Firewall Wizards mailing list archives
RE: Syslog montioring and usage.
From: "Chad Thomsen" <chad.thomsen () bramespecialty com>
Date: Fri, 16 Jul 2004 14:05:00 -0400
Bingo!! Wes you hit the nail on the head. That is what I was looking for. Thanks to all who posted as I have learned more then I intended on. I plan on setting up snort with snortsam in the future after I get some current projects done. Hopefully I can put a snort box behind and in front of the pix so I can see how well it is doing. Thanks, Chad Thomsen, MCSE, CCNA Network Administrator -----Original Message----- From: Wes Noonan [mailto:mailinglists () wjnconsulting com] Sent: Friday, July 16, 2004 1:21 PM To: 'Melson, Paul'; 'Chad Thomsen'; firewall-wizards () honor icsalabs com Subject: RE: [fw-wiz] Syslog montioring and usage. When I wrote the chapter on syslog for my book (actually it is part of the network management chapter, but I digress) I finally got around to putting together a list of PIX syslog messages that IMO deserve "special" recognition. I've never really found a good resource that says "monitor these messages" and I figured if I wanted a list I might as well make it myself. Anyway, I put that list out on my website under the whitepapers section. The direct link is here: http://www.wjnconsulting.com/WJNConsulting/Whitepapers/syslog.htm HTH Oh, and if anyone comes across other messages that should be added, please let me know and I will update the website accordingly. Thanks. Wes Noonan mailinglists () wjnconsulting com http://www.wjnconsulting.com Hardening Network Infrastructure - A concise how to guide Available Now Order at http://tinyurl.com/53pp6
-----Original Message----- From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-
admin () honor icsalabs com] On Behalf Of Melson, Paul Sent: Wednesday, July 14, 2004 08:00 To: Chad Thomsen; firewall-wizards () honor icsalabs com Subject: RE: [fw-wiz] Syslog montioring and usage. Cisco publishes the definitions of all of the syslog messages that can be generated by a PIX firewall:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63
syslog/index.htm As far as the 'IDS' syslog messages that it generates, keep in mind
that
the PIX is only capable of "atomic" checks, meaning that it only
alerts
on the behavior of a single packet. Aside from some older DoS attacks and certain types of stealth port scans, the PIX is useless as an IDS. PaulM PS - If you want to see everything the PIX can to the syslog server, make sure 'logging console debugging' is set in the config. Of
course,
on a busy firewall, this can lead to ~300MB/day in log files, so it
may
only be useful for a short period of time or when used in conjunction with automated log analysis software.-----Original Message----- I am trying to learn the ins and outs of using Syslog. I am at my second job where I have installed and configure another Pix, but have never really got into Syslog. I am currently using KIWI syslog daemon. I would like to better find out what the messages mean, and how to track down port scans, and other security related issues that syslog may reveal. To sum it up I want to be able to have a good understanding of a log file that comes form a Pix._______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Syslog montioring and usage., (continued)
- Re: Syslog montioring and usage. Chris Todd (Jul 15)
- Re: Syslog montioring and usage. Marcus J. Ranum (Jul 15)
- Re: Syslog montioring and usage. Josh Welch (Jul 15)
- Re: Syslog montioring and usage. Greg Skouby (Jul 15)
- Traffic generating tool survey David Lang (Jul 19)
- RE: Traffic generating tool survey lordchariot (Jul 19)
- Traffic generating tool survey David Lang (Jul 19)
- Re: Syslog montioring and usage. Ng Pheng Siong (Jul 15)
- Re: Syslog montioring and usage. Adrian Grigorof (Jul 19)
- RE: Syslog montioring and usage. Melson, Paul (Jul 15)
- RE: Syslog montioring and usage. Wes Noonan (Jul 19)
- RE: Syslog montioring and usage. Chad Thomsen (Jul 19)
- RE: Syslog montioring and usage. Wes Noonan (Jul 19)
- Re: Syslog montioring and usage. Roger Marquis (Jul 19)
- Re: Syslog montioring and usage. Brian Ford (Jul 19)