Updated 6/12/03
A minor bug in the script caused "port attacks" identified as ICMP to show up with no port number. This has been fixed in version 1.05. ICMP probes are now identified as such in the report.
Also, a "-d" (or "--dns") switch has been added to resolve IP addresses to hostnames. This is a somewhat slow process...
Updated 3/4/03
I wrote a small Perl script to make it easier to read the log files produced by the syslog feature of the Symantec Firewall/VPN appliance. Reading through the raw logs is not a pleasant experience, but with a simple Perl script the events of the past few days can easily be summarized.
The output looks like this:
------------------------------------------------
Total Number of port scans logged: 742
------------------------------------------------
Port Scans per day
------------------
Feb 10 63
Feb 11 24
Feb 12 65
Feb 13 30
------------------
Ports hit
------------------
445 110
1434 105
1433 76
17300 68
27374 36
------------------
Port Number: 445
IP: 24.80.252.14 2
IP: 65.201.237.169 2
IP: 65.210.180.200 2
IP: 61.93.33.187 2
IP: 61.242.83.247 2
Port Number: 1434
IP: 213.115.144.70 16
IP: 64.156.191.52 12
Since this is just a quick sample, some of the entries have been cut to shorten things up.
The script is written in Perl and should run on *nix boxes and Windows boxes alike (assuming you have Perl installed). The default logfile name may have to be changed to accommodate your settings, or you can simply use the '-l <filename>' argument.
Usage: firewall.pl [-l <name>] [-n <lines>] [-p] [-d]
-l <name>: name of the log file to report on.
-n <lines>: number of lines in the "Ports hit" and IP address lists. Default is 10.
-p : display the "Ports hit" section only.
-d : DNS lookup. Performs a reverse DNS lookup of all IP addresses. Note that although DNS entries are cached, this lookup does slow down the reporting. Also, some of the long names might make a mess of the output.
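As an added illustration (not the author's Perl script), the following Python sketch does the same summarization: it reads log lines in a constructed, assumed layout (the appliance's real syslog format is not shown above, so the regular expression would need adjusting), tallies scans per day and per port with the top source IPs for each, and labels port-less ICMP probes as "ICMP" rather than printing an empty port column, which is the behaviour the 1.05 fix describes. The top_n parameter plays the role of the -n switch.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in an ASSUMED syslog layout; the appliance's real
# format is not shown on the page, so adjust LINE_RE to match your logs.
SAMPLE_LOG = """\
Feb 10 01:02:03 gateway fw: port attack src=24.80.252.14 dst_port=445 proto=TCP
Feb 10 01:05:11 gateway fw: port attack src=213.115.144.70 dst_port=1434 proto=UDP
Feb 10 02:14:55 gateway fw: port attack src=65.201.237.169 proto=ICMP
Feb 11 03:22:01 gateway fw: port attack src=24.80.252.14 dst_port=445 proto=TCP
Feb 11 04:00:00 gateway fw: port attack src=213.115.144.70 dst_port=1434 proto=UDP
Feb 11 09:15:30 gateway fw: admin login from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2} +\d{1,2}) \S+ \S+ fw: port attack "
    r"src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: dst_port=(?P<port>\d+))? proto=(?P<proto>\w+)$")

def parse_scans(text):
    """Yield (day, port_label, src_ip) per port-attack line; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # ICMP probes carry no port: label them by protocol instead of leaving it blank
            yield m.group("day"), m.group("port") or m.group("proto").upper(), m.group("ip")

def summarize(text, top_n=10):
    """Tally scans per day, per port, and the top source IPs for each port."""
    per_day, per_port, ips_per_port = Counter(), Counter(), defaultdict(Counter)
    for day, port, ip in parse_scans(text):
        per_day[day] += 1
        per_port[port] += 1
        ips_per_port[port][ip] += 1
    return {"total": sum(per_day.values()), "per_day": dict(per_day),
            "ports_hit": per_port.most_common(top_n),
            "ips_per_port": {p: c.most_common(top_n) for p, c in ips_per_port.items()}}

def report(text, top_n=10):
    """Render the summary in the same layout as the sample output above."""
    s = summarize(text, top_n)
    lines = [f"Total Number of port scans logged: {s['total']}", "Port Scans per day"]
    lines += [f"{d} {n}" for d, n in s["per_day"].items()]
    lines += ["Ports hit"] + [f"{p} {n}" for p, n in s["ports_hit"]]
    for p, _ in s["ports_hit"]:
        lines += [f"Port Number: {p}"] + [f"IP: {ip} {n}" for ip, n in s["ips_per_port"][p]]
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```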