FWLogWatch is a security tool written in C by Boris Wesslowski for the RUS-CERT. It is a log analyzer for the Linux ipchains packet filter. It includes incident report and real-time response capability.
It includes the following features:
- Log summary mode:
  - A lot of options to find and display relevant patterns in connection attempts.
  - Intelligent selection of certain fields (e.g. the host name column is omitted and the host is mentioned in the header of the summary if the log is from a single host; the same happens with the chains, targets and interfaces).
  - Can separate recent from old entries and detects time warps in log files.
  - Plain text and HTML output.
  - Integrated parser for protocols, services and host names.
  - Internal DNS cache for faster lookups.
- Interactive report mode:
  - The integrated report generator fills in and presents a report that can be sent to abuse contacts of attacking sites, computer emergency response teams and/or coordination centers (CERT/CC).
  - Supports templates and incident number generation.
  - All fields can be adjusted as needed interactively.
- Real-time response mode:
  - The program detaches and stays in the background as a daemon.
  - It detects whether the necessary ipchains rules (with logging turned on) exist.
  - The response can be a notification (in the form of a log file entry or a remote winpopup message), a firewall modification or anything else you can invoke in a standard shell.
  - In block mode a new chain for fwlogwatch is added automatically whenever an attack is detected; the attacking hosts are then completely blocked by the new firewall rules.
  - Support for trusted hosts (anti-spoof).
The tool can be downloaded from http://www.kyb.uni-stuttgart.de/boris/software.shtml or http://cert.uni-stuttgart.de
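To illustrate what the log summary mode described above does with ipchains kernel log lines, here is a small added example in Python (not fwlogwatch's own C code): it parses the kernel's "Packet log:" syslog lines, moves fields that are constant across the whole log (host, chain, target, interface) into a header instead of a column, counts connection attempts per source, protocol and destination port, and flags time warps where a timestamp runs backwards. The sample log lines are constructed for the example and the 2000 year assumed for the syslog timestamps is a placeholder.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog lines in the ipchains "Packet log:" format (not real traffic).
SAMPLE_LOG = """\
Mar 12 10:01:02 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4021 203.0.113.5:23 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#3)
Mar 12 10:01:03 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4022 203.0.113.5:23 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#3)
Mar 12 10:01:05 fw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.9:53 203.0.113.5:53 L=40 S=0x00 I=3 F=0x0000 T=64 (#3)
Mar 12 09:59:59 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4023 203.0.113.5:23 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#3)
"""

# syslog timestamp, logging host, then the ipchains fields: chain, target, interface, protocol, src:port, dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

def parse(text):
    """Return one dict of named fields per parseable ipchains log line."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def time_warps(entries, year=2000):
    """Indexes of entries whose timestamp is earlier than the preceding entry's (syslog has no year; assumed)."""
    stamps = [datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S") for e in entries]
    return [i for i in range(1, len(stamps)) if stamps[i] < stamps[i - 1]]

def summarize(entries):
    """Group attempts by (src, proto, dport); fields with a single value across the log go to the header."""
    header = {}
    for field in ("host", "chain", "target", "iface"):
        values = {e[field] for e in entries}
        if len(values) == 1:
            header[field] = values.pop()
    counts = Counter((e["src"], PROTO_NAMES.get(e["proto"], e["proto"]), e["dport"]) for e in entries)
    return header, counts

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    header, counts = summarize(entries)
    print("header:", header)
    for (src, proto, dport), n in counts.most_common():
        print(f"{n:4d}  {src:<16} {proto}/{dport}")
    print("time warps at entries:", time_warps(entries))
```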