Firewall Wizards mailing list archives

RE: Syslog monitoring and usage.


From: "Chad Thomsen" <chad.thomsen () bramespecialty com>
Date: Fri, 16 Jul 2004 14:05:00 -0400

Bingo!!  Wes, you hit the nail on the head.  That is what I was looking for. Thanks to all who posted, as I have learned more than I intended to. I plan on setting up snort with snortsam in the future after I get some current projects done.  Hopefully I can put a snort box behind and in front of the pix so I can see how well it is doing.

Thanks,

Chad Thomsen, MCSE, CCNA
Network Administrator


-----Original Message-----
From: Wes Noonan [mailto:mailinglists () wjnconsulting com] 
Sent: Friday, July 16, 2004 1:21 PM
To: 'Melson, Paul'; 'Chad Thomsen'; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Syslog monitoring and usage.

When I wrote the chapter on syslog for my book (actually it is part of the network management chapter, but I digress) I finally got around to putting together a list of PIX syslog messages that IMO deserve "special" recognition. I've never really found a good resource that says "monitor these messages" and I figured if I wanted a list I might as well make it myself. Anyway, I put that list out on my website under the whitepapers section. The direct link is here:

http://www.wjnconsulting.com/WJNConsulting/Whitepapers/syslog.htm

HTH

Oh, and if anyone comes across other messages that should be added, please let me know and I will update the website accordingly. Thanks.

Wes Noonan
mailinglists () wjnconsulting com  
http://www.wjnconsulting.com  
Hardening Network Infrastructure - A concise how to guide
Available Now
Order at http://tinyurl.com/53pp6 


-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Melson, Paul
Sent: Wednesday, July 14, 2004 08:00
To: Chad Thomsen; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Syslog monitoring and usage.

Cisco publishes the definitions of all of the syslog messages that can be generated by a PIX firewall:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/index.htm

As far as the 'IDS' syslog messages that it generates, keep in mind that the PIX is only capable of "atomic" checks, meaning that it only alerts on the behavior of a single packet.  Aside from some older DoS attacks and certain types of stealth port scans, the PIX is useless as an IDS.

PaulM

PS - If you want to see everything the PIX can send to the syslog server, make sure 'logging console debugging' is set in the config.  Of course, on a busy firewall, this can lead to ~300MB/day in log files, so it may only be useful for a short period of time or when used in conjunction with automated log analysis software.


-----Original Message-----
I am trying to learn the ins and outs of using Syslog.  I am at my second job where I have installed and configured another Pix, but have never really got into Syslog.  I am currently using KIWI syslog daemon. I would like to better find out what the messages mean, and how to track down port scans, and other security related issues that syslog may reveal. To sum it up, I want to be able to have a good understanding of a log file that comes from a Pix.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
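Both Wes's point (keep a short list of PIX messages that deserve special attention) and Paul's (a debug-level feed is mostly connection noise, so automate the analysis) come down to the same first step: parse the `%PIX-<severity>-<message id>:` header and triage on it. The following is an added example, not code from the thread, Wes's whitepaper, or Kiwi; the watch list and the sample log lines are constructed for illustration, and the message ids in them are real PIX ids but the "reason" strings are this example's own.

```python
import re
from collections import Counter

# PIX syslog header: "%PIX-<severity 0-7>-<6-digit message id>: <text>".
# search() tolerates whatever timestamp prefix the syslog daemon prepends.
PIX_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Assumed watch list for this example (NOT Wes Noonan's list): message ids that
# warrant a human look regardless of severity, with a one-line reason each.
WATCH = {
    "111008": "configuration command executed on the firewall",
    "106023": "packet denied by access-group",
    "106001": "inbound TCP connection denied",
    "199002": "PIX startup completed (unexpected reboot?)",
}

def parse_pix_line(line):
    """Return (severity, msgid, text), or None if the line is not a PIX message."""
    m = PIX_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")

def triage(lines, watch=WATCH):
    """Return (alerts, severity_counts) for an iterable of syslog lines.

    alerts: (msgid, reason, text) for every line whose id is on the watch list.
    severity_counts: Counter of severity -> message count, which shows how much
    of a 'logging console debugging' feed is level-6/7 connection chatter.
    """
    alerts, counts = [], Counter()
    for line in lines:
        parsed = parse_pix_line(line)
        if parsed is None:
            continue  # e.g. a syslog daemon status line, not a PIX message
        sev, msgid, text = parsed
        counts[sev] += 1
        if msgid in watch:
            alerts.append((msgid, watch[msgid], text))
    return alerts, counts

# Constructed sample in the shape a syslog daemon stores PIX messages (no real hosts).
SAMPLE_LOG = """\
Jul 16 2004 13:20:01: %PIX-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.9/80 (203.0.113.9/80) to inside:192.0.2.15/3456 (192.0.2.15/3456)
Jul 16 2004 13:20:02: %PIX-6-302014: Teardown TCP connection 1234 for outside:203.0.113.9/80 to inside:192.0.2.15/3456 duration 0:00:01 bytes 512 TCP FINs
Jul 16 2004 13:20:05: %PIX-4-106023: Deny tcp src outside:198.51.100.7/4123 dst inside:192.0.2.15/23 by access-group "outside_in"
Jul 16 2004 13:20:09: %PIX-5-111008: User 'enable_15' executed the 'no logging console' command.
Kiwi Syslog Daemon status: 4 messages received
""".splitlines()

if __name__ == "__main__":
    alerts, counts = triage(SAMPLE_LOG)
    for msgid, reason, text in alerts:
        print(f"[{msgid}] {reason}: {text}")
    print("messages per severity:", dict(sorted(counts.items())))
```

The severity counter is the cheap way to see what a day of debug-level logging will cost before committing disk to it; the watch list is where a list like Wes's would be plugged in.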