fwlogwatch

Software Details:
Version: 1.3
Upload Date: 11 May 15
Developer: Boris Wesslowski
Distribution Type: Freeware
Downloads: 13


fwlogwatch is a packet filter / firewall / IDS log analyzer written by Boris Wesslowski originally for RUS-CERT.

fwlogwatch supports many log formats and offers many analysis options. It also provides incident report and realtime response capabilities, an interactive web interface and internationalization.

Features:

  • Can detect and process log entries in the following formats:
    • Linux ipchains
    • Linux netfilter/iptables
    • Solaris/BSD/Irix/HP-UX ipfilter
    • BSD ipfw
    • Cisco IOS
    • Cisco PIX / FWSM
    • NetScreen
    • Windows XP firewall
    • Elsa Lancom router
    • Snort IDS
  • Entries can be parsed from single, multiple and combined log files; the parsers to be used can be selected.
  • Gzip-compressed logs are supported transparently.
  • Can separate recent from old entries and detect timewarps in log files.
  • Can recognize 'last message repeated' entries concerning the firewall.
  • Integrated resolver for protocols, services and host names.
  • Can do lookups in the whois database.
  • Own DNS and whois information cache and GNU adns support for faster lookups.
  • Hosts, networks, ports, chains and branches (targets) can be selected or excluded as needed.
  • Support for internationalization (available in English, German, Portuguese, Simplified and Traditional Chinese, Swedish and Japanese).
  • Log summary mode:
    • Many options to find and display relevant patterns in connection attempts.
    • Intelligent selection of certain fields (e.g. if the log is from a single host, the host name column is omitted and the host is mentioned in the header of the summary; the same happens with chains, targets and interfaces).
    • Output as plain text or HTML (W3C XHTML 1.1 with inline or linked CSS level 2) with limit and sort options.
    • Can send summaries by email.
    • The integrated report generator fills in and presents a report that can be sent to abuse contacts of attacking sites or computer emergency response teams (CERTs).
    • Supports templates and incident number generation.
    • All fields can be adjusted as needed interactively.
  • Realtime response mode:
    • The program detaches and stays in the background as a daemon.
    • For ipchains setups, detection of the necessary rules with logging turned on can be configured.
    • Can catch up on existing entries at startup to provide up-to-date state information from program start on.
    • Response can be a notification (in the form of a log file entry, an email, a remote winpopup message, or whatever you can put into a shell script), or a customizable firewall modification.
    • The included response script adds a new chain for fwlogwatch to ipchains or netfilter setups, and attackers are blocked with new firewall rules.
    • Supports trusted hosts (anti-spoofing).
    • The current status of the program can be followed and controlled through a web interface (supports IPv6).

What is new in this release:

  • This version adds IPv6 support for netfilter, DNS cache initialization, and ASA parser extensions.
