatever).html. Because this is the way we are now.

Fixed a bug I created when trying to fix something else, where the status file was suppressed when there were 0 lines converted. Which made it difficult to debug conversion problems, didn't it now? Sorry. Fixed now.

2/22/2003 1.1.12 Fixed Visnetics/Ambra converter so it works with the logs that the current version writes. Thanks to Martin Barrowcliff for helping with this.

2/20/2003 1.1.11 Fixed a problem with the converters that handle multiple logs (Microsoft ISA, PC-Cillin, and Tiny 4.0) where it would stop with an error message if there were no logs in the date window that CVTWIN is looking at. It should have just produced 0 lines converted, with no error message. Now it does.

2/19/2003 1.1.10 Updated Norton Personal Firewall 2003 converter so it converts more valid logs. Thanks to Elton Jonsson for helping with this.

CVTWIN will only process log lines from the present to 5 days in the past. The previous limit was 32 days in the past. Our server now processes much faster, but this works best if the logs that are submitted aren't too large. BTW, you now should submit hourly.

2/17/2003 1.1.9 Update to Clavister converter to improve the conversion accuracy.

2/17/2003 1.1.8 Added support for Clavister Firewall, logged with Kiwi Syslog Daemon. Follow the instructions for configuring Kiwi at http://www.dshield.org/clients/kiwi_setup.html Thanks to Patrik Forsberg for helping with this.

2/16/2002 1.1.7 Change to BlackIce converter so that it passes more logs for older versions of BlackIce. Previously, the converter was more restrictive than was needed in rejecting logs where the protocol couldn't be explicitly determined. Now, it will pass them with Protocol set to "???". Thanks to David Lawless for helping with this.

2/14/2003 1.1.6 New converter for Smoothwall 2.0 with Kiwi Syslog Daemon. BTW, the original Kiwi Smoothwall was ipchains, Smoothwall 2.0 is iptables, so these converters should work with any ipchains or iptables logs that are logged to Kiwi.
See http://www.dshield.org/clients/kiwi_setup.html for information on setting up Kiwi.

Thanks to Hugh Larkin for helping with this.

2/12/2003 1.1.5 Added capability of suppressing the "Status" file for people who are converting large log files and don't want the overhead of the Status file being created. To suppress the Status file, add

NoStatus = "1"

to your C:\Program Files\Cvtwin\cvtwin.ini file.

2/4/2003 1.1.4 Added new Kiwi DLink DI-704P converter. This might work for other routers that work with Routerlog. Please let me know if it does, so I can update the docs. Thanks to Chuck Schneider for helping with this.

2/3/2003 1.1.3 Changed Microsoft ISA converter so that it now will calculate the log file names automatically in the same manner as the Tiny 4.0 and PC-Cillin converters do. It will work with IPPEXTDyyyymmdd.log format logs, as documented on http://www.dshield.org/clients/isa_setup.html

See the discussions of Tiny 4.0 and PC-Cillin, below, to see how it works. In particular, read about "dummy.txt" in the 12/17/2002 entry. The ISA converter works the same.

Also added auto-configure for new ISA users.

Thanks to Lasse Ingwersen, John R. Davis, and Dave Field for helping with this.

12/21/2002 1.1.2 Added "unflush" routine for accessing Windows XP ICF firewall, to hopefully solve file access errors.

12/18/2002 1.1.1 Better treatment of log file display for Tiny 4.0 and PC-Cillin in the summary and File/View Log File. CVTWIN will now correctly report on the log files that it actually processed and shouldn't be snookered by reporting on the dummy placeholder log file that is established in Edit/Configure. A placeholder file is still required, but CVTWIN will no longer report that this is the log file that it processed.

Added auto-configuration for new users for Tiny 4.0 and PC-Cillin. If they are installed in the default locations, CVTWIN will recognize them and will create the required dummy placeholder file. (It will do auto-configuration if C:\Program Files\cvtwin\cvtwin.ini doesn't exist when the program runs. It won't auto-configure if cvtwin.ini already exists.)

12/17/2002 1.0.99 More optimizations for Tiny 4.0 converter. Now it pre-filters the log files before doing the DShield conversion, so you won't see the complete logs in the "status" file that is displayed immediatly after conversion; you will only see the log lines that contain packet log information.

I also found that some of the XML log files contain random binary junk after the end of the XML proper, so I added additional logic to stop processing after finding the </Root> tag that indicates the end of the XML document.

Still haven't solved the problem noted in v. 1.0.98. Use the workaround for now. I need to change a lot of things in CVTWIN to solve this properly.

12/17/2002 1.0.98 Improved the processing speed of the Tiny 4.0 converter. And realized a problem with the Tiny converter....

CVTWIN requires you to establish a log file in Edit/Configure. But TPF 4.0 creates a new log file for each day and (by default) removes log files that are older than 7 days. The problem will come when the file that you configured CVTWIN to look at is removed by TPF. The workaround (until I come up with a better fix) is for you to create a dummy file in C:\Program Files\Tpf4\log\ and tell CVTWIN that this is the log file.

Example, create (with Notepad, for want of anything better) C:\Program Files\Tpf4\log\dummy.txt and configure CVTWIN to use this. CVTWIN will not attempt to process dummy.txt--for TPF 4.0, it only uses this to locate the directory that the log files are in. It derives the actual filenames from dates.

I'll come up with a better solution after I rethink the problem. Keep checking back.

12/16/2002 1.0.97 Updated Tiny 4.0 converter to run faster. Changed the behavior of "File/View Log File" so it has better error checking.

12/16/2002 1.0.96 Updated PC-Cillin converter so that it works like the new Tiny 4.0 one. Now you don't need to change the log file name for every day. Once you set a log file, CVTWIN will loop through the directory and calculate the file names based on the date. You can now put CVTWIN on the Task Scheduler.

12/16/2002 1.0.95 Fixed a bug in the Tiny 4.0 converter in that it wasn't going backwards far enough, so it would miss converting unprocessed log lines from the previous day. Tiny 4.0 users should update.

12/15/2002 1.0.94 Added new "Tiny Personal Firewall 4.0" converter. Note that this is for the new Tiny v. 4.0. Users of earlier versions should use the "Tiny Personal Firewall" converter.

Tiny 4.0 saves logs in individual files, one per day. When you do your first conversion, the Tiny 4.0 converter will attempt to process all the logs in the directory. This can be time consuming. You can limit the number of logs that it will convert by entering a timestamp that is several days back in the "Last Saved Date/Time" field in Edit/Configuration. Example: enter "2002-12-11 00:00:00" to limit it to only converting the last few days.

You must select a log file in Edit/Configure. But the Tiny 4.0 converter only uses the path information. Once you have selected a log file you don't have to go back and reselect a different log file for each day. CVTWIN calculate the log file names by working backwords from today's date. Meaning that once you have it configured and working, then you should be able to put CVTWIN on the Windows Task Scheduler. (http://www.dshield.org/clients/schedule_client.html)

Thanks to Bruce Moore for helping with this.

11/24/2002 1.0.93 Added new "Kiwi Syslog Daemon (All formats)" converter that attempts to convert using all the Kiwi converters. You would use this if you use Kiwi to log from multiple different firewalls/routers. For each log line, it tries all the Kiwi converters and accepts the first conversion that returns success.

If you don't use Kiwi to log from multiple different firewalls/routers, then you should continue to use the named Kiwi converters. They are quicker, are less likely to have conversion problems, and have better conversion error reporting.

I went though all the Kiwi converters and tightened up conversion logic for some of them so that they are less naive about formating assumptions.

11/23/2002 1.0.92 Modified Kiwi Linksys converter so that it also works with

"Kiwi format ISO yyyy-mm-dd (Tab Delimited)" log format

so that it is in sync with the other Kiwi converters.

11/23/2002 1.0.91 Worked on Cisco ACL (IOS) converter so that it should now work with Kiwi Syslog Daemon, if you use the

"Kiwi format ISO yyyy-mm-dd (Tab Delimited)" log format

Also fixed a bug in the date conversion. All Cisco ACL (IOS) users should upgrade.

11/22/2002 1.0.90 Added new converter for D-Link DI-804V and Asanté FriendlyNet VR2004AC, VR2004C routers using Kiwi Syslog Daemon. Configure Kiwi to use

"Kiwi format ISO yyyy-mm-dd (Tab Delimited)" log format

11/22/2002 1.0.89 Added new converter for Cisco ACL (IOS) logs. It converts logs that are formatted like

Nov 21 10:45:36 EST: %SEC-6-IPACCESSLOGP: list 101 denied udp SSS.SSS.SSS.SSS(1031) -> DDD.DDD.DDD.DDD(137), 1 packet

Where "SSS.SSS.SSS.SSS" and "DDD.DDD.DDD.DDD" are source and local IPs.

11/13/2002 1.0.88 Improved logic in Kiwi Smoothwall converter. It is a bit more defensive now about file format assumptions.

11/11/2002 1.0.87 Added Kiwi Syslog Daemon Smoothwall converter. Open a shell into your Smoothwall and add

kern.info (tabs) @192.168.1.xxx

to /etc/syslog.conf (192.168.1.xxx is the IP address of the machine running Kiwi.) Restart Smoothwall. Start Kiwi. Configure it to use "Kiwi format ISO yyyy-mm-dd (Tab Delimited)" log format (the default.) Thanks to Paul Doig for helping with this.

11/8/2002 1.0.86 Fixed a bug with the Microsoft ISA converter. It was using your system's time zone in the converted logs. This is wrong, because all ISA logs are already in GMT time, so it now uses +00:00 as the TZ offset in the converted log. All ISA users should upgrade to this version. Thanks again to John Normon for catching this.

11/5/2002 1.0.85 Added new converter for Microsoft ISA, W3C Extended log format. Using the yyyymmdd date format. All fields except for "Header" and "Payload" (There are several ways to format ISA logs--we support this format.) Thanks to John Norman for helping with this.

11/4/2002 1.0.84 Updated Kiwi Cisco PIX converter to handle a wider variety of log lines. Thanks to Seymour Brown for helping with this.

11/4/2002 1.0.83 Added cvtwin.ini variable sndmailParms so that you can define additional parameters to pass to sndmail.dll when sending mail. Most people can ignore this, but it is needed if your SMTP server requires user authorization. See http://www.dshield.org/clients/cvtwinsndmail.html for more information.

11/1/2002 1.0.82 Improved (IMO) logic for logfile configuration "Browse" dialog box. If "logfile" is already set to an existing file, the "Browse" button now opens pointing to this drive/directory/file. Before, it opened in the directory that the program was running in, which probably doesn't contain any log file. This isn't a big deal for people who only have to set the log file once, but was a headache for people who must set the log file each time they run CVTWIN.

10/30/2002 1.0.81 Updated Linksys SMNP Trap Watcher converter so it works with the newer format. Also changed the name of the converter from "Linksys" to "Linksys SMNP Trap Watcher" so existing Linksys SMNP Trap Watcher users must change that in the Edit/Configure Dialog.

Also changed SMNP Trap Watcher converter so it now includes your Time Zone in the converted log (which it should have all along.) This might affect conversions for existing SMNP Trap Watcher users, because this also affects the timestamp that is stored as "Last Saved Date/Time" in Edit/Configure. If it is now rejecting dates that it shouldn't, then you need to append " (your time zone)" to the timestamp that is stored in "Last Saved Date/Time". Example, if your time zone is EDT, then your Time Zone is " -05:00", so you'd append " -05:00" to the timestamp that is stored in Edit/Configure "Last Saved Date/Time"

10/28/2002 1.0.80 Fixed problem with BlackIce converter that caused CVTWIN to (potentially) fill your hard disk if a log line contained an impossibly large range of ports. Previously, it would attempt to generate log lines for each of the ports in the range. All BlackIce users should upgrade to this release.

10/28/2002 1.0.79 Added new converter for Kerio Personal Firewall, Version 3. Select "Kerio Personal Firewall, Version 3" as the Firewall.

10/27/2002 1.0.78 Disabled logging to Windows Event log because it apparently causes CVTWIN to crash with a run-time error under some conditions on Win 2K. CVTWIN's own logging remains working--this only affects log messages that were sent to Windows Event log when sending email. CVTWIN's own logging logs these messages, so Windows Event logging is not needed.

10/26/2002 1.0.77 Added support for PC-Cillin. See http://www.dshield.org/clients/cvtwinfirewalls.html#pc_cillin for instructions.

10/22/2002 1.0.76 Updated Kiwi Cisco-PIX converter to handle more varieties of logs.

10/08/2002 1.0.75 Norton Personal Firewall 2003 converter update.

10/06/2002 1.0.74 More work on Norton Personal Firewall 2003 converter.

10/06/2002 1.0.73 Added converter for Norton Personal Firewall 2003 because the log format is different than previous version of Norton Personal Firewall. Users of the 2003 product should select "Norton Personal Firewall 2003". Users of earlier versions of Norton firewall should use "Norton Personal Firewall". Thanks to Jim Mercer for helping me with this.

10/04/2002 1.0.72 Fixed bug that made the "Send as email" menu operations be greyed out.

9/27/2002 1.0.71 Added converter for Cisco PIX using Kiwi Syslog Daemon.

8/11/2002 1.0.70 Improvements in startup logic to auto-detect-and-configure more firewalls.

Added new documention for Watchguard/Kiwi Syslog Daemon http://www.dshield.org/clients/watchguard_kiwi_setup.html Thanks to Richard Roy for contributing these docs.

7/26/2002 1.0.69 Extended converter for Kerio WinRoute Pro to work with "NAT" configuration. If this isn't clear, then think of it that it can convert Winroute Pro log lines that it previously couldn't convert. Thanks to Stephen Farquhar for helping me with this.

Also extended Kerio (formerly Tiny) Personal Firewall converter to recognize ICMP log lines.

7/21/2002 1.0.68 Fixed a problem with Norton Firewall date conversion that affected some non-American date formats.

6/26/2002 1.0.67 Added support for WatchGuard, using Kiwi Syslog Daemon

5/27/2002 1.0.66 Changed install procedure. It is now supplied as a self-extracting zip file--cvtwin-setup.exe, to eliminate the headache of your having to manually unzip it first.

5/6/2002 1.0.65 Fixed Kiwi date conversion. It didn't use the regional variables in cvtwin.ini to set the order of Month, Day and Year. Thanks to Chris Cole for helping me with this.

4/26/2002 1.0.64 Will create SENDIT.BAT in the directory that CVTWIN is installed in. This is a workaround for users that can't use the "send log as email" operations that are built into CVTWIN. See SENDIT.BAT after doing a conversion for more info. Again, you don't need this if you aren't having problems sending mail.

4/25/2002 1.0.63 Added more logging for email operations, and added SENDIT.BAT DOS batch file for people who can't send the log as email with the usual CVTWIN menu operation. Ignore all this if you aren't having a problem sending the log in as email. Thanks to Andrew Fletcher for helping with debugging a knotty Windows version specfic email problem.

4/20/2002 1.0.62 Improved error handling for email operations. Now using version 2.0 of sndmail.dll, which is in the updates zip file.

4/5/2002 1.0.61 User Interface rehab. Improved internal consistancy checking of parameters and operations to provide asistance for some common configuration problems.

4/4/2002 1.0.60 Added filters so that you can exclude based on ports, and by arbitrary content that is in each log line. See the Edit menu for the filters that you can edit.

Fixed problem in Norton Firewall log converter where it wasn't detecting the target IP for some ICMP accesses. Also fixed Norton ICMP records so it is setting the type and code better. Thanks to Brian M. Flack for helping with this.

4/2/2002 1.0.59 Changed date formatting so all converters format as YYYY-MM-DD. Previously, I had been sloppy and formatted some dates as YYYY/MM/DD, which is grudgingly allowed but is not encouraged. Also added additional date filter to reject log lines that are older than 32 days.

4/1/2002 1.0.58 Made formatting the current timestamp that is used for date validity checking be more robust. Before, it only worked for a few variations of Windows Regional Settings. This should eliminate some cases of date comparison failures.

Added additional date validity checking to the Norton Firewall converter.

3/31/2002 1.0.57 Refined Regional Settings handling. Now, it will set CVTWIN's Regional Settings (order of components in the date) the first time that CVTWIN is run. But if it sets it wrong (i.e., problems with dates formatted wrong), see http://www.dshield.org/clients/cvtwinreference.html#trouble_date_conversion so you can correct the setting.

Thanks to Brian M. Flack for helping with this and for providing valuable suggestions for improving the documentation.

3/25/2002 1.0.56 Fixed problem with Norton Firewall parser not using the date separator parameter in cvtwin.ini. This affects non-American users if the dates in the Norton log are not in the American MM/DD/YYYY format and they need to edit the Regional Settings in cvtwin.ini. See http://www.dshield.org/clients/cvtwinreference.html#trouble_date_conversion

3/25/2002 1.0.55 User interface (Configure dialog box) and documentation makeover.

3/23/2002 1.0.54 Added support for Kiwi Syslog Daemon when used with Linksys routers.

3/21/2002 1.0.53 Changed so that all "Was converted on" and "Email was sent on" timestamps are formatted in YYYY-MM-DD DShield format. This affects how your Summary and the CVTWIN log display dates.

Added auto-detection for some firewalls when CVTWIN is first run. If your firewall isn't auto-detected, please write to info@dshield.org.

3/20/2002 1.0.52 Added more robust date validity chacking to, hopefully, detect date conversion problems (instead of you submitting logs with invalid dates and wondering why they don't show up when you log in. See the entry for 1.0.51, below.)

3/20/2002 1.0.51 Made setting of Regional Settings in CVTWIN to detect the order of the date components be manual because automatically determining this didn't work with some versions of Norton Firewall. See the "Date Conversion Problems" section of http://www.dshield.org/clients/cvtwindocs.html for more information. Note that this currently only applies to users of the Norton Firewall that are having problems with dates not converting properly. Thanks to Brian M. Flack for working with me to diagnose this.

Also removed the cvtwin.ini file from the distribution. If this doesn't exist, now CVTWIN will create it. This change is to prevent updates from overwriting your existing settings, which has happend in some cases.

3/17/2002 Updated README.TXT to be a bit less opaque.

3/12/2002 1.0.50 Added support for Vicom Internet Gateway. Thanks to Tom Gignac for helping with this.

3/1/2002 1.0.49 Added support for newer McAfee version 3.0 firewall. Older version is still supported as "McAfee (Older)."

2/28/2002 1.0.48 Changed URL that "Log into DShield and check your submissions" function uses. You don't need to upgrade for this because we will support the old one for a while.

2/19/2002 1.0.47 Added support for VisNetic/Ambra firewall. Thanks to Justin Smith for helping with this. More BlackIce conversion improvements.

2/3/2002 1.0.46 Improved BlackIce conversion. Suggest that BlackIce users upgrade to current version of CVTWIN. Thanks to Rob Vandenberg for providing important information about the BlackIce log format.

1/25/2002 1.0.45 Updated ZoneAlarm converter so that it also converts FWROUTE log lines.

1/19/2002 1.0.44 Updated Routerlog converter to work better with newer versions of Routerlog, with newer versions of router firmware.

1/14/2002 1.0.43 Fixed problem where date validity check was rejecting some valid dates when they are very recent and are in GMT. Thanks to David Mehl for pointing this out.

1/7/2002 1.0.42 Added date validity check, to detect at least some invalid date conversions. Also fixed bug that was created in last version that caused logs that contain "Sep" in the date field not be translated correctly.

1/6/2002 1.0.41 Added support for Asante FriendlyNet, D-Link, and SMC Barricade routers. See the ASANTE FRIENDLYNET, D-LINK, AND SMC BARRICADE ROUTERS USING ROUTERLOG section of the documentation for details. Thanks to Tony Dew and Jan Weinmann for helping me with this.

12/17/2001 1.0.40 And fixed a longstanding bug with the Norton Parser where the time field wasn't zero padded. This made the "is earlier than" timestamp comparison somtimes fail, so that some log lines were wrongly excluded.
12/17/2001 1.0.39 Fix for Regional Settings processing in Norton converter. (First attempt read .ini file from disk when looking at each log line. Duh.) Thanks to Gary Hubbard for helping me with this.

12/16/2001 1.0.38 Now checks the systems Regional Settings to detect the date format for the Norton parser. I'm not sure if this affects other firewalls. If you have problems with dates not converting properly in your locale, please contact me at info@dshield.

12/14/2001 1.0.37 More improvement (less bugs) for BlackIce converter. Thanks to Will Wilkinson for working with me with this.

12/14/2001 1.0.36 Improved BlackIce conversion so that it now does a better job of rejecting unsupported record types and recognizing supported record types.

12/04/2001 1.0.35 Added support for Sygate firewall.

11/28/2001 1.0.34 Updated ZoneAlarm converter to completly convert ICMP and IGMP records. Thanks to Rob Vandenberg for clarifying this.

11/14/2001 1.0.33 I found out that I defined the IP filters wrong. the 172 block should be

172.16.0.0 - 172.31.255.255 (not 172.255.255.255)

You don't need to update for this--just edit your IP filters to match, from the Edit menu. Thanks to Paul Freeman for bringing this to my attention.

11/13/2001 1.0.32 Changed ZoneAlarm parser to also include lines that start with 'FWROUTE'

11/13/2001 1.0.31 Rewrote code that caused problems with some versions of Windows XP. Thanks to Jorgen Hedlund for coming up with the fix.

11/2/2001 1.0.30 Added support for semicolon ";" delimiters to ZoneAlarm parser.

11/1/2001 1.0.29 Now displays a screen of Quick Docs when the program first starts up, so that new users shouldn't have to search through all the menus to try to figure out where to start.

10/22/2001 1.0.28 Fixed Winroute Pro parser so it rejects log lines that contain accepted packets (we only want log lines that log blocked packets.) Added button to Configure dialog that will automatically log you into DShield with your default browser so you can check your reports.

10/18/2001 1.0.27 Added support for the Windows XP Internet Connection Firewall (ICF) that is built into Windows XP. See http://www.dshield.org/clients/windows_xp_firewall_setup.html for information on how to configure ICF.

10/11/2001 1.0.26 Removed WS2_32.DLL from the distribution because some users have reported problems with the version that the installer installs. See README.TXT for more information.

10/08/2001 1.0.25 Improved logic for BlackIce converter.

10/06/2001 1.0.24 Added support for Norton Personal Firewall.

10/05/2001 1.0.23 Fixed problem with WinRoute Pro parser not parsing ICMP properly.

10/04/2001 1.0.22 Added support for Tiny Software WinRoute Pro.

09/17/2001 1.0.21 Added support for McAfee Firewall.

09/16/2001 1.0.20 Fix for crashing when processing newer BlackIce log format.

09/08/2001 1.0.19 Now displays a summary of the results of the last conversion when the program first starts.

09/07/2001 1.0.18 Previous versions couldn't access the most recent Linksys LogViewer log lines unless you explicitly did a "Save File/OK" in LogViewer. Now it can read the entire log file.

09/07/2001 1.0.17 Added support for the Tiny Personal Firewall. http://www.tinysoftware.com/pwall.html

09/05/2001 1.0.16 Improved error checking. Added improved docs for using the task scheduler to http://www.dshield.org/clients/schedule_client.html

09/04/2001 1.0.15 Fixed problem that caused Notepad to open minimized on some systems (when editing IP filters.)

09/03/2001 1.0.14 Improved logging when using '-noui' option for unattended (Task Scheduler) operation. Before, it didn't create a log entry if the count was 0.

09/02/2001 1.0.13 Fixed bug where minimizing didn't work. Improved user interface for File View commands.

09/02/2001 1.0.12 Changed the user interface somewhat. It will now allow you to view files from a previous conversion. Previously, you could only view files after doing a conversion. See the (rewritten) documentation for more details. Also, made it so the program is resizable.

09/01/2001 1.0.11 Removed file size restriction when viewing log files. "Check User ID" (in Edit/Configure) now displays the date that your last submission was actually processed on DShield.org, and also displays several other parameters from your DShield user profile.

08/31/2001 1.0.10 Added "Check User ID" button to Edit/Configure dialog box, so you can verify if your user information is in the DShield user database. It queries the DShield site to verify that your user information is in the databese, so that your submissions will show up after you log in and go to "Check Your Reports." If the user information (email address and user ID) don't match up, then you won't be able to see your submissions.

08/29/2001 1.0.9 Fixed bug where Edit/Configure would crash if the configuration file was from a previous version. Fixed log display for Linksys Logviewer.

08/28/2001 1.0.8 Added "Obfuscate IP" checkbox to configuration dialog. This allows you to camouflage your own IP by changing the first portion to "10".

08/28/2001 1.0.7 Bug fix. Fixed bug in saving the date of the last log line processed. It was sometimes clearing this, such that the next run would send in the entire log file.

08/27/2001 1.0.6 Added BlackIce and Linksys LogViewer parsers. Fixed more typos and errors in the documentation file.

08/26/2001 1.0.5 Improved error handling. Worked on documentation to dispell a few mysteries.

08/26/2001 1.0.4 Added filtering by IP, accessed on Edit menu. Moved Configure dialog from File menu to Edit menu. Error handling improvements. (Email log (and status line) would say that email was sent, even if the SMTP server configuration was invalid. No, no, no. Bad error message.)

08/23/2001 1.0.3 Minor cosmetic changes in status displays.

08/23/2001 1.0.2 Made logging more robust. ({App.Path}/CVTWINLOG.TXT). Changed so LastSavedAlertDate isn't saved until the email was actually sent.

08/22/2001 1.0.1 Initial release.