Juniper Firewall - software that can report on traffic analysis?

Question

I'd like to find some open source software (or relatively inexpensive) that can run analysis against the syslog messages of a Juniper SSG (netscreen OS) firewall and provide things like "Top destinations", "Top protocols", "Overall usage"...

Anyone know of such a tool?

score 1 · Accepted Answer · answered Aug 10 '10 at 14:08

1

We decided to go with Manage Engine's firewall analyzer. Cacti is too difficult to manage and maintain and Splunk wouldn't do what we were after.

answered Aug 10 '10 at 14:08

TheCleaner

32,352
26
126
188

I would hardly describe this software as inexpensive! – JamesRyan Aug 11 '10 at 09:19
Depends on how you look at it. We got a nice discount because of the industry we are in. We were originally looking at stuff that was going to cost $15-25k. – TheCleaner Aug 11 '10 at 13:04

score 0 · Answer 2 · answered Aug 04 '10 at 20:05

0

Take a look at Splunk for analyzing syslog files.

answered Aug 04 '10 at 20:05

shiftycow

91
5

score 0 · Answer 3 · answered Aug 04 '10 at 20:31

Cacti is an open source graphing/alerting solution that, along with a Syslog server like syslog-NG (open source as well) and the Syslog plugin, should get you what you need. Cacti's great, haven't tried that plugin though, but it's on my (long) todo list of software to evaluate.

score 0 · Answer 4 · answered Jun 25 '11 at 15:59

Are you sure you want a commercial solution? I wrote a small Perl script that can do the same. See if it is useful:

use strict;

my $log = shift;
my $n = shift || 5;

open FILE, $log or die "Can't open the file";

my %connections;
my %all_connections;

while (<FILE>){
    if (/^.*sent=(\d+) rcvd=(\d+) src=([\S+]+) dst=([\S+]+) src_port=(\d+) dst_port=(\d+).*$/){
        my ($src_ip, $dst_ip, $dst_port, $bytes) = ($3,$4, $6, $2);
        my $src_port = "";
        my ($src_int, $dst_int) = ("DMZ","TRUST");
        # Calculating Top users based on connection counts
        $connections{$src_int." => ".$dst_int}{conn_count}{$src_ip." => ".$dst_ip}++;
        $connections{$src_int." => ".$dst_int}{src_count}{$src_ip}++;
        $connections{$src_int." => ".$dst_int}{dst_count}{$dst_ip}++;

        # Calculating Top users based on bytes transferred
        $connections{$src_int." => ".$dst_int}{conn_bytes}{$src_ip." => ".$dst_ip} += $bytes;
        $connections{$src_int." => ".$dst_int}{src_bytes}{$src_ip}+= $bytes;
        $connections{$src_int." => ".$dst_int}{dst_bytes}{$dst_ip}+= $bytes;

        $all_connections{sprintf ("%-36s => %-36s (%-6d) %12s",$src_ip, $dst_ip, $dst_port)} += $bytes;
    }

}


foreach my $connection (sort keys %connections){
    print "--------------------------------------------------------------------------\n";
    print "STATISTICS FOR CONNECTION ", $connection, "\n";
    print "--------------------------------------------------------------------------\n";

    print "\nTop $n Connections by Bytes transferred\n";
    my $i = 0;
    printf ("%-56s %15s\n","Connection","Bytes Transferred");
    printf ("%-56s %15s\n","----------","-----------------");
    foreach my $conn_string (sort {$connections{$connection}{conn_bytes}{$b} <=> $connections{$connection}{conn_bytes}{$a} } keys %{$connections{$connection}{conn_bytes}}){
        last if $i > ($n-1);
        printf ("%-56s %15.0f\n", $conn_string, $connections{$connection}{conn_bytes}{$conn_string});
        $i++;
    }
    print "\n--------------------------------------------------------------------------\n";
    print "\nTop $n Source by Bytes transferred\n";
    my $i = 0;
    printf ("%-56s %15s\n","Source","Bytes Transferred");
    printf ("%-56s %15s\n","------","-----------------");
    foreach my $conn_string (sort {$connections{$connection}{src_bytes}{$b} <=> $connections{$connection}{src_bytes}{$a} } keys %{$connections{$connection}{src_bytes}}){
        last if $i > ($n-1);
        printf ("%-56s %15.0f\n", $conn_string, $connections{$connection}{src_bytes}{$conn_string});
        $i++;
    }

    print "\n--------------------------------------------------------------------------\n";
    print "\nTop $n Destination by Bytes transferred\n";
    my $i = 0;
    printf ("%-56s %15s\n","Destination","Bytes Transferred");
    printf ("%-56s %15s\n","-----------","-----------------");
    foreach my $conn_string (sort {$connections{$connection}{dst_bytes}{$b} <=> $connections{$connection}{dst_bytes}{$a} } keys %{$connections{$connection}{dst_bytes}}){
        last if $i > ($n-1);
        printf ("%-56s %15.0f\n", $conn_string, $connections{$connection}{dst_bytes}{$conn_string});
        $i++;
    }


    print "\n--------------------------------------------------------------------------\n";
    print "\nTop $n connections by Connection count\n";
    my $i = 0;
    printf ("%-56s %15s\n","Connection","Connection Count");
    printf ("%-56s %15s\n","----------","----------------");
    foreach my $conn_string (sort {$connections{$connection}{conn_count}{$b} <=> $connections{$connection}{conn_count}{$a} } keys %{$connections{$connection}{conn_count}}){
        last if $i > ($n-1);
        printf ("%-56s %15d\n", $conn_string, $connections{$connection}{conn_count}{$conn_string});
        $i++;
    }

    print "\n--------------------------------------------------------------------------\n";
    print "\nTop $n Source by Connection count\n";
    my $i = 0;
    printf ("%-56s %15s\n","Source","Connection Count");
    printf ("%-56s %15s\n","------","----------------");
    foreach my $conn_string (sort {$connections{$connection}{src_count}{$b} <=> $connections{$connection}{src_count}{$a} } keys %{$connections{$connection}{src_count}}){
        last if $i > ($n-1);
        printf ("%-56s %15d\n", $conn_string, $connections{$connection}{src_count}{$conn_string});
        $i++;
    }

    print "\n--------------------------------------------------------------------------\n";
    print "\nTop $n Destination by Connection count\n";
    my $i = 0;
    printf ("%-56s %15s\n","Destination","Connection Count");
    printf ("%-56s %15s\n","-----------","----------------");
    foreach my $conn_string (sort {$connections{$connection}{dst_count}{$b} <=> $connections{$connection}{dst_count}{$a} } keys %{$connections{$connection}{dst_count}}){
        last if $i > ($n-1);
        printf ("%-56s %15d\n", $conn_string, $connections{$connection}{dst_count}{$conn_string});
        $i++;
    }

    print "\n\n";


}

printf ("%-30s       %-36s  %-6s  %12s\n", "Source IP", "Destination IP", "Port", "Bytes");
printf ("%-30s       %-36s  %-6s  %12s\n", "-------------------------------", "------------------------------------", "------", "------------");
#map {print $_->[0]."\n"} @all_connections;

#print Dumper(\%all_connections);

foreach my $connection (sort {$all_connections{$b} <=> $all_connections{$a}} keys %all_connections)
{
    print "$connection  $all_connections{$connection}\n";
}

#map {printf ("%-36s (%-6d) => %-36s (%-6d) %12s\n", $_->[0], $_->[1], $_->[2], $_->[3], $_->[4])} sort {$b->[4] <=> $a->[4]} @all_connections;

Juniper Firewall - software that can report on traffic analysis?

4 Answers4