Firewall Wizards mailing list archives

Re: Reading firewall logs


From: Bill_Royds () pch gc ca
Date: Sat, 6 May 2000 12:04:30 -0400

My scripts depend on the firewall stopping the connect attempts since, as you
say, it is almost impossible to separate wheat from chaff on allowed connections.
Thus it is really a summary of rejected connect attempts to better understand
them. Knowing that port x is being tried from IP a.b.c.d a lot may help uncover
new exploit attempts, even if they are rejected by the firewall, or it might just
mean a service that we are blocking that a lot of clients need and we should be
looking at a proxy.
  But that is what security is about: enabling your clients to do their job
while minimizing the risks as much as possible.




ark () eltex ru on 2000/05/03 06:57:29

Please respond to ark () eltex ru

 To:      Bill Royds/HullOttawa/PCH/CA@PCH
 cc:      jseymour () LinxNet com, mwlalex () magix com sg,
          firewall-wizards () nfr net
 Subject: Re: [fw-wiz] Reading firewall logs

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

But there is another problem. If the attacker knows well how your scripts
work, he can try to avoid detection by placing "ignore" patterns in
domain names, source ports and so on. So the parser should be written
really well and should not rely on _simple_ regexps and "common" cases.

Bill_Royds () pch gc ca said:

I use Perl scripts to summarize important events. For example, I have a script
that looks at all rejected packets, ICMP redirects etc. that the firewall sees and
summarizes by source/srcport -> destin/dstport (ICMP type), so that I can
quickly see if certain exploits are being attempted. We get about 500MB of
firewall logs a day (including legitimate usage), so anomaly detection is
impossible by eyeball.
  Perl is probably the most useful log tool, followed by Excel or some other
spreadsheet to slice and dice results.



                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBORAGFaH/mIJW9LeBAQGWTQP/UsHhxKmsZTVr9l/mtVHub3pk5Jgtar8X
jyOXi1SUTOJ87M9F1ZJd3WR0P9NjgJDn3ergml392irRZnw8cPvhvLupm+R3TxfA
Ru+OzhhsndAr5Q11mhQOojCEoQKmUQJtMmlA/fDNFkdN54gVEi9OnTjGtRmkq0uL
gVaK4NR8EPo=
=8Kwj
-----END PGP SIGNATURE-----
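A rejected-connection summarizer of the kind Bill describes, written here in Python rather than Perl, as an added example that is not code from either poster. The log format, the sample lines, the ignore rules and the addresses are all constructed for the example. It rolls the count up over source port (ephemeral ports differ per connection, so keeping them in the key would hide the pattern) and contrasts two ways of suppressing known noise: a whole-line regex, which a source-controlled string such as a reverse DNS name can satisfy, against rules matched only on the parsed field they are meant for, which is the parser property ark is asking for.

```python
"""Summarize rejected connection attempts from firewall logs.

Added example, not code from the thread. The log format is constructed:
one record per line, a syslog-style prefix, an action token, then key=value
fields. Real firewalls differ; adapt parse_line() to the real layout.
"""
import re
from collections import Counter

# Constructed sample log (documentation-range addresses, not a real capture).
# The last line carries a reverse DNS name containing the word "ntp".
SAMPLE_LOG = """\
May  6 11:59:01 fw DENY proto=tcp src=203.0.113.7 sport=4021 dst=192.0.2.10 dport=23 rdns=-
May  6 11:59:02 fw DENY proto=tcp src=203.0.113.7 sport=4022 dst=192.0.2.10 dport=23 rdns=-
May  6 11:59:05 fw ACCEPT proto=tcp src=10.1.1.20 sport=51000 dst=192.0.2.10 dport=80 rdns=-
May  6 11:59:07 fw DENY proto=icmp src=203.0.113.9 type=5 dst=192.0.2.10 rdns=-
May  6 11:59:09 fw DENY proto=udp src=198.51.100.3 sport=123 dst=192.0.2.10 dport=123 rdns=-
May  6 11:59:11 fw DENY proto=tcp src=203.0.113.7 sport=4023 dst=192.0.2.10 dport=23 rdns=ntp.example.org
"""

# Field-based ignore rules: every key in a rule must equal the parsed field.
# Constructed rule: rejected NTP probes to the firewall address are known noise.
FIELD_IGNORE_RULES = [
    {"proto": "udp", "dst": "192.0.2.10", "dport": "123"},
]

# The "simple regexp" alternative: suppress any line mentioning NTP at all.
NAIVE_IGNORE = re.compile(r"ntp|dport=123")


def parse_line(line):
    """Parse one record into a dict, or return None if it does not conform.

    A line that does not match the expected layout is never silently accepted
    as 'nothing interesting'; the caller counts it so it can be inspected.
    """
    tokens = line.split()
    # prefix: month day time host, then the action token
    if len(tokens) < 5 or tokens[4] not in ("DENY", "ACCEPT"):
        return None
    rec = {"action": tokens[4]}
    for tok in tokens[5:]:
        key, sep, value = tok.partition("=")
        if not sep or not key or key in rec:
            return None  # not key=value, or a duplicated key
        rec[key] = value
    if not {"proto", "src", "dst"}.issubset(rec):
        return None
    return rec


def summary_key(rec):
    """Aggregate by proto, src, dst and dport (ICMP type for ICMP)."""
    if rec["proto"] == "icmp":
        return (rec["proto"], rec["src"], rec["dst"], "type " + rec.get("type", "?"))
    return (rec["proto"], rec["src"], rec["dst"], rec.get("dport", "?"))


def field_ignored(rec, rules):
    """True if any rule matches the record on every one of the rule's fields."""
    return any(all(rec.get(k) == v for k, v in rule.items()) for rule in rules)


def summarize(log_text, rules=FIELD_IGNORE_RULES):
    """Count DENY records per summary key; also count malformed lines."""
    counts, malformed = Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if rec["action"] != "DENY" or field_ignored(rec, rules):
            continue
        counts[summary_key(rec)] += 1
    return counts, malformed


def summarize_naive(log_text, ignore_re=NAIVE_IGNORE):
    """Same summary, but the ignore test is a regex over the whole raw line."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip() or ignore_re.search(line):
            continue
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue
        counts[summary_key(rec)] += 1
    return counts


if __name__ == "__main__":
    counts, bad = summarize(SAMPLE_LOG)
    print(f"field-based ignore ({bad} malformed line(s) to inspect):")
    for (proto, src, dst, port), n in counts.most_common():
        print(f"{n:5d}  {proto:4s} {src} -> {dst} {port}")
    print("whole-line regex ignore:")
    for (proto, src, dst, port), n in summarize_naive(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {proto:4s} {src} -> {dst} {port}")
```

On the sample the field-based pass reports three rejected telnet attempts from 203.0.113.7, while the regex pass reports two: the third is dropped only because the reverse DNS string in that record happens to contain "ntp". The rule set stays readable because each rule names the field it constrains, and anything the parser cannot account for is surfaced as a malformed count rather than discarded.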