|
http://cert.uni-stuttgart.de/projects/fwlogwatch/
贴一段内容~
Home -> Projekte -> fwlogwatch
fwlogwatch
fwlogwatch is a packet filter/firewall/IDS log analyzer written by Boris Wesslowski with the following features:
General features:
Can detect and process log entries in the following formats:
Linux ipchains, Linux netfilter/iptables, Solaris/BSD/Irix/HP-UX ipfilter, Cisco IOS, Cisco PIX, NetScreen Windows XP firewall, Elsa Lancom router and Snort IDS.
Entries can be parsed in combined log files, the parsers to be used can be selected.
Gzip-compressed logs are supported.
Can separate recent from old entries and detects timewarps in log files.
Can recognize 'last message repeated' entries concerning the firewall.
Integrated resolver for protocols, services and host names.
Can do lookups in the whois database.
Own DNS and whois information cache for faster lookups.
Hosts, ports, chains and branches (targets) can be selected or excluded as needed.
Support for internationalization (available in English, German, Portuguese, simplified and traditional Chinese and Swedish).
Log summary mode:
A lot of options to find and display relevant patterns in connection attempts.
Intelligent selection of certain fields (e.g. the host name column is omitted and the host mentioned in the header of the summary if the log is from a single host, the same happens with the chains, targets and interfaces).
Plain text and HTML (with CSS) output with many sort options.
Can send summaries by email.
Interactive report mode:
The integrated report generator fills in and presents a report that can be sent to abuse contacts of attacking sites or computer emergency response teams (CERTs).
Supports templates and incident number generation.
All fields can be adjusted as needed interactively.
Realtime response mode:
The program detaches and stays in the background as a daemon.
Detection of the necessary ipchains rules with logging turned on can be configured.
Response can be a notification (in form of a log file entry, an email, a remote winpopup message or whatever you can put into a shell script), or a customizable firewall modification.
The included response script adds a new chain for fwlogwatch to ipchains or netfilter setups and attackers are blocked with new firewall rules.
Supports trusted hosts (anti-spoofing).
The current status of the program can be followed through a web interface (supports IPv6).
The commented configuration file supports and explains all options and will get you started quickly. Scripts like a Red Hat init script or a PHP web frontend are included.
fwlogwatch is open source software under the GNU General Public License (GPL). It is known to run at least on Linux, Solaris, FreeBSD, OpenBSD and (through Cygwin) on Windows 95/98/ME/NT/2000/XP.
Download the latest version (0.9.2) here (79-114 kB) as
C source in tar.gz (with PGP signature and public key), tar.bz2 or rpm format.
Linux binary (i386 built on RH8.0) in tar.gz or rpm format.
You might want to subscribe to the fwlogwatch mailing lists:
fwlogwatch-announce - primarily for announcements of new versions
fwlogwatch-users - answers to user questions, discussion about extensions and best practices
An inter-release CVS is available at the fwlogwatch project page at SourceForge and a release overview at the fwlogwatch project page at freshmeat. You can also have a look at the fwlogwatch download site.
Firewall logging setup help is available in the README and here for Windows XP and Elsa Lancom. |
|