[Script] Perl – Check Point firewall logfile analysis – rule usage

Continuing from my previous post, here’s another quick and dirty perl script I used some time ago to provide a basic analysis of Check Point firewall logfiles in terms of rule usage.

It kind of lost the the bit of usefulness it had with the rule base hit counter that was introduced in R75.40, but maybe someone can still make use of this horrible code. Or some better examples like this to begin with.
The script here also includes info on implicit rules, address spoofing, whacky ICMP packets or basically any stuff that isn’t logged with an actual rule name.

Again this script will obviously only be able to gather statistics of firewall rules you’ve actually set to logging.


Update: I have moved my scripts to GitHub and updated some of them a bit. You can find the current version of this particular script here.

#!/usr/bin/env perl
#Export logs via fwm logexport:
# fwm logexport -n -p -i $FWDIR/log/2013-07-28_000000.log -o /tmp/2013-07-28.txt
#Feed these exported textfiles as arguments to this script:
# ./fwrules.pl /tmp/2013-07-28.txt /tmp/2013-07-27.txt

use strict;
use warnings;

my (%rulenames, %indexes);
my @want = ("rule_name", "rule", "message_info", "TCP packet out of state", "type");

foreach my $file (@ARGV) {
  open my $fh, '<', $file or die "Can't open file $!";
  my @fileheader = split (";", <$fh>);
  foreach my $cur (@want) {
        $indexes{$cur} = 0;
        ++$indexes{$cur} until $fileheader[$indexes{$cur}] eq $cur;
  <$fh>; #filter "Log file has been switched to..." message

  while(<$fh>) {
    my @vals = split (";", $_);
    if($vals[$indexes{"type"}] ne "control") {
      ++$rulenames{"$vals[$indexes{\"rule\"}] - $vals[$indexes{\"rule_name\"}]"} if $vals[$indexes{"rule_name"}];
      ++$rulenames{"**TCP packet out of state**"} if $vals[$indexes{"TCP packet out of state"}];
      ++$rulenames{"**[No Rule Name]**"} unless ($vals[$indexes{"rule_name"}] || $vals[$indexes{"message_info"}] || $vals[$indexes{"TCP packet out of state"}]);
      ++$rulenames{"**$vals[$indexes{\"message_info\"}]**"} if $vals[$indexes{"message_info"}];
  close $fh;

printf ("\n\n%-40s\t%-10s\n", "Rule Name", "Hits");
foreach (sort { $rulenames{$b} <=> $rulenames{$a} }  keys %rulenames) {
  printf ("%-40s\t%-10d\n", $_, $rulenames{$_});

Example output:

Rule Name                                       Hits
23 - Web Access Internal			1560537
13 - DMZ Access					310385
11 - DNS Queries				275722
52 - Access to Department B			240914
104 - Defualt Drop                              117447
52 - Access to Department A			103039
**TCP packet out of state**                     42895
**Address spoofing**                            11514
**[No Rule Name]**                              881
**ICMP error does not match an existing connection**    678
**Implied rule**                                320
**SSH version 1.x is not allowed**              27
**Invalid TCP packet - source / destination port 0. Dropped although the protection is disabled**   26
**Invalid ICMP-error header length**            2

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s