[fwAnalog] exciting new feature in fwanalog

From: Balázs Bárány (balazs~AT~tud.at)
Date: Mon Mar 04 2002 - 22:25:59 CET


check out this new fwanalog sample report: http://tud.at/programm/fwanalog/new-sample/alldates.html#host

(This is made of real data so I will delete it after a few days.)

Basically, there are now links to separate pages for each recently blocked host, so the important question "what did 111.222.333.444 scan on my host and was it already scanning before?" can be answered for the first time (without grepping the logs directly, that is).

The new feature seems to work so far, but it runs very slowly (= up to a couple of minutes per host on my 350 MHz machine, depending on the amount of logged data). Only the hosts from the current log get converted, so this is not too much if done periodically (e.g. daily or hourly).

There is also a command line option to generate the statistics of a "not so recent" host (that was logged before this feature was active).

This is about the maximum that the design of fwanalog (and firewall log reporting in general) can reach; for more information, one really needs an intrusion detection system like snort. (Which is a different business.)

This is not really in a releasable state yet, but the brave can get it from the web CVS ("download tarball"). Note the new option in fwanalog.opts.master.

Also, there is a new firewall log format for ZyXEL/Netgear firewall appliances, also in the CVS.

I'd be glad about feedback.
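Added example (not fwanalog's own code, which is a shell script driving analog) of the per-host view the post describes: for each source in the current log, which ports it hit, when, and whether it already appeared in older logs. The netfilter/iptables LOG syntax, the addresses and the function names are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter/iptables LOG syntax (not real data);
# fwanalog supports several firewall formats, this one is an assumption.
OLD_LOG = """\
Feb 27 03:12:44 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4120 DPT=22 SYN
Mar  1 11:02:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4121 DPT=23 SYN
"""
CURRENT_LOG = """\
Mar  4 21:40:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=5000 DPT=80 SYN
Mar  4 21:40:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=5001 DPT=443 SYN
Mar  4 21:55:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=ICMP TYPE=8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"          # DPT is absent for ICMP, hence optional
)

def parse(log):
    """Yield (timestamp, source, 'PROTO/dport') for every line the regex recognises."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src"), f"{m.group('proto')}/{m.group('dpt') or '-'}"

def per_host_report(current_log, old_log):
    """Summarise each source host in the current log and look it up in the older logs."""
    earlier = defaultdict(set)            # source -> targets seen in old logs
    for _, src, target in parse(old_log):
        earlier[src].add(target)
    report = {}
    for ts, src, target in parse(current_log):
        host = report.setdefault(src, {
            "first": ts, "last": ts, "hits": 0, "targets": set(),
            "seen_before": src in earlier, "earlier_targets": earlier.get(src, set()),
        })
        host["last"] = ts                  # log lines are assumed to be in time order
        host["hits"] += 1
        host["targets"].add(target)
    return report

def render(report):
    """One text block per host, like the per-host page fwanalog now links to."""
    out = []
    for src, h in sorted(report.items()):
        out.append(f"{src}: {h['hits']} packets, {h['first']} .. {h['last']}, targets {sorted(h['targets'])}")
        out.append("  seen before: " + (f"yes, targets {sorted(h['earlier_targets'])}" if h["seen_before"] else "no"))
    return "\n".join(out)

if __name__ == "__main__":
    print(render(per_host_report(CURRENT_LOG, OLD_LOG)))
```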

