linux-firewall-log-analyser/plan.md

Linux Firewall Log Analyser

Goal

Build a single-page web application that parses Linux netfilter (iptables/nftables) kernel log lines and generates a security report from them. The application will accept log data via file upload or direct paste and parse entries containing the kernel uptime timestamp, the rule's log prefix that names the action (IN, DROP, FWD, OUT, with an optional INVALID marker), network interfaces, MAC addresses, source and destination IPs (IPv4 and IPv6), ports, protocols, and TCP flags.

The tool will aggregate netfilter data to identify patterns such as port scanning attempts, top attacking IPs, most targeted ports, temporal distribution of blocked traffic, and protocol distributions. Output will be presented through summary statistics, sortable data tables, and visual charts to help system administrators quickly assess security events and network anomalies without requiring command-line tools.

Requirements

MUST Implement

  • Parse standard netfilter kernel log format produced by iptables/nftables LOG target
  • Handle kernel uptime timestamps in [seconds.microseconds] format: time since boot, not wall-clock time. The counter restarts at zero on reboot, so a line whose timestamp is lower than the previous one marks a new boot, and any time-window logic must not span that boundary
  • Parse the log prefix that names the action: IN (incoming accepted), DROP (blocked by rule), FWD (forwarded through), OUT (outgoing), with an optional INVALID state marker. These tokens are the prefix configured on the logging rule (iptables --log-prefix, nftables log prefix), not a verdict recorded by netfilter, so treat the vocabulary as a convention and keep unknown prefixes as raw text
  • Parse all netfilter key-value pairs: IN=, OUT=, MAC=, SRC=, DST=, LEN=, TOS=, PREC=, TTL=/HOPLIMIT=, ID=/FLOWLBL=, DF (Don't Fragment flag), PROTO=, SPT=, DPT=, WINDOW=, RES=, URGP=, and the TCP flags (SYN, ACK, FIN, PSH, RST, URG). MAC= is the destination MAC, source MAC and EtherType concatenated and is absent for locally generated packets; UDP and ICMP lines repeat LEN= (and ICMP ID=) for the transport header after the IP-header value, so the parser must keep the first occurrence
  • Handle both IPv4 and IPv6 netfilter formats (IPv6 uses TC=, HOPLIMIT= and FLOWLBL= in place of TOS=, TTL= and ID=, and prints addresses in full uncompressed form)
  • Accept log input via text area paste and file upload (.log, .txt files)
  • Generate summary statistics: total events, event counts by netfilter action, unique source IPs, unique destination ports, temporal range
  • Identify and flag potential port scans: at least N distinct destination ports from one source within a T-second window of kernel uptime, with N and T configurable and windows never crossing a reboot boundary
  • Display top 10 source IPs by event count
  • Display top 10 destination ports targeted
  • Show chronological event timeline with filtering by netfilter action type
  • Export the generated report as a static HTML file containing all analysis results; every log-derived string (prefixes, interface names, addresses, raw lines) must be HTML-escaped when written into the report, because log text is untrusted input and a crafted line must not inject markup into the exported file
  • Single-file application: all HTML, CSS, and JavaScript contained in one .html file
  • No external dependencies (pure vanilla JavaScript, SVG/CSS for charts)
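The parsing and aggregation the MUST list asks for, as an added example that is not part of this plan or the project's code. It assumes the IN/DROP/FWD/OUT/INVALID tokens are log prefixes configured on the rules, runs on a constructed sample log embedded below, and the function names (parseNetfilterLine, parseNetfilterLog, summarize, detectPortScans) are hypothetical:

```javascript
// Added example, not the project's code: parse netfilter LOG lines carrying kernel uptime
// timestamps and build the report aggregates. Assumed: IN/DROP/FWD/OUT/INVALID are rule prefixes.
const TCP_FLAGS = ["SYN", "ACK", "FIN", "PSH", "RST", "URG"];
const PREFIX_ACTIONS = ["IN", "DROP", "FWD", "OUT"];

function parseNetfilterLine(line) {
  // "[  123.456789]" is seconds.microseconds since boot; a syslog header may precede it.
  const m = line.match(/\[\s*(\d+)\.(\d{6})\]\s*(.*)$/);
  if (!m) return null;
  const tokens = m[3].trim().split(/\s+/);
  let i = 0; const prefix = [];           // prefix = every token before the first KEY= token
  while (i < tokens.length && !/^[A-Z]+=/.test(tokens[i])) prefix.push(tokens[i++]);
  const kv = {}, bare = [];               // bare tokens are DF and the TCP flags
  for (; i < tokens.length; i++) {
    const eq = tokens[i].indexOf("=");
    if (eq < 0) bare.push(tokens[i]);
    // UDP/ICMP lines repeat LEN=/ID= for the transport header: keep the first (IP header) value
    else if (!(tokens[i].slice(0, eq) in kv)) kv[tokens[i].slice(0, eq)] = tokens[i].slice(eq + 1);
  }
  if (!kv.SRC || !kv.DST) return null;    // some other kernel message
  const ipv6 = kv.SRC.includes(":");      // IPv6 lines carry TC/HOPLIMIT/FLOWLBL, not TOS/TTL/ID
  return {
    uptime: Number(m[1]) + Number(m[2]) / 1e6,
    action: prefix.find((p) => PREFIX_ACTIONS.includes(p)) || null,
    invalid: prefix.includes("INVALID"),
    inIface: kv.IN || "", outIface: kv.OUT || "",
    mac: kv.MAC || null,                  // absent for locally generated (OUT=) packets
    src: kv.SRC, dst: kv.DST, ipv6, len: Number(kv.LEN),
    hops: Number(ipv6 ? kv.HOPLIMIT : kv.TTL), df: bare.includes("DF"),
    spt: "SPT" in kv ? Number(kv.SPT) : null, dpt: "DPT" in kv ? Number(kv.DPT) : null,
    proto: kv.PROTO || null, tcpFlags: TCP_FLAGS.filter((f) => bare.includes(f)),
  };
}

// Uptime restarts at zero on reboot, so a backwards jump opens a new boot epoch;
// time-window analysis must never span epochs.
function parseNetfilterLog(text) {
  const events = []; let boot = 0, last = -Infinity;
  for (const line of text.split("\n")) {
    const e = parseNetfilterLine(line); if (!e) continue;
    if (e.uptime < last) boot++; last = e.uptime;
    events.push({ ...e, boot });
  }
  return events;
}

function summarize(events) {
  const count = (key) => { const c = {}; for (const e of events) { const k = key(e); if (k !== null) c[k] = (c[k] || 0) + 1; } return c; };
  const top = (c, n) => Object.entries(c).sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0])).slice(0, n);
  return {
    total: events.length,
    byAction: count((e) => e.action || "UNKNOWN"),
    uniqueSources: new Set(events.map((e) => e.src)).size,
    uniqueDstPorts: new Set(events.map((e) => e.dpt).filter((p) => p !== null)).size,
    uptimeRange: [Math.min(...events.map((e) => e.uptime)), Math.max(...events.map((e) => e.uptime))],
    topSources: top(count((e) => e.src), 10),
    topDstPorts: top(count((e) => e.dpt), 10),
  };
}

// Port-scan heuristic: at least minPorts distinct destination ports from one source inside a
// sliding windowSec window of uptime, evaluated per boot epoch so a reboot cannot merge windows.
function detectPortScans(events, { minPorts = 10, windowSec = 60 } = {}) {
  const bySrc = new Map();
  for (const e of events.filter((x) => x.dpt !== null)) {
    const k = `${e.boot}|${e.src}`;
    bySrc.set(k, (bySrc.get(k) || []).concat(e));
  }
  const scans = [];
  for (const list of bySrc.values()) {
    list.sort((a, b) => a.uptime - b.uptime);
    for (let lo = 0, hi = 0; hi < list.length; hi++) {
      while (list[hi].uptime - list[lo].uptime > windowSec) lo++;
      const ports = new Set(list.slice(lo, hi + 1).map((x) => x.dpt));
      if (ports.size >= minPorts) {       // report the first qualifying window per source
        scans.push({ src: list[hi].src, ports: [...ports].sort((a, b) => a - b),
                     start: list[lo].uptime, end: list[hi].uptime });
        break;
      }
    }
  }
  return scans;
}

// Constructed sample (not real traffic): a 12-port SYN sweep, an INVALID drop, an IPv6 UDP drop,
// a locally generated OUT line (no MAC=), a syslog-wrapped ICMP line, and a post-reboot line.
const MAC = "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00";
const SAMPLE_LOG = [
  ...Array.from({ length: 12 }, (_, i) =>
    `[  ${100 + i}.000000] DROP IN=eth0 OUT= ${MAC} SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=${1000 + i} DF PROTO=TCP SPT=${43000 + i} DPT=${21 + i} WINDOW=29200 RES=0x00 SYN URGP=0`),
  `[  115.000000] INVALID DROP IN=eth0 OUT= ${MAC} SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1234 DPT=80 WINDOW=0 RES=0x00 ACK RST URGP=0`,
  `[  116.000000] DROP IN=eth0 OUT= ${MAC} SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=40`,
  `[  117.000000] OUT IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=64240 RES=0x00 ACK URGP=0`,
  `Jan 10 12:00:00 gw kernel: [  118.000000] IN IN=eth0 OUT= ${MAC} SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1`,
  `[   12.500000] DROP IN=eth0 OUT= ${MAC} SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=9 DF PROTO=TCP SPT=44000 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0`,
].join("\n");

const events = parseNetfilterLog(SAMPLE_LOG); console.log(summarize(events), detectPortScans(events));
```

On the sample, the sweep from 203.0.113.5 is flagged with the default 10 ports in 60 s but not with a 5 s window, which is the knob the UI should expose; the final line, whose uptime is lower than the one before it, lands in a second boot epoch and is therefore never merged into the earlier window. Everything the parser returns is a plain value, so the report layer can escape it once at render time.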

SHOULD Implement

  • Real-time filtering of displayed results by time range (kernel uptime range), IP subnet, or port number
  • Severity scoring heuristic (for example many SYN-only packets per second from one source, or repeated DROP events from a single source)
  • Search functionality across raw netfilter log lines
  • Dark/light mode toggle for usability

Research

Netfilter Log Format Confirmation

The provided logs are confirmed netfilter messages from the Linux kernel's packet filtering framework. Netfilter is the kernel framework that provides packet filtering, network address translation (NAT) and packet logging; iptables and nftables are userspace tools that load rules into it and do not log anything themselves. When a rule uses the iptables LOG target or the nftables log statement, the kernel writes one message per matching packet to the kernel ring buffer via printk, from where klogd, rsyslog or journald collects it; that is why the lines carry dmesg-style uptime timestamps rather than wall-clock time. Two properties matter for the analyser: LOG is non-terminating, so a logged packet is only dropped if a separate rule drops it, and the IN/DROP/FWD/OUT text in front of the key-value pairs is the prefix the rule author configured, not a verdict recorded by netfilter. An nftables log statement with a group option sends packets to nfnetlink_log (ulogd) instead of the kernel log, and those never appear in this format.

Format pattern: