Firewall Wizards mailing list archives
Looking for a Firewall log parser for incidents
From: Charles Roten <charles.roten () wamu net>
Date: Fri, 24 Aug 2001 15:04:49 -0700
Right now, I'm using the freeware perl script fwlogsum, from http://www.ginini.com.au/tools/fw1, to put together digests of my Checkpoint Firewall-1 logs. But fwlogsum has a serious disadvantage: it is a tool designed to compile a "Top 10" style report. What I really want is a tool which will inform me about the IP used by the script kiddy who ran that TCP port 21 host sweep yesterday, even if the number of log records generated by the activities of said script kiddy falls below fwlogsum's radar.

The problem I face here is that the logs I must parse are truly large. As in 200 MB of logs per day, *after* *compression*, which gives a 15/1 compression ratio.

When thinking about the design, I considered designing a list or regexp which would specify the boxes inside my perimeter. Then, simply scan through the logs, and pull the IPs of all external boxes which drop packets. Each of these becomes an IP of interest. Then, in the second pass, pull *all* records from all IPs of interest, and report only on their activity.

Problem is, creating a regexp out of the IPs of interest creates a regexp which breaks awk's regexp engine, and would almost certainly break perl's as well. And with the volume of logs I process, the script must not have to make more than 2 passes through the logs.

Does anyone on this list know of such a tool? I think this must be a common problem, and I suspect my scheme has been tried, and improved, before. I would truly appreciate not having to re-invent the wheel.

My email address is charles.roten () wamu net

Thanks for any assistance.

Charles Roten
Corporate Information Security
Washington Mutual

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
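The two-pass scheme described in the post, written out as an added example (not the poster's code and not fwlogsum): the perimeter is a list of CIDR blocks and the IPs of interest are kept in a hash set, so neither pass needs a regexp built from addresses. The log layout (date, time, action, src, dst, proto, dport) is a constructed, simplified one for the demo and is not Checkpoint Firewall-1's real export format; the field split is the only part that would change for real logs.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records in a simplified whitespace-separated layout:
# date time action src dst proto dport. Not real Checkpoint FW-1 output.
SAMPLE_LOG = """\
24Aug2001 03:10:01 drop 203.0.113.9 192.0.2.10 tcp 21
24Aug2001 03:10:02 drop 203.0.113.9 192.0.2.11 tcp 21
24Aug2001 03:10:03 drop 203.0.113.9 192.0.2.12 tcp 21
24Aug2001 09:00:00 accept 198.51.100.7 192.0.2.10 tcp 80
24Aug2001 09:00:05 accept 203.0.113.9 192.0.2.10 tcp 80
24Aug2001 10:00:00 drop 192.0.2.10 198.51.100.7 udp 53
24Aug2001 11:00:00 accept 198.51.100.8 192.0.2.10 tcp 25
"""

# Assumed perimeter: internal address space as CIDR blocks, not a regexp.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(line):
    date, time, action, src, dst, proto, dport = line.split()
    return {"date": date, "time": time, "action": action, "src": src,
            "dst": dst, "proto": proto, "dport": int(dport)}


def first_pass(lines):
    """Pass 1: every external source that had at least one packet dropped."""
    interest = set()
    for rec in map(parse, lines):
        if rec["action"] == "drop" and not is_internal(rec["src"]):
            interest.add(rec["src"])
    return interest


def second_pass(lines, interest):
    """Pass 2: all records (dropped or accepted) from IPs of interest."""
    activity = defaultdict(list)
    for rec in map(parse, lines):
        if rec["src"] in interest:  # O(1) set lookup, no regexp alternation
            activity[rec["src"]].append(rec)
    return dict(activity)


def report(log_text):
    # Any iterable of lines works; on a real file open it once per pass.
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    return second_pass(lines, first_pass(lines))
```

With the sample above, the three-host port 21 sweep from 203.0.113.9 is enough to flag it, and the second pass also surfaces its later accepted port 80 connection, which a drop-only count would miss.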