# fwlogwatch

fwlogwatch is a packet filter/firewall/IDS log analyzer written by Boris Wesslowski with the following features:

General features:

- Can detect and process log entries in the following formats: Linux ipchains, Linux netfilter/iptables, Solaris/BSD/Irix/HP-UX ipfilter, Cisco IOS, Cisco PIX, NetScreen, Windows XP firewall, Elsa Lancom router and Snort IDS.
- Entries can be parsed from combined log files; the parsers to be used can be selected.
- Gzip-compressed logs are supported.
- Can separate recent from old entries and detect timewarps (entries whose timestamp goes backwards) in log files.
- Can recognize syslog's 'last message repeated' entries concerning the firewall.
- Integrated resolver for protocols, services and host names.
- Can do lookups in the whois database.
- Own DNS and whois information cache for faster lookups.
- Hosts, ports, chains and branches (targets) can be selected or excluded as needed.
- Support for internationalization (available in English, German, Portuguese, simplified and traditional Chinese and Swedish).

Log summary mode:

- A lot of options to find and display relevant patterns in connection attempts.
- Intelligent selection of fields: if the log is from a single host, the host name column is omitted and the host is mentioned in the header of the summary; the same happens with chains, targets and interfaces.
- Plain text and HTML (with CSS) output with many sort options.
- Can send summaries by email.

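The parsing and summary features above, as an added worked example that is not fwlogwatch's own code: a small Python parser for netfilter/iptables syslog lines that expands syslogd's "last message repeated N times" entries, flags timewarps, and aggregates attempts per source, protocol and destination port, moving columns that are identical for every entry into the header the way the summary mode does. The log lines are constructed, the year is assumed (RFC 3164 timestamps carry none), and the `fw-drop` log prefix is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a combined syslog with netfilter entries, one syslogd
# 'last message repeated' line, an unrelated sshd line and a timewarp.
SAMPLE_LOG = """\
Mar  5 10:15:01 fw kernel: fw-drop: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  5 10:15:02 fw last message repeated 3 times
Mar  5 10:15:09 fw kernel: fw-drop: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=12346 DF PROTO=TCP SPT=43211 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  5 10:15:10 fw sshd[1234]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
Mar  5 10:14:30 fw kernel: fw-drop: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=UDP SPT=5353 DPT=53 LEN=40
"""

SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$')
REPEAT_RE = re.compile(r'^last message repeated (?P<n>\d+) times$')
KV_RE = re.compile(r'\b([A-Z]+)=(\S*)')
ASSUMED_YEAR = 2024  # assumption: RFC 3164 timestamps have no year


def parse_netfilter(msg):
    """Return a dict for a netfilter log message, or None if it is not one."""
    if 'IN=' not in msg or 'SRC=' not in msg or 'PROTO=' not in msg:
        return None
    kv = dict(KV_RE.findall(msg))          # later keys (second LEN=) win
    prefix = msg.split('IN=', 1)[0].replace('kernel:', '').strip().rstrip(':')
    return {
        'prefix': prefix,                   # the --log-prefix, acts as chain/target tag
        'iface': kv.get('IN'),
        'src': kv.get('SRC'), 'dst': kv.get('DST'), 'proto': kv.get('PROTO'),
        'dpt': int(kv['DPT']) if kv.get('DPT', '').isdigit() else None,
    }


def parse_log(text):
    """Parse a combined log; returns (events, timewarps, skipped_lines)."""
    events, timewarps, skipped = [], [], 0
    last_event, last_ts = None, None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SYSLOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        if last_ts and ts < last_ts:        # clock went backwards: timewarp
            timewarps.append((lineno, last_ts, ts))
        last_ts = ts
        rep = REPEAT_RE.match(m['msg'])
        if rep:
            # syslogd compressed identical lines; replay them only if the
            # previous line was a firewall entry
            if last_event is not None:
                events.extend(dict(last_event, ts=ts) for _ in range(int(rep['n'])))
            continue
        ev = parse_netfilter(m['msg'])
        if ev is None:
            last_event = None               # a non-firewall line ends the repeat chain
            skipped += 1
            continue
        ev.update(ts=ts, host=m['host'])
        events.append(ev)
        last_event = ev
    return events, timewarps, skipped


def summarize(events):
    """One row per (source, protocol, destination port), sorted by count.
    Columns identical for every entry (host, interface, prefix) go to the header."""
    header = {}
    for col in ('host', 'iface', 'prefix'):
        vals = {e[col] for e in events}
        if len(vals) == 1:
            header[col] = vals.pop()
    counts = Counter((e['src'], e['proto'], e['dpt']) for e in events)
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][0]))
    return header, rows


if __name__ == '__main__':
    events, warps, skipped = parse_log(SAMPLE_LOG)
    header, rows = summarize(events)
    print(f"{len(events)} firewall entries, {skipped} other lines, {len(warps)} timewarp(s)")
    for lineno, prev, cur in warps:
        print(f"  timewarp at line {lineno}: {prev:%H:%M:%S} -> {cur:%H:%M:%S}")
    print("summary for " + ", ".join(f"{k}={v}" for k, v in header.items()))
    for (src, proto, dpt), n in rows:
        print(f"  {n:4d}  {src:<15} {proto:<4} dpt={dpt}")
```

The repeat handling is the part worth checking against your own syslog: a `last message repeated` line is only replayed when the preceding line was a firewall entry, because syslogd compresses any message, not just the kernel's.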
Interactive report mode:

- The integrated report generator fills in and presents a report that can be sent to abuse contacts of attacking sites or computer emergency response teams (CERTs).
- Supports templates and incident number generation.
- All fields can be adjusted as needed interactively.

Realtime response mode:

- The program detaches and stays in the background as a daemon.
- Detection of the necessary ipchains rules (with logging turned on) can be configured.
- Response can be a notification (a log file entry, an email, a remote winpopup message or whatever you can put into a shell script) or a customizable firewall modification.
- The included response script adds a new chain for fwlogwatch to ipchains or netfilter setups, and attackers are blocked with new firewall rules in that chain.
- Supports trusted hosts (anti-spoofing): hosts on the trusted list are never blocked, so an attacker cannot forge their source addresses to get them locked out.
- The current status of the program can be followed through a web interface (supports IPv6).
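The realtime response logic above, as an added example that is not fwlogwatch's response script: alerts are counted per source within a sliding window, a dedicated chain is created and hooked at the top of INPUT, a source that crosses the threshold gets a DROP rule in that chain, blocks expire after a fixed time, and trusted networks are exempt so that spoofed packets cannot get a legitimate host blocked. The chain name, threshold, window, block time and trusted list are assumptions; the event stream is constructed; the iptables commands are only collected unless `run=True`.

```python
import ipaddress
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta

CHAIN = 'fwlogwatch'            # assumed chain name for the response rules
THRESHOLD = 5                   # assumed: alerts per source within WINDOW before blocking
WINDOW = timedelta(minutes=10)
BLOCK_TIME = timedelta(hours=1)

# Assumed trusted networks: never blocked, even if an attacker spoofs their
# source address in packets that hit the logging rule.
TRUSTED = [ipaddress.ip_network(n) for n in ('192.0.2.0/24', '198.51.100.7/32')]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def setup_commands():
    """Create the chain and jump to it before any other INPUT rule."""
    return [['iptables', '-N', CHAIN],
            ['iptables', '-I', 'INPUT', '1', '-j', CHAIN]]


def block_command(ip):
    return ['iptables', '-I', CHAIN, '1', '-s', ip, '-j', 'DROP']


def unblock_command(ip):
    return ['iptables', '-D', CHAIN, '-s', ip, '-j', 'DROP']


class Responder:
    """Counts alerts per source and decides when to block and unblock.
    Commands are recorded in self.log and executed only when run=True."""

    def __init__(self, run=False):
        self.run = run
        self.hits = defaultdict(list)   # src -> timestamps of recent alerts
        self.blocked = {}               # src -> time the block was added
        self.log = []

    def _exec(self, cmd):
        self.log.append(' '.join(cmd))
        if self.run:
            subprocess.run(cmd, check=True)

    def alert(self, src, ts):
        """Feed one firewall log event; returns True if src was just blocked."""
        if is_trusted(src) or src in self.blocked:
            return False
        recent = [t for t in self.hits[src] if ts - t <= WINDOW] + [ts]
        self.hits[src] = recent
        if len(recent) < THRESHOLD:
            return False
        self._exec(block_command(src))
        self.blocked[src] = ts
        return True

    def expire(self, now):
        """Drop blocks older than BLOCK_TIME; returns the sources unblocked."""
        expired = [ip for ip, t in self.blocked.items() if now - t >= BLOCK_TIME]
        for ip in expired:
            self._exec(unblock_command(ip))
            del self.blocked[ip]
        return expired


def demo():
    """Constructed event stream: a scanner, a spoofed trusted host, a slow prober."""
    r = Responder(run=False)
    for cmd in setup_commands():
        r._exec(cmd)
    t0 = datetime(2024, 3, 5, 10, 15)
    events = [('203.0.113.45', t0 + timedelta(seconds=i)) for i in range(6)]
    events += [('198.51.100.7', t0 + timedelta(seconds=i)) for i in range(8)]
    events += [('203.0.113.77', t0 + timedelta(minutes=4 * i)) for i in range(5)]
    blocked = [src for src, ts in events if r.alert(src, ts)]
    unblocked = r.expire(t0 + timedelta(hours=2))
    return blocked, unblocked, r.log


if __name__ == '__main__':
    blocked, unblocked, log = demo()
    print('blocked:', blocked, 'unblocked:', unblocked)
    print('\n'.join(log))
```

Two things to keep when adapting this: run the setup with `check=False` (or test for the chain first), since `iptables -N` fails when the chain already exists, and keep the trusted list in place, because a responder that blocks whatever source address appears in the log is itself a denial-of-service tool for anyone who can forge packets.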