FWReport Reporting Tool for IPTables
By Chris Travers
I Installation
II How to Run the Program
III Known Issues
Before You Begin:
FWReport is not a substitute for reading log files. Although this utility can be useful in finding indications of attacks, the reports omit some of the information needed to rule out false positives, and I have erred on the side of false positives rather than false negatives.
Note that a positive record always indicates that SOMETHING is going wrong, but you will often still have to look at the logs to determine whether the problem is outside malice or a misconfiguration. For example, if the firewall makes DNS queries to a DNS server but blocks and logs the replies, those queries will use random ports above 1024, and the logged replies can look like a port scan in the report.
I Installation
This tool is a self-contained Perl script. Assuming you have Perl installed, all that is necessary is to copy the script somewhere in your $PATH. I usually place it in /usr/sbin.
This tool only works on Linux with Netfilter. It parses /var/log/messages for iptables entries and generates a report from them. It can only report on logged packets, so the packets must be logged via the LOG target. If you are unsure how to set this up, see the Netfilter documentation at http://www.tldp.org and http://www.netfilter.org.
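As an added illustration, not FWReport's own code, the following Python sketch shows the kind of analysis such a report performs on iptables LOG lines from /var/log/messages: it groups logged packets by source address, flags sources that hit many distinct destination ports, and singles out the blocked-DNS-reply pattern described under Before You Begin so it can be checked against the raw log rather than reported as a scan. The log lines, addresses and threshold are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/messages lines (not from the original page).
SAMPLE_LOG = """\
Mar 15 10:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=22 SYN
Mar 15 10:12:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44322 DPT=23 SYN
Mar 15 10:12:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44323 DPT=80 SYN
Mar 15 10:12:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44324 DPT=3389 SYN
Mar 15 11:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.53 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=33012 LEN=80
Mar 15 11:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.53 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=41977 LEN=64
Mar 15 11:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.53 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=50210 LEN=72
Mar 15 11:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.53 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=36644 LEN=90
Mar 16 09:00:00 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=22 SYN
"""
# syslog prefix ("Mar 15 10:12:01 host kernel: ") followed by the iptables KEY=VALUE fields
LINE_RE = re.compile(r"^(\w{3}) +(\d{1,2}) \S+ \S+ kernel: (.*)$")

def parse_line(line):
    """Return the iptables LOG fields of one syslog line as a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group(3)))
    if "SRC" not in fields or "DPT" not in fields:
        return None  # not a LOG-target line, or no port information (e.g. ICMP)
    fields["DATE"] = f"{m.group(1)} {int(m.group(2))}"  # e.g. "Mar 15"
    return fields

def port_report(log_text, day=None, min_ports=4):
    """Group logged packets by SRC; flag sources hitting >= min_ports distinct DPTs.
    Returns {src: {"ports": [...], "flag": str}}; day is given like "Mar 15"."""
    dpts, spts = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (day is not None and rec["DATE"] != day):
            continue
        dpts[rec["SRC"]].add(int(rec["DPT"]))
        spts[rec["SRC"]].add(int(rec.get("SPT", 0)))
    report = {}
    for src, ports in dpts.items():
        flag = "ok"
        if len(ports) >= min_ports:
            flag = "scan-like"
            # Everything from source port 53 to ephemeral ports is the signature of our
            # own DNS replies being dropped (misconfiguration), not a scan; verify in the log.
            if spts[src] == {53} and min(ports) > 1024:
                flag = "scan-like (possible blocked DNS replies; check raw log)"
        report[src] = {"ports": sorted(ports), "flag": flag}
    return report
```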
If you need assistance with the installation of Perl, see http://www.perl.org for more documentation and assistance.
II Running the Program
FWReport is designed to produce daily or monthly reports. See the man page for complete syntax and instructions. A few examples:
Generate a report for instances occurring on March 15 in the file /var/log/firewall, without reverse DNS lookups:
fwreport -rd Mar 15 -f /var/log/firewall
Generate a report with daily subsections, processing the entire /var/log/messages:
fwreport -w
Generate a report for yesterday from /var/log/messages:
fwreport -dt 1
--or--
fwreport -d `date --date="yesterday" "+%b %d"`
Note that the second form may not run from cron, depending on the shell configured for the user in /etc/passwd.
FWReport was written with the idea of being run via cron. Sample scripts are provided for you to modify and call from the crontab.
