Firewall Wizards mailing list archives

Looking for a Firewall log parser for incidents


From: Charles Roten <charles.roten () wamu net>
Date: Fri, 24 Aug 2001 15:04:49 -0700

Right now, I'm using the freeware perl script fwlogsum, from
http://www.ginini.com.au/tools/fw1, to put together digests
of my Checkpoint Firewall-1 logs.  But fwlogsum has a serious
disadvantage: it is a tool designed to compile a "Top 10"
style report.

What I really want is a tool which will inform me about the
IP used by the script kiddy who ran that TCP port 21 host
sweep yesterday.  Even if the number of log records generated
by the activities of said script kiddy falls below fwlogsum's
radar.

The problem I face here is that the logs I must parse are
truly large.  As in 200 MB of logs per day, *after*
*compression*, which gives a 15/1 compression ratio.

When thinking about the design, I considered designing a
list or regexp which would specify the boxes inside my
perimeter.  Then, simply scan through the logs, and pull the
IPs of all external boxes which drop packets.  Each of these
becomes an IP of interest.  Then, in the second pass, pull
*all* records from all IPs of interest, and report only on
their activity.  Problem is, creating a regexp out of the IPs
of interest creates a regexp which breaks awk's regexp engine,
and would almost certainly break perl's as well.  And with the
volume of logs I process, the script must not have to make
more than 2 passes through the logs.

Does anyone on this list know of such a tool?  I think this
must be a common problem, and I suspect my scheme has been
tried, and improved, before.  I would truly appreciate not
having to re-invent the wheel.

My email address is charles.roten () wamu net

Thanks for any assistance.

Charles Roten
Corporate Information Security
Washington Mutual


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
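
The two-pass scheme sketched in the post (pass 1: collect external sources whose packets were dropped; pass 2: pull every record involving those sources) can be done without building a giant alternation regexp at all: a hash set gives constant-time membership no matter how many IPs of interest there are, and the inside/outside test is a CIDR lookup rather than a pattern. The following is an added illustration, not fwlogsum and not code from the original post. The record layout (date;time;action;src;dst;service;proto) and the log lines are constructed and simplified, not the real FW-1 export format; the inside network 192.0.2.0/24 and the sweeping host 203.0.113.7 are likewise made up. A third step counts distinct destinations per (source, service), which is what surfaces a low-volume port-21 host sweep that a "Top 10" report would miss.

```python
import ipaddress
from collections import defaultdict
from typing import Iterable, Optional

# Constructed, simplified record layout (NOT the real FW-1 export format):
# date;time;action;src;dst;service;proto
FIELDS = ("date", "time", "action", "src", "dst", "service", "proto")

# Constructed sample log. 192.0.2.0/24 is the inside network; 203.0.113.7 runs a
# low-volume TCP/21 host sweep (four targets, two of them dropped).
SAMPLE_LOG = """\
24Aug2001;09:01:12;drop;203.0.113.7;192.0.2.10;ftp;tcp
24Aug2001;09:01:13;drop;203.0.113.7;192.0.2.11;ftp;tcp
24Aug2001;09:01:14;accept;203.0.113.7;192.0.2.12;ftp;tcp
24Aug2001;09:05:00;accept;198.51.100.20;192.0.2.25;http;tcp
24Aug2001;09:06:30;drop;192.0.2.50;198.51.100.99;smtp;tcp
24Aug2001;09:07:00;accept;203.0.113.7;192.0.2.13;ftp;tcp
"""

# Assumed perimeter definition: a list of CIDR blocks, not a regexp.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_record(line: str) -> Optional[dict]:
    """Split one semicolon-delimited record into a dict; None for blank/short lines."""
    parts = line.rstrip("\n").split(";")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_internal(ip: str, nets=INTERNAL_NETS) -> bool:
    """CIDR membership test for 'is this box inside my perimeter'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def pass_one(lines: Iterable[str], nets=INTERNAL_NETS) -> set:
    """Pass 1: every external source whose packets were dropped becomes an IP of interest.
    A set gives O(1) lookups, so its size never troubles a regexp engine."""
    interest = set()
    for line in lines:
        rec = parse_record(line)
        if rec and rec["action"] == "drop" and not is_internal(rec["src"], nets):
            interest.add(rec["src"])
    return interest


def pass_two(lines: Iterable[str], interest: set) -> list:
    """Pass 2: keep every record in which an IP of interest is source or destination."""
    return [rec for rec in map(parse_record, lines)
            if rec and (rec["src"] in interest or rec["dst"] in interest)]


def host_sweeps(records: list, min_hosts: int = 3) -> dict:
    """Distinct destinations per (src, service); many hosts on one port is a sweep,
    even when the total record count is tiny."""
    targets = defaultdict(set)
    for rec in records:
        targets[(rec["src"], rec["service"])].add(rec["dst"])
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) >= min_hosts}


def analyse(log_text: str = SAMPLE_LOG):
    """Run both passes over the text and return (IPs of interest, their records, sweeps)."""
    interest = pass_one(log_text.splitlines())
    records = pass_two(log_text.splitlines(), interest)
    return interest, records, host_sweeps(records)


if __name__ == "__main__":
    interest, records, sweeps = analyse()
    print("IPs of interest:", sorted(interest))
    for rec in records:
        print(" ", rec["time"], rec["action"], rec["src"], "->", rec["dst"], rec["service"])
    for (src, svc), n in sweeps.items():
        print(f"{src} touched {n} distinct hosts on {svc}")
```

Both passes take any iterable of lines, so on real data each would be fed from gzip.open(path, "rt") rather than from a string, keeping the run at exactly two sequential reads of the compressed file and holding only the set of IPs of interest in memory. The action value to match ("drop") and the field positions must of course be adjusted to whatever your export actually produces.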

