Cisco-pix extension for Logwatch (www.logwatch.org) Current version: 0.1 (21 Jun 2006)
Cisco-pix is an extension script I wrote for Logwatch (tested with versions 7.2 and 7.3, but I think it can work on older versions too) to parse and report Cisco PIX Firewall IDS (Intrusion Detection System) messages. The current version (0.1) is limited to IDS logging messages; I hope in the near future to extend the logging/reporting to all the messages (work in progress :P).

Logging is done "per signature" and "per from_address", so a typical report looks like this:

++++++++++++++++++++++++++++++++++++
+ Report Cisco IDS                 +
+ attack/info merged by sender     +
+ attack/info count for dest       +
++++++++++++++++++++++++++++++++++++
[400010] ICMP echo reply from 192.168.0.2
    to 10.0.0.90 - 5 time(s)
[400011] ICMP unreachable from 192.168.0.1
    to 10.0.0.90 - 61 time(s)
    to 10.0.0.91 - 54 time(s)
[.....]

The script supports a signature-based whitelist mechanism that excludes IP addresses from reporting. Debug mode (Debug >= 5) is used to troubleshoot the whitelist mechanism; with Detail >= 8 the matching log line is printed for each entry too.

Just for information, the parsed IDS messages have the following format:

%PIX-4-4000nn IDS:sig_num sig_msg from ip_addr to ip_addr on interface int_name

Here you can download an official Cisco reference document about Syslog Messages from PIX Firewall (version greater than 5.3).

Download the last version of cisco-pix (0.1).

In the Cisco-pix tar you find 4 files. You must install them under /etc/logwatch/:

cd /etc/logwatch; tar zxvf /path/to/cisco-pix/cisco-pix-1.0.tar.gz

Starting from version 7.0, Logwatch permits users to customize the configuration using this "special" dir, so you can untar the file under /etc/logwatch/ and then configure /usr/share/logwatch/default.conf/logwatch.conf to use the cisco-pix module as follows:

Service = cisco-pix

Files description

scripts/services/cisco-pix
    This is the core script that performs the log analysis.
conf/logfiles/cisco-pix.conf
    Basic configuration (as usual) of the log files to inspect, archives, etc.
misc/Signatures.cisco.whitelist
    Whitelist file: combinations of signature IDs and from/to IP addresses that we don't want displayed in the report. Examples included.
conf/services/cisco-pix.conf
    Config file.

I hope this can be useful to some people... oops! This script is released under GPL v2.0; you can use, modify and distribute it according to the licence (GPL Version 2). I know, my Perl coding style is not so cool ;)
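As an added illustration (not the extension's own Perl code), here is a Python sketch of the parse, whitelist and per-sender/per-destination aggregation described above; the log lines, addresses and the whitelist tuple layout (message ID, from, to, with "*" as a wildcard) are constructed assumptions, since the page does not give the whitelist file's syntax.

```python
import re
from collections import defaultdict

# Message layout as documented on the page (the colon after the message ID is
# accepted as optional because PIX syslog output carries one):
#   %PIX-4-4000nn IDS:sig_num sig_msg from ip_addr to ip_addr on interface int_name
IDS_RE = re.compile(
    r"%PIX-4-(?P<msgid>4000\d\d):? IDS:(?P<sig>\d+) (?P<msg>.+?) "
    r"from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)"
)

# Constructed sample log lines; hosts, addresses and counts are made up for the demo.
SAMPLE_LOG = """\
Jun 21 10:00:01 fw %PIX-4-400010: IDS:2000 ICMP echo reply from 192.168.0.2 to 10.0.0.90 on interface outside
Jun 21 10:00:02 fw %PIX-4-400011: IDS:2001 ICMP unreachable from 192.168.0.1 to 10.0.0.90 on interface outside
Jun 21 10:00:03 fw %PIX-4-400011: IDS:2001 ICMP unreachable from 192.168.0.1 to 10.0.0.91 on interface outside
Jun 21 10:00:04 fw %PIX-4-400011: IDS:2001 ICMP unreachable from 192.168.0.1 to 10.0.0.90 on interface outside
Jun 21 10:00:05 fw %PIX-4-400010: IDS:2000 ICMP echo reply from 172.16.0.5 to 10.0.0.90 on interface outside
Jun 21 10:00:06 fw some unrelated message that must be ignored
"""

# Assumed whitelist shape: (message id, from, to); "*" matches any address.
WHITELIST = {("400010", "172.16.0.5", "*")}

def whitelisted(msgid, src, dst, whitelist=WHITELIST):
    """True when a (signature, from, to) whitelist entry covers this hit."""
    return any(w[0] == msgid and w[1] in ("*", src) and w[2] in ("*", dst)
               for w in whitelist)

def parse_ids(log_text, whitelist=WHITELIST):
    """Return {msgid: (sig_msg, {src: {dst: count}})} for non-whitelisted hits."""
    report = {}
    for line in log_text.splitlines():
        m = IDS_RE.search(line)
        if not m or whitelisted(m["msgid"], m["src"], m["dst"], whitelist):
            continue
        msg, by_src = report.setdefault(
            m["msgid"], (m["msg"], defaultdict(lambda: defaultdict(int))))
        by_src[m["src"]][m["dst"]] += 1
    return report

def render(report):
    """Logwatch-style text: per signature, merged by sender, counted per destination."""
    out = []
    for msgid in sorted(report):
        msg, by_src = report[msgid]
        for src in sorted(by_src):
            out.append(f"[{msgid}] {msg} from {src}")
            for dst, n in sorted(by_src[src].items()):
                out.append(f"    to {dst} - {n} time(s)")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(parse_ids(SAMPLE_LOG)))
```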
Last update: 21 Jun 2006
Feel free to contact me at giovanni (dot) mellini (at) gmail (dot) com. Enjoy ;)