A packet filter/firewall/IDS log analyzer http://fwlogwatch.inside-security.de/
Go to file
2024-01-05 22:35:49 +01:00
fwlogwatch.spec update to 1.3 [release 1.3-1mamba;Wed Oct 10 2012] 2024-01-05 22:35:49 +01:00
README.md update to 1.3 [release 1.3-1mamba;Wed Oct 10 2012] 2024-01-05 22:35:49 +01:00

fwlogwatch

fwlogwatch is a packet filter/firewall/IDS log analyzer written by Boris Wesslowski with the following features:

General features: Can detect and process log entries in the following formats: Linux ipchains, Linux netfilter/iptables, Solaris/BSD/Irix/HP-UX ipfilter, Cisco IOS, Cisco PIX, NetScreen Windows XP firewall, Elsa Lancom router and Snort IDS.

Entries can be parsed in combined log files, the parsers to be used can be selected.

Gzip-compressed logs are supported.

Can separate recent from old entries and detects timewarps in log files.

Can recognize 'last message repeated' entries concerning the firewall.

Integrated resolver for protocols, services and host names.

Can do lookups in the whois database.

Own DNS and whois information cache for faster lookups.

Hosts, ports, chains and branches (targets) can be selected or excluded as needed.

Support for internationalization (available in English, German, Portuguese, simplified and traditional Chinese and Swedish).

Log summary mode: A lot of options to find and display relevant patterns in connection attempts.

Intelligent selection of certain fields (e.g. the host name column is omitted and the host mentioned in the header of the summary if the log is from a single host, the same happens with the chains, targets and interfaces). Plain text and HTML (with CSS) output with many sort options.

Can send summaries by email.

Interactive report mode: The integrated report generator fills in and presents a report that can be sent to abuse contacts of attacking sites or computer emergency response teams (CERTs).

Supports templates and incident number generation.

All fields can be adjusted as needed interactively.

Realtime response mode: The program detaches and stays in the background as a daemon. Detection of the necessary ipchains rules with logging turned on can be configured.

Response can be a notification (in form of a log file entry, an email, a remote winpopup message or whatever you can put into a shell script), or a customizable firewall modification. The included response script adds a new chain for fwlogwatch to ipchains or netfilter setups and attackers are blocked with new firewall rules.

Supports trusted hosts (anti-spoofing).

The current status of the program can be followed through a web interface (supports IPv6).