First off I wanted to take the time to say thank you for putting together a really intuitive product. I’ve recommended GlassWire to tons of friends, colleagues and family. Please keep up the great work!
I wanted to request that exports could be made of the firewall traffic data to a consumable stream either to a flat-file written to disk or even better – a consumable syslog feed that writes straight out onto the NIC on 514. This would make for some nice integration with some pretty popular SIEM tools and maybe keep resource consumption low.
I’d be happy to write and share some parsing rules for LogRhythm, QRadar and maybe some other open source SIEMs if you guys decided to open that box up.
Whoops, forgot – being able to review the traffic from the “usage” tab and add a blocking rule from it would be awesome too.
Thank you for your kind words about GlassWire and thanks for recommending our software to others! We really appreciate your support and it helps us a lot.
Some kind of export feature is a popular request. If we were going to start simple what would you recommend (if there is anything besides what you already recommended above)?
We are working on rules for 2.0 for the firewall tab, and making blocking easier from “usage” is a great idea.
I’d say you guys already have a great set of relevant data showing up in alerts. Start with logging that same output to a flat text file. It shouldn’t be too resource intensive, and it is good information to have as far as SIEM tools are concerned. As GW scales out in features / what it alerts on, so will the value of those logs.
I wouldn’t worry too much about trying to accommodate a certain logging format or particular SIEM. Each SIEM is going to have its own way of wanting X data parsed to Y meta-data field. As long as it’s well structured and easy to read it’ll be simple to import.
I’d love to pit First Network Activity logs against some of my managed threat-lists. Lots of cool stuff that you can do from there alone.
Value adds, value adds everywhere.
I am in complete agreement with @iconixa. Reading some of the comments and responses on here, I don’t think you guys realise just how useful this tool is already, and what it could become with future improvements. You’re really onto something.
In order to get the best out of this, what you really need to do is develop a centralised management, monitoring, and logging console. This would allow multiple instances to be managed and monitored from a central point, but crucially, allow the logging to be generated in one place. Format wise, I would just try and create something that makes sense and “flows”, e.g. date/time, source IP, source port, destination IP, destination port, alert ID, alert message. Snort’s format makes a lot of sense instantly, so perhaps have a look at that.
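To illustrate what the two posts above are asking for, here is an added example (not GlassWire code, and not part of this thread) that parses the proposed comma-separated flat-file format and checks destination IPs against a threat list, the "First Network Activity vs. threat-list" use case mentioned earlier. The log lines, alert IDs and threat-list entries are all constructed for the example.

```python
from __future__ import annotations
import csv
import io
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of the flat-file format proposed in the thread:
# date/time, source IP, source port, destination IP, destination port, alert ID, alert message
SAMPLE_LOG = """\
2017-03-01T09:15:02,192.168.1.20,51344,203.0.113.45,443,FIRST_NET_ACTIVITY,"chrome.exe first network activity"
2017-03-01T09:15:07,192.168.1.20,51345,198.51.100.7,80,FIRST_NET_ACTIVITY,"updater.exe first network activity"
2017-03-01T09:16:40,192.168.1.22,60001,192.0.2.200,8080,NEW_HOST,"unknown.exe connected to new host"
"""

# Constructed (hypothetical) threat list; a real one would come from a managed feed.
THREAT_LIST = ["203.0.113.0/24", "192.0.2.200"]

@dataclass
class AlertRecord:
    timestamp: datetime
    src_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    src_port: int
    dst_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst_port: int
    alert_id: str
    message: str

def parse_log(text: str) -> list[AlertRecord]:
    """Parse the seven-field CSV format; malformed rows are skipped, not fatal."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 7:
            continue
        ts, sip, sport, dip, dport, alert_id, msg = row
        records.append(AlertRecord(datetime.fromisoformat(ts), ipaddress.ip_address(sip),
                                   int(sport), ipaddress.ip_address(dip), int(dport),
                                   alert_id, msg))
    return records

def load_threat_list(entries: list[str]) -> list[ipaddress.IPv4Network | ipaddress.IPv6Network]:
    """Accept both single hosts and CIDR ranges so one lookup covers both."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def match_threats(records, networks, only_alert_id=None):
    """Return (record, matched_network) pairs whose destination IP is on the list."""
    hits = []
    for r in records:
        if only_alert_id and r.alert_id != only_alert_id:
            continue
        net = next((n for n in networks if r.dst_ip in n), None)
        if net is not None:
            hits.append((r, str(net)))
    return hits
```

Passing `only_alert_id="FIRST_NET_ACTIVITY"` restricts the check to first-network-activity events, which is the comparison the earlier post describes.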
We do have remote monitoring, and you can try it with one PC for free https://www.glasswire.com/userguide/#Remote_Monitoring.
Then we’re still working to add more advanced host based firewall features. Thanks for your feedback and positive comments.