fireparse is an ADMLogger plugin that emails a report of all packets that have been logged by the kernel's packet filtering subsystem (iptables/netfilter or ipchains). The report includes source and destination ports, direction, logged packet count, matched rule, and fully resolved host names (if available). The email report can be formatted to plain text or a colored HTML table.
Firewall Log Daemon is a program written in C which will watch for ipchains or iptables log alerts in realtime. The program will start a small daemon process that parses and resolves firewall logs by reading a FIFO that syslog writes to. It can queue a batch of alerts and mail them to you, or can be used in a script to crunch an existing log file or data stream. It features hostname, port, protocol, and ICMP type/code lookup, with output formatted by a user-defined template.
TrinityOS is a step-by-step, example-driven HOWTO on building a very functional Linux box with strong security in mind. TrinityOS is well known for its strong packet firewall ruleset, Chrooted and Split DNS (v9 and v8), secured Sendmail (8.x), Linux PPTP, Serial consoles and Reverse TELNET, DHCPd, SSHd, UPSes, system performance tuning, the automated TrinityOS-Security implementation scripts, and much more.
Xtradius is a radius server that permits you to handle user authentication and accounting request via external scripts. You can handle script requests for user accounting, user authentication, NAS start and NAS stop packets. You can also write additional information into the NAS detail logfile. Parameters to scripts are passed via command line options or environment variables, making it very simple to implement SQL-based user accounting, authentication and account expiration. It is also compatible with "standard" cistron radius server.
fwanalog is a shell script that parses and summarizes firewall logfiles. It understands logs from ipf (xBSD, Solaris), OpenBSD 3.x pf, Linux 2.2 ipchains, Linux 2.4 iptables, and a few types of routers and firewalls (Cisco, Checkpoint FW-1, and Watchguard). The excellent log analysis program Analog is used to create the reports.
NetUP UTM is a universal billing system for internet service providers of any size. Its modern approach to traffic accounting makes the system compatible with all popular platforms and network devices. Its key features include realtime traffic processing, Cisco Netflow and IP Accounting data collection, support for RADIUS authentication, and cross-platform compatibility. The core of the system is a smart and reliable accounting engine working directly with network equipment. It supports up to 100,000 users at a total speed of up to 3 Gbps. A flexible ratings engine and efficient administration tools make UTM a complete solution for IP/VoIP/WiFi/dial-up billing.
Wflogs is a firewall log analysis tool. It can be used to produce a log summary report in plain text, HTML, and XML, or to monitor firewalling logs in real-time. For now, netfilter, ipchains, ipfilter, cisco_pix, cisco_ios, and snort input formats are supported. It is particularly fast when asynchronous DNS resolution is enabled. The goal of the WallFire project is to build a very general and modular firewalling application based on Netfilter or any kind of low-level framework. Wflogs is part of the WallFire project, but can be used independently.
The Userfriendly Iptables Frontend is used to generate optimized iptables packet filter rules, using a simple description file specified by the user. Generated rules are provided in iptables- save style. UIF can be used to read or write rulesets to or from LDAP servers in your network, which provides a global storing mechanism. Its aim is to be an easy to configure, human readable packet filter.
IPTables log analyzer displays Linux 2.4 iptables logs (rejected, accepted, and masqueraded packets) in a nice HTML page. The reports it produces are easy to read and understand, reducing the manual analysis time. They contain statistics on packets and links to more detailed information on a given host, port, or domain.
The Bait and Switch Honeypot System combines the snort Intrusion Detection System (IDS) with honeypot technology to create a system that reacts to hostile intrusion attempts by marking and then redirecting all "bad" traffic to a honeypot that partially mirrors your production system. Once switched, the would-be hacker is unknowingly attacking your honeypot instead of the real data, while your clients and/or users are still safely accessing the real system. Life goes on, your data is safe, and you get to learn about the bad guy as an added benefit. It works with Snort 1.9.0, 1.9.1, and 2.0.2.