[Script] Perl – Check Point firewall logfile analysis – dropped connections statistics

Here’s a simple Perl script I wrote some time ago to analyze Check Point firewall logs for dropped connections. It outputs a simple statistic of drops per source IP, sorted by the number of drops, and also shows the number of accepted connections for each of those source IPs (useful for telling a plain scanner with zero accepts apart from a legitimate client that also hits a few closed ports).

You first need to convert the Check Point binary logs to text logfiles via fwm logexport, like:
fwm logexport -n -p -i $FWDIR/log/2013-07-28_000000.log -o /var/tmp/2013-07-28.txt
Always use the -n switch (no DNS resolution of IP addresses), by the way, or you can go and grab quite a few Snickers while fwm waits for reverse DNS lookups on a large logfile; -p likewise keeps port numbers numeric instead of resolving them to service names, which is what the script expects. If you’re running this directly on a Check Point SPLAT or Gaia node, make sure you have enough space on the destination volume, since the exported text logs can be quite large (use /var/tmp instead of /tmp).

Of course this script can only gather statistics for firewall rules you’ve actually set to log (Track: Log). Connections matched by rules without logging never make it into the export, so a silent cleanup rule will hide exactly the drops you are probably looking for.

Update: I have moved my scripts to GitHub and updated some of them a bit. You can find the current version of this particular script here.

Code:

#!/usr/bin/env perl
###
#Export logs via fwm logexport:
# fwm logexport -n -p -i $FWDIR/log/2013-07-28_000000.log -o /var/tmp/2013-07-28.txt
#Feed these exported textfiles as arguments to this script:
# ./fwdrops.pl /var/tmp/2013-07-28.txt /var/tmp/2013-07-27.txt
###
use strict;
use warnings;

my (%sourceaccept, %sourcedrop, %indexes);

#Define the names of the log fields that are relevant for us. In our case we just need src and action.
#Each log entry is basically a semicolon-separated list of the following properties:
#num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;log_sys_message;origin_id;ProductFamily;Log delay;rule;rule_uid;rule_name;src;dst;proto;service;s_port;service_id;message_info;ICMP;ICMP Type;ICMP Code;TCP packet out of state;tcp_flags;inzone;outzone;rule_guid;hit;policy;first_hit_time;last_hit_time;log_id;xlatesrc;xlatedst;NAT_rulenum;NAT_addtnl_rulenum;xlatedport;xlatesport;description;status;version;comment;update_service;reason;Severity;failure_impact;message;ip_id;ip_len;ip_offset;fragments_dropped;during_sec;Internal_CA:;serial_num:;dn:;sys_message:;SmartDefense profile;DCE-RPC Interface UUID;System Alert message;Object;Event;Parameter;Condition;Current value
my @LogFields = ("src", "action");

foreach my $file (@ARGV) {
  open my $fh, '<', $file or die "Can't open file $file: $!";
  my $headerline = <$fh>;
  die "Empty file $file" unless defined $headerline;
  chomp $headerline;
  my @Fileheader = split (";", $headerline);
  #Here we look through the log header fields (see above) to find out at which position our desired LogFields are.
  #The position is looked up per file instead of hardcoded, since it may differ between versions/configurations.
  #If a field is missing we die right away rather than scanning past the end of the header.
  foreach my $Field (@LogFields) {
    my ($idx) = grep { $Fileheader[$_] eq $Field } 0..$#Fileheader;
    die "Field '$Field' not found in header of $file" unless defined $idx;
    $indexes{$Field} = $idx;
  }

  #Loop through the rest of the log with the actual log entries and increment the drop/accept counters for each IP.
  #The first entry is normally the "Log file has been switched to..." control message; it has no action
  #and is ignored like any other line that is neither drop nor accept, so we don't need to skip it by position.
  while(<$fh>) {
    chomp;
    my @Values = split (";", $_);
    my ($src, $action) = @Values[$indexes{"src"}, $indexes{"action"}];
    next unless defined $src && defined $action; #short or truncated line
    if($action eq "drop") {
      ++$sourcedrop{$src};
    }
    elsif($action eq "accept") {
      ++$sourceaccept{$src};
    }
  }
  close $fh;
}

printf ("\n\n%-20s\t%-20s\t%-20s\n", "source-IP", "Dropped Connections", "Accepted Connections");
foreach (sort { $sourcedrop{$b} <=> $sourcedrop{$a} } keys %sourcedrop) {
  $sourceaccept{$_} = 0 unless $sourceaccept{$_}; #Account for possible undef values for 0 accepted connections
  printf ("%-20s\t%-20d\t%-20d\n", $_, $sourcedrop{$_}, $sourceaccept{$_});
}

Example output:

source-IP           	Dropped Connections 	Accepted Connections
123.151.42.61       	5054                	0                    
188.165.95.172      	2667                	0                     
64.31.20.210        	1542                	0                   
74.63.232.92        	1536                	0                   
80.82.65.213        	1513                	0                   
122.227.228.107     	1478                	0                   
131.188.3.220       	1340                	0                   
134.76.10.46        	1334                	4                   
54.230.14.2         	1104                	0                   
50.97.107.45        	1023                	0                   
94.126.65.213       	774                 	0                              
58.221.60.179       	771                 	0                   
88.198.39.205       	768                 	0                   
66.154.119.161      	768                 	0            	
118.100.218.9       	768                 	0                   
183.248.145.108     	768                 	0                   
218.61.0.26         	768                 	0                   
180.106.43.26       	768                 	0                   
142.4.103.222       	768                 	0          
[.....]
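As an added example (not part of the original post or the script above), here is the same idea in Python: the field positions are looked up from the export's header line per file, so it works for any version that prints a semicolon-separated header, and a header that lacks a required field raises an error instead of being scanned past its end. It goes one step beyond the Perl script and also records, per source, which dst:service pairs got dropped, so a port scan is easy to tell apart from a single misconfigured client hammering one closed port. The log lines embedded in SAMPLE_EXPORT are constructed sample data in the layout of an fwm logexport -n -p output (only a subset of the real header fields, documentation address ranges); they are not taken from a real firewall.

```python
import sys
from collections import Counter, defaultdict

# Constructed sample in the layout "fwm logexport -n -p" produces: a
# semicolon-separated header line, then one record per line. Only a subset
# of the real header fields is used and the addresses are documentation
# ranges. The first record mimics the "Log file has been switched to..."
# control entry, the last one a truncated record.
SAMPLE_EXPORT = """\
num;date;time;orig;type;action;alert;i/f_name;i/f_dir;product;log_sys_message;rule;src;dst;proto;service;s_port
0;28Jul2013;0:00:00;fw1;control;;;;;VPN-1 & FireWall-1;Log file has been switched to: 2013-07-28_000000.log;;;;;;
1;28Jul2013;0:00:01;fw1;log;drop;;eth0;inbound;VPN-1 & FireWall-1;;Cleanup rule;203.0.113.5;192.0.2.10;tcp;22;51234
2;28Jul2013;0:00:01;fw1;log;drop;;eth0;inbound;VPN-1 & FireWall-1;;Cleanup rule;203.0.113.5;192.0.2.11;tcp;22;51235
3;28Jul2013;0:00:02;fw1;log;accept;;eth0;inbound;VPN-1 & FireWall-1;;Allow web;198.51.100.7;192.0.2.20;tcp;443;40000
4;28Jul2013;0:00:03;fw1;log;drop;;eth0;inbound;VPN-1 & FireWall-1;;Cleanup rule;198.51.100.7;192.0.2.20;tcp;3389;40001
5;28Jul2013;0:00:04;fw1;log;drop;;eth0;inbound;VPN-1 & FireWall-1;;Cleanup rule;203.0.113.5;192.0.2.12;tcp;22;51236
6;28Jul2013;0:00:05;fw1;log;drop;;eth0;inbound;VPN-1 & FireWall-1;;Cleanup rule;203.0.113.5;192.0.2.10;tcp;22;51237
7;28Jul2013;0:00:06;fw1;log
"""

REQUIRED = ("src", "action", "dst", "service")


def field_indexes(header_line, required=REQUIRED):
    """Map header field names to column positions.

    A missing field raises KeyError up front; an unguarded
    "++$i until $header[$i] eq $field" loop would instead run past the
    end of the header."""
    names = [n.strip() for n in header_line.rstrip("\r\n").split(";")]
    pos = {name: i for i, name in enumerate(names)}
    missing = [f for f in required if f not in pos]
    if missing:
        raise KeyError("header lacks field(s): " + ", ".join(missing))
    return pos


def tally_drops(lines):
    """Count drop/accept per source over export lines (header first).

    Also records, per source, which dst:service pairs were dropped so a
    scan (many targets) can be told apart from one misconfigured client
    hitting a single closed port."""
    it = iter(lines)
    pos = field_indexes(next(it))
    last_needed = max(pos[f] for f in REQUIRED)
    drops, accepts = Counter(), Counter()
    targets = defaultdict(Counter)
    for line in it:
        # the control entry written at log switch has no action; skip it by
        # content rather than assuming it is always the second line
        if not line.strip() or "Log file has been switched" in line:
            continue
        cols = line.rstrip("\r\n").split(";")
        if len(cols) <= last_needed:
            continue  # truncated record: ignore instead of IndexError
        src, action = cols[pos["src"]], cols[pos["action"]]
        if action == "drop":
            drops[src] += 1
            targets[src][cols[pos["dst"]] + ":" + cols[pos["service"]]] += 1
        elif action == "accept":
            accepts[src] += 1
    return drops, accepts, targets


def report(drops, accepts, targets, top=20):
    """Render the table, busiest droppers first, plus their top 3 targets."""
    rows = ["%-20s %-8s %-8s %s" % ("source-IP", "dropped", "accepted",
                                    "top dropped dst:service")]
    for src, n in drops.most_common(top):
        tgt = ", ".join("%s (%d)" % pair for pair in targets[src].most_common(3))
        rows.append("%-20s %-8d %-8d %s" % (src, n, accepts[src], tgt))
    return "\n".join(rows)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: python3 fwdrops.py /var/tmp/2013-07-28.txt [/var/tmp/2013-07-27.txt ...]
        drops, accepts, targets = Counter(), Counter(), defaultdict(Counter)
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                d, a, t = tally_drops(fh)
            drops.update(d)
            accepts.update(a)
            for src, c in t.items():
                targets[src].update(c)
    else:
        drops, accepts, targets = tally_drops(SAMPLE_EXPORT.splitlines())
    print(report(drops, accepts, targets))
```

Run without arguments it prints the table for the embedded sample; with one or more exported text files as arguments it tallies those instead, exactly like the Perl script. The third column in the report is what makes the difference in practice: four drops spread over three hosts on port 22 from one source is SSH scanning, while one drop on 3389 next to an accept on 443 from the same source is more likely a user with a stray RDP client.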

4 thoughts on “[Script] Perl – Check Point firewall logfile analysis – dropped connections statistics

  1. Pingback: [Script] Perl – Check Point firewall logfile analysis – rule usage | alpacapowered

  2. I am new to Perl. Is it possible to explain the logic of this script? Also, please clarify whether it works with R75 logs?

    • The format of exported log files is identical for all versions I’m aware of, it’s just a semicolon-separated text file. So it should work without issues with pretty much any Check Point version. I wrote this script when we ran R75 and it still works exactly the same now that we upgraded to R77 (and R76 in between).

      I’ve added a few comments to the script and changed some minor things which should explain better what it’s doing. For an introduction to Perl in general there are a lot of good resources on the internets, for example here on perlmonks.
