Firewall Wizards mailing list archives

Re: Reading firewall logs


From: Bill Pennington <billp () rocketcash com>
Date: Wed, 26 Apr 2000 18:05:50 -0700

You can look at Webtrends for Firewall and VPNs. It makes pretty
pictures. I am not that familiar with checkpoint tools/scripts out there
but you should be able to find/write something that cuts through most of
the fluff and gives you the real anomalous activity.

As far as having someone read your logs for a few hours a day that all
depends on your security policy/stance. I read logs every day but it only
takes me about 30 minutes total. I get fresh log info every 30 minutes
so I am not reading a full day's worth at a time. The most I have to read
is about 10 hours worth. I am looking at firewall and IDS logs from 2
locations, one a fairly high trafficked web site. Depending on the
amount of traffic and the amount of break-in attempts your time will
vary. With experience, the person reading the logs will be able to weed
out the script-kiddies from the more "advanced" attempts.

Alex Lim wrote:

Hi,

I am hoping to hear some enlightening comments on reading firewall logs.
I am curious if people are actually doing it or is there some kind of
tools that we can buy off the shelf. I don't think it's productive or
efficient to ask an employee to spend a few hours reading the logs just
to look out for anomalies.

Anyone care to comment? BTW I am referring to the Checkpoint FW-1 logs.

TIA
Alex Lim

-- 


Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com
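One way to "cut through the fluff" in the way Bill describes, as an added example that is not from this thread and not Check Point's own tooling: a small Python triage pass over a constructed, simplified log export. The semicolon layout, the column names, the sample addresses and the udp/137 "noise" list are all assumptions for illustration, not the real FW-1 export format.

```python
from collections import Counter, defaultdict

# Constructed sample export (assumption: a simplified semicolon-separated
# layout modelled loosely on a firewall log export; not real FW-1 output).
SAMPLE_LOG = """\
num;date;time;action;proto;src;dst;service
1;26Apr2000;17:01:02;accept;tcp;10.0.0.5;192.0.2.10;80
2;26Apr2000;17:01:03;drop;tcp;198.51.100.7;192.0.2.10;23
3;26Apr2000;17:01:03;drop;tcp;198.51.100.7;192.0.2.10;21
4;26Apr2000;17:01:04;drop;tcp;198.51.100.7;192.0.2.10;111
5;26Apr2000;17:01:04;drop;tcp;198.51.100.7;192.0.2.10;513
6;26Apr2000;17:01:05;drop;udp;203.0.113.9;192.0.2.10;137
7;26Apr2000;17:01:06;accept;tcp;10.0.0.6;192.0.2.10;443
8;26Apr2000;17:01:09;drop;udp;203.0.113.9;192.0.2.10;137
9;26Apr2000;17:02:11;drop;tcp;203.0.113.44;192.0.2.11;80
"""

# Background chatter that is dropped constantly and only worth a count
# (assumption: NetBIOS name/datagram broadcasts).
NOISE_SERVICES = {("udp", "137"), ("udp", "138")}

def parse(text):
    """Turn the header-led export into a list of dicts keyed by column name."""
    lines = text.strip().splitlines()
    fields = lines[0].split(";")
    return [dict(zip(fields, line.split(";"))) for line in lines[1:]]

def triage(records, min_services=3):
    """Collapse the export into an accepted count, one figure for background
    noise, and one line per dropped source classified by services touched."""
    drops = [r for r in records if r["action"] == "drop"]
    noise = [r for r in drops if (r["proto"], r["service"]) in NOISE_SERVICES]
    signal = [r for r in drops if (r["proto"], r["service"]) not in NOISE_SERVICES]
    hits = Counter(r["src"] for r in signal)
    services = defaultdict(set)
    for r in signal:
        services[r["src"]].add((r["proto"], r["service"]))
    sources = []
    for src, n in hits.most_common():
        distinct = len(services[src])
        if distinct >= min_services:
            kind = "multi-service probe"      # walked several ports: look closer
        elif n > 1:
            kind = "repeated single-service"  # hammering one port
        else:
            kind = "single drop"              # usually stray traffic
        sources.append({"src": src, "drops": n, "services": distinct, "kind": kind})
    return {"accepted": sum(r["action"] == "accept" for r in records),
            "noise_drops": len(noise), "sources": sources}
```

Calling `triage(parse(SAMPLE_LOG))` reduces the nine lines to two accepted connections, two noise drops, and two source summaries, the first flagged as a multi-service probe.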


