About Reptor

Disclaimer

Reptor is provided without warranty of any kind, either expressed or implied. Use it at your own risk. It is not developed, packaged, distributed, bought, sold, supported, acknowledged to exist, or in any other way related to or associated with Axent Technologies. Okay, so the name is somewhat similar, but that's it. (It's a mangling of the words "report" and "Raptor".)

Description

Raptor Firewall logfiles contain detailed information regarding all connections that are made through the firewall server. Typically, one logfile is generated each day and is given the name logfile.date. Because of the size and complexity of these logfiles, it is difficult to manually obtain any useful information from from. Reptor attempts to address this problem by analyzing the logfile and generating traffic summaries and alert messages based on customizable conditions.

Features

Reptor can generate alert messages and traffic summaries in an extremely configurable manner.

Alert messages contain detailed information about individual logfile entries that have triggered a predefined condition as specified in a configuration file. For example, you may want to be notified about all telnet sessions that occurred between midnight and 6am, all ftp sessions that lasted longer than fifteen minutes, or all email messages that were larger than two megabytes. If you've really got Big Brother envy, or you're looking for some good blackmail material, you can even be notified whenever anyone browses a URL that contains an "objectionable" word. The list of objectionable words is customizable and can even contain regular expressions. Most alert conditions can be defined separately for each protocol. Alerts can be triggered in six different ways:

A connection lasts longer than a specified amount of time.
The volume of data transferred during a connection is greater than a specified number of bytes.
The time of day a connection occurs falls within a certain range.
A connection is authenticated by a specific user.
A connection violates a WebNOT rating.
The name of the source host, the name of the destination host, or the URL of the connection matches a specified regular expression.

A traffic summary is a table of statistics that contains information such as number of hits, number of bytes sent, number of bytes received, total number of bytes, and duration of time connected. Summaries summarize all non-filtered logfile entries, regardless of alert settings. Reptor can generate different types of summaries, each individually configurable. Types of summaries include:

Summary of total traffic
Summary of alerts triggered
Summary of protocols
Summary of hosts on each interface
Summary of authenticated users
Summary of interfaces
Summary of times of day
Summary of top level domains
Summary of Eagle Mobile usage
Summary of logfile message types
Summary of historical usage

If your firewall server has more than two network interfaces, Reptor can be configured to process only traffic flowing in certain directions and/or only traffic flowing between certain interfaces.

Supported Platforms

Reptor is a Perl program. In other words, it will run on just about anything that has a processor. If your target platform is Unix, you probably already have Perl, but you'll need to verify that it is a recent enough version, and that you have the required modules installed. If your target platform is Windows NT, you'll probably need to install Perl. Further details are available in the setup guide.

Usage

The primary design goal of Reptor is to generate a daily usage and exception report. It is not intended to provide reporting or analysis for long term activity (although it can, by merging multiple logfiles together). For this reason, it is recommended that Reptor be run automatically by utilizing a task scheduler such as Unix cron or Windows NT at. By default, Reptor will process the the logfile that was generated the previous day.

All options are read from a configuration file at runtime. By default, this file is named reptor.cfg. Before using Reptor, you must create at least one configuration file. A sample reptor.cfg is included in the Reptor distribution, and documentation is available on the configuration page.

Reptor generates HTML output. It can obtain logfiles from STDIN, the local filesystem, or through the remotelog utility that is shipped with the firewall. It can output to STDOUT, the local filesystem, to an FTP server, or to an SMTP server. Interesting combinations of these include, but are not limited to, the following situations:

If you only have one person who should see the output, you can run Reptor on the firewall server and have the output emailed to that user.
If you want more than one person to see the output, you can run Reptor on the firewall server and and post the output to an internal web server via FTP.
If you don't want to run Reptor on the firewall server, you can run it on the web server and use the remotelog utility to obtain the logfiles from the firewall server.

Command Line Options

Command line options override configuration file options.

--config file: The name of the configuration file to use. If not specified, reptor.cfg will be used.
--date date: The date of the logfile to process. The format for v4 logfiles is YYMMDD and the format for versions 5 and 6 is YYYYMMDD. If not specified, the logfile that was generated the previous day will be processed.
--dir directory: The directory that the desired logfile resides in. This option overrides the "directory" configuration file option.
--help: Prints this list.
--ignore: The log to process has been cut from a larger file or merged from multiple files, so don't look for the datestamp on the first line, or ignore it if it's there.
--log file: The full name of the logfile to process. This option overrides --date and --directory.
--verify: Verify the correctness of the configuration file, the readability of the logfile, and exit without processing.
--version: Print the Reptor version number and exit.

Processing Speed

The speed at which Reptor can process logfiles varies greatly from system to system. Obviously, the most influential factor is the size of the logfiles. By design, Reptor is meant to be run unattended in the wee hours of the morning. Hopefully, this will alleviate any speed issues you may have. If your logfiles are so huge and/or your processor is so slow that processing time becomes an issue, well ... tough. What do you want for free?

If you're really intent on this sort of thing, here are some nearly meaningless benchmarks. Each of these tests were run with a fair number of alert triggers, but no DNS lookups.

Hardware OS Load Speed

150MHz Pentium Linux mild 10Mb/min

300MHz Pentium II NT Workstation none 25Mb/min

400MHz Pentium II Linux none 40Mb/min

Hardware	OS	Load	Speed
150MHz Pentium	Linux	mild	10Mb/min
300MHz Pentium II	NT Workstation	none	25Mb/min
400MHz Pentium II	Linux	none	40Mb/min