FWReport Reporting Tool for IPTables
By Chris Travers
II How to Run the Program
III Known Issues
FWReport is not a substitute for reading log files. Although this utility can be useful in finding indications of attacks, some information is not contained in these reports which could lead to false positives, and I have erred on the side of false positives rather than false negatives.
One should note that a positive record always indicates that SOMETHING is going wrong, but often you will still have to look at the logs in order to ensure that the problem is one of outside malice rather than misconfiguration. For example, if the firewall is making DNS queries to a DNS server but blocking and logging replies, these subsequent DNS requests will occur at random ports above 1024, and the result could look like a port scan in the report.
This tool is a self-contained PERL script. All that is necessary, assuming you have Perl running, is to take the PERL script and copy it somewhere in your $PATH. I usually place it in /usr/sbin.
This tool will only work on Linux with Netfilter, and parses the /var/log/messages file for IPTables entries and generates a report based on the logs. It can only make report on logged packets, so you will need the packets to be logged via the LOG target. If you are unsure how to set this up, please see the Netfilter documentation at http://www.tldp.org and http://www.netfilter.org.
If you need assistance with the installation of Perl, see http://www.perl.org for more documentation and assistance.
FWReport is designed to run to daily or monthly reports. Please check the man page for complete syntax and instruction. A few examples include:
Generate a report for instances occuring on March 15 in the file /var/log/firewall without reverse dns lookups: fwreport -rd Mar 15 -f /var/log/firewall
Generate a report with daily subsections, processing the entire
Generate a report for yesterday from /var/log/messages:
fwreport -dt 1
fwreport -d `date --date="yesterday" "+%b %d"`
Note that the second may not launch from Cron depending on your shell settings in the /etc/passwd.
FWReport was written with the idea of being run via cron. The sample scripts are available for you to modify and call from the crontab.