PIXie Version 0.99 beta
Open Source Cisco Log Analysis Tool
(c) 2000, John Adams

PIXie mailing list: send a blank message to pixie-subscribe@retina.net
to unsubscribe, do the same to: pixie-unsubscribe@retina.net

Download/Home page: http://www.retina.net/~jna/pixie

---

Abstract:

PIXie is a log analysis tool for Cisco PIX firewalls and routers. It offers
interactive, web-based drill-down viewing of denied packet reports, as well as
rudimentary port scan detection and multiple-device analysis.

At the time of this writing, PIXie only handles IP packets that have been
denied and that have produced log entries. The rest is up to you.

Warning:

THIS IS BETA SOFTWARE. This software is very very rough, and highly
experimental. It's also not as secure as I would like it to be, and it'll
probably break, but here it is anyhow.

All that I ask is that you respect the copyright and don't try to profit from
this code. Commercial users / people who are interested in licensing this
code: please contact me.

I'll try to help you if you can't get it working, but I'm quite busy, and
don't expect much. I built this over the course of 5 long evenings, and it's a
bit scatterbrained. Forgive me.

Portions copyright Mozilla.org (notably, lots of things in global.pl)

Requirements:

  * Perl 5.002 or greater with:
      * DBI/DBD
      * Mysql.pm
      * CGI.pm
      * DateFormat.pm
      * Socket.pm
  * MySQL version 3.23.11 (http://www.mysql.com) (you must run the alpha copy
    because this is data intensive, and requires "COUNT(DISTINCT...)" to do
    port scan detections)
  * Cisco PIX firewalls, or routers, all with their syslog (logging) addresses
    pointed to the same machine.
  * Cisco routers configured to LOG traffic. The PIX does this automatically
    for all denied ports, but routers do not! You should have entries like:

        permit tcp any any eq 22 log

    in your access control lists.
  * The syslog logfile from said routers
  * root access and mysql admin access to the box you are installing this on.
  * Apache or a web server capable of serving CGI
  * Network things like traceroute, ping, bwhois, all in the web server's
    path. MySQL and all of its utilities in your server's path.

Install:

1) Untar this mess in your web server's htdocs directory. Now you should have:

     htdocs/
     htdocs/pixie
     htdocs/pixie/bwhois-0.2

2) Alter your apache config to support CGI if you haven't already done so:

     Options Indexes FollowSymLinks ExecCGI
     ... other options here ...
     AddHandler cgi-script .cgi
     AddHandler cgi-script .pl

3) Restart the server.

     apachectl restart

4) You really need bwhois for this to work because of the recent changes in
   the Internic. bwhois is a whois program that I've included with this
   distribution. Let's go build it. (Edit the Makefile if you're running
   Solaris!)

     cd bwhois-0.2/
     make
     make install

   Then, tell bwhois where all the NIC servers are:

     mv whoisrc /etc/whoisrc

   Test bwhois:

     bwhois somedomain.com

   bwhois gets used by hostinfo.pl to show IP block and whois info.

5) Ensure that all of PIXie's perl scripts point to your location of Perl.
   Then, check 'localconfig' to ensure that it's configured for your MySQL
   server.

6) Now, the fun part. Ingest your logs into the MySQL database:

     ./reload
     ./parse.pl /your/logfile/goes/here.log

   You can do this as often as you like, as you will be working with all of
   the data that has been loaded in.

   *** Parsing can take a long time, up to 10 minutes on slow
   *** machines. You can watch its progress by connecting to the mysql
   *** database and doing a:

     select count(*) from syslog

7) Go to the URL and PIXie should work the first time. (Cross fingers now.)

   You will notice an initial delay on the first load as PIXie constructs the
   reporters database, a database of all routers that have sent syslog
   entries to your log. This will only happen once.

Enjoy, and please send comments to jna@retina.net.

--------------------------------------------------------------------

A word on security:

This thing is really insecure.
People can modify the variables in the CGI strings, mess with the MySQL
database, and all sorts of lovely things. Run it on a local machine! Password
protect the directory and keep people away from it. Don't run this on a
machine that people can access over the Internet (but it should have Internet
access so you can work with the dataset).
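The warning above is about CGI query-string values flowing straight into MySQL queries. The following is an added example, not PIXie's own code, showing the two ways a CGI value can reach a query: pasted into the SQL string (the pattern the warning describes) and passed as a bound parameter after the value has been validated as an IPv4 address. It uses Python's sqlite3 as a stand-in for MySQL/DBI, and the `syslog` table columns (`src`, `dst`, `dport`) are assumptions, not PIXie's real schema.

```python
"""
Added example (not part of PIXie): unsafe vs. hardened handling of a CGI
parameter that selects rows from the syslog table. sqlite3 stands in for
MySQL; the table layout below is constructed for the demo.
"""
import ipaddress
import sqlite3


def make_db():
    """Build a constructed in-memory 'syslog' table with a few denied packets."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE syslog (src TEXT, dst TEXT, dport INTEGER)")
    db.executemany(
        "INSERT INTO syslog VALUES (?, ?, ?)",
        [("192.0.2.10", "10.0.0.5", 22),
         ("192.0.2.10", "10.0.0.5", 80),
         ("198.51.100.7", "10.0.0.9", 22)],
    )
    return db


def denied_ports_unsafe(db, src):
    """The pattern the README warns about: the CGI value is interpolated into
    the SQL text, so any quote or SQL syntax in the value becomes part of the
    query instead of being treated as data."""
    sql = "SELECT dport FROM syslog WHERE src = '%s' ORDER BY dport" % src
    return [row[0] for row in db.execute(sql)]


def denied_ports_safe(db, src):
    """Hardened form: reject anything that is not a dotted-quad IPv4 address,
    then bind the value with a placeholder so the driver never parses it as SQL.
    DBI's '?' placeholders give the same guarantee in the Perl original."""
    try:
        ipaddress.IPv4Address(src)
    except ValueError:
        raise ValueError("src must be an IPv4 address, got %r" % src)
    sql = "SELECT dport FROM syslog WHERE src = ? ORDER BY dport"
    return [row[0] for row in db.execute(sql, (src,))]


if __name__ == "__main__":
    db = make_db()
    print("safe  :", denied_ports_safe(db, "192.0.2.10"))
    # A stray quote in the value corrupts the interpolated query; the safe
    # path rejects the same value before it ever reaches the database.
    for fn in (denied_ports_unsafe, denied_ports_safe):
        try:
            print(fn.__name__, ":", fn(db, "192.0.2.10'"))
        except Exception as exc:
            print(fn.__name__, ": refused ->", type(exc).__name__)
```

The validation step matters on its own: even with placeholders, a value that is not an address is not something this report should ever query for, so failing early keeps odd input out of the database layer entirely.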
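The abstract and install step 6 describe what PIXie does with a syslog file: pull out the denied-packet entries from PIX firewalls and IOS routers, load them, and flag port scans by counting distinct destination ports per source with COUNT(DISTINCT ...). The following is an added example, not PIXie's parse.pl, that does the same two things in Python over a handful of constructed log lines. The line shapes follow the PIX 106023 "Deny" message and the IOS IPACCESSLOGP message as I know them; the exact fields vary by software version, so the two regular expressions are assumptions to adapt to your own logs, and the threshold of four distinct ports is a chosen demo value.

```python
"""
Added example (not part of PIXie): parse denied-packet syslog lines from a
PIX and an IOS router, then report sources that touched many distinct
destination ports on one host, which is the README's port scan heuristic.
"""
import re
from collections import defaultdict

# Constructed sample syslog lines (not real traffic). The last line is a
# "Built connection" message, which is not a deny and must be skipped.
SAMPLE_LOG = """\
Mar  1 10:00:01 fw1 %PIX-4-106023: Deny tcp src outside:192.0.2.10/40001 dst inside:10.0.0.5/22 by access-group "outside_in"
Mar  1 10:00:02 fw1 %PIX-4-106023: Deny tcp src outside:192.0.2.10/40002 dst inside:10.0.0.5/23 by access-group "outside_in"
Mar  1 10:00:02 fw1 %PIX-4-106023: Deny tcp src outside:192.0.2.10/40003 dst inside:10.0.0.5/25 by access-group "outside_in"
Mar  1 10:00:03 fw1 %PIX-4-106023: Deny tcp src outside:192.0.2.10/40004 dst inside:10.0.0.5/80 by access-group "outside_in"
Mar  1 10:00:03 fw1 %PIX-4-106023: Deny udp src outside:192.0.2.10/40005 dst inside:10.0.0.5/161 by access-group "outside_in"
Mar  1 10:00:04 rtr1 12: *Mar  1 10:00:04: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51000) -> 10.0.0.9(22), 1 packet
Mar  1 10:00:05 rtr1 13: *Mar  1 10:00:05: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(51001) -> 10.0.0.9(22), 3 packets
Mar  1 10:00:06 fw1 %PIX-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.4/5555 (203.0.113.4/5555) to inside:10.0.0.5/80 (10.0.0.5/80)
"""

# Assumed message shapes; adjust to what your devices actually emit.
PIX_DENY = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
IOS_DENY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def parse_deny_lines(text):
    """Return one dict per denied packet (proto, src, sport, dst, dport, reporter).
    Lines that are not deny messages are ignored."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        # Standard syslog prefix: month day time hostname ...
        reporter = fields[3] if len(fields) > 3 else "?"
        m = PIX_DENY.search(line) or IOS_DENY.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        ev["reporter"] = reporter
        events.append(ev)
    return events


def port_scanners(events, min_distinct_ports=4):
    """Python version of the COUNT(DISTINCT dport) ... GROUP BY src, dst
    HAVING ... query: return {(src, dst): sorted ports} for every source that
    was denied to at least min_distinct_ports different ports on one host."""
    ports = defaultdict(set)
    for ev in events:
        ports[(ev["src"], ev["dst"])].add(ev["dport"])
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_distinct_ports}


if __name__ == "__main__":
    evs = parse_deny_lines(SAMPLE_LOG)
    print("%d denied packets parsed" % len(evs))
    for (src, dst), plist in port_scanners(evs).items():
        print("possible scan: %s -> %s ports %s" % (src, dst, plist))
```

With the sample above the single-port repeat from 198.51.100.7 is not reported, because the heuristic counts distinct ports rather than packets; raising or lowering `min_distinct_ports` is the same tuning knob as the HAVING threshold in the SQL form.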