Security Incidents mailing list archives
Re: INCIDENTS Digest - 8 Jun 2000 to 9 Jun 2000 (#2000-109)
From: mhoz () CITI COM MX (Martin H Hoz-Salvador)
Date: Sat, 10 Jun 2000 19:56:16 -0500
Chew Poh Chang (CAPL) wrote:
I am specifically looking for something that lets me focus on the Security incidents in the log (as (initially) shown by Scans). I have other logs that show me attempts against Bind, Syslog, SMTP etc, but the tools for Firewall-1 seem to be focussed towards Mgmt & accounting, not security.
What version of firewall-1 are you using? Check Point 2000 (CP FW-1 ver 4.1 SP1) has the so-called "Malicious Activity Detection" or MAD, which has capabilities to detect the most widely known network-based attacks such as SYN Flood, Network Probes, Land Attack and others. This is not a replacement for an IDS, but it does some of that job. :-)

Another thing: the way you configured your FW rules and properties may affect the way you get alerts. Example: Do you have user/session/client authentication? If so, do you have the proper settings to get info for an invalid user logon? Do you use SYN-Defender? :-)

Now, the Reporting Module offered by Check Point can automate some of the job. The bad thing: it costs. :-(
I am hoping that someone has a perl script that they already use for this...
Now, you may want to take a look at Lance's Perl script described at: http://www.enteract.com/~lspitz/intrusion.html It's nice and it's Perl. :-) There are also other versions of that tool, whose URLs are listed there.

Just as a comment: if you have Firewall-1, you may want to take a look at the IDS from ISS (RealSecure), which has good integration with FW-1 and is one of the most used IDSs.

Hope this helps. Regards.

--
Martin Humberto Hoz Salvador
Information Security Consultant (ISS ICU, Check Point CCSE)
Corporacion en Investigacion Tecnologica e Informatica, S.A. de C.V.
Sendero Sur 285 Col. Contry, Monterrey, Nuevo Leon 64860, MEXICO
Phone: +(52)(8) 357-2267 x135 Fax: +(52)(8) 357-8047
E-mail: mhoz () citi com mx WWW: http://www.citi.com.mx
PGPKey ID: 0x0454E8D9 ICQ Number: 31631540
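The thread asks for a script that picks the security incidents (scans, denied connections) out of a Firewall-1 log rather than the management and accounting view. The following is an added example written for this archive page, not Lance's script nor anything shipped by Check Point or ISS. It assumes a semicolon-delimited log export with a header row naming the columns, as a `fw logexport` style dump would give; the column names, the service names and the sample records are constructed for illustration, and the scan heuristic (one source denied on several distinct services) is a simple threshold, not a MAD rule.

```python
"""Pick security-relevant events out of a Check Point FireWall-1 log export.

Added example, not code from the mailing-list thread. Assumes a
semicolon-delimited export with a header row naming the columns; the
column names and the sample records below are constructed.
"""
from collections import defaultdict
import csv
import io

# Constructed sample export: header row, then one record per line.
# 203.0.113.7 is denied on five different services in a few seconds,
# which is what a port scan looks like from the firewall's side.
SAMPLE_EXPORT = """\
num;date;time;orig;type;action;i/f_name;proto;src;dst;service;s_port;rule
1;10Jun2000;19:01:02;fw1;log;accept;hme0;tcp;10.0.0.5;192.0.2.10;http;33001;3
2;10Jun2000;19:01:05;fw1;log;drop;hme0;tcp;203.0.113.7;192.0.2.10;telnet;4001;20
3;10Jun2000;19:01:05;fw1;log;drop;hme0;tcp;203.0.113.7;192.0.2.10;ftp;4002;20
4;10Jun2000;19:01:06;fw1;log;drop;hme0;tcp;203.0.113.7;192.0.2.10;smtp;4003;20
5;10Jun2000;19:01:06;fw1;log;drop;hme0;tcp;203.0.113.7;192.0.2.10;domain-tcp;4004;20
6;10Jun2000;19:01:07;fw1;log;drop;hme0;tcp;203.0.113.7;192.0.2.10;pop-3;4005;20
7;10Jun2000;19:02:30;fw1;log;reject;hme0;tcp;198.51.100.9;192.0.2.11;ssh;5555;20
8;10Jun2000;19:03:00;fw1;log;accept;hme0;udp;10.0.0.6;192.0.2.12;domain-udp;40001;4
"""

# Actions that mean the rule base refused the connection.
SECURITY_ACTIONS = {"drop", "reject"}


def parse_export(text):
    """Yield one dict per record, keyed by the header names."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    for row in reader:
        yield row


def security_events(text):
    """Keep only records whose action the firewall denied."""
    return [r for r in parse_export(text) if r["action"] in SECURITY_ACTIONS]


def summarize_by_source(events, scan_threshold=5):
    """Group denied events by source address.

    A source denied on at least scan_threshold distinct destination
    services is flagged as a probable scan (a constructed heuristic).
    """
    per_src = defaultdict(lambda: {"hits": 0, "services": set(), "targets": set()})
    for e in events:
        s = per_src[e["src"]]
        s["hits"] += 1
        s["services"].add(e["service"])
        s["targets"].add(e["dst"])
    summary = {}
    for src, s in per_src.items():
        summary[src] = {
            "hits": s["hits"],
            "distinct_services": len(s["services"]),
            "targets": sorted(s["targets"]),
            "probable_scan": len(s["services"]) >= scan_threshold,
        }
    return summary


def report(text, scan_threshold=5):
    """One line per offending source, scans tagged SCAN, the rest deny."""
    lines = []
    summary = summarize_by_source(security_events(text), scan_threshold)
    for src, s in sorted(summary.items()):
        tag = "SCAN" if s["probable_scan"] else "deny"
        lines.append(
            f"{tag:4} {src:15} hits={s['hits']} "
            f"services={s['distinct_services']} targets={','.join(s['targets'])}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT)))
```

Run it against a real export by reading the file into `report()`; accepted traffic never reaches the summary, so the output is only the incident view the original question asks for. The threshold and the set of denied actions are the two knobs to tune for a given rule base.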