Security Incidents mailing list archives
Re: FW-1 log analysis tool
From: slushie () GTE NET (Kenneth Ish)
Date: Sun, 11 Jun 2000 11:52:08 -0500
What version are you using? 3.0b, 4.0, or CP2000? CP2000 has this ability built in (it is in the latest release). It's called the CPMAD, which is the Check Point Malicious Activity Detector. It can monitor the logs for a particular behavior and number of connection attempts (i.e., if you see 4 attempts to connect to port 135, drop all packets from that IP for the next hour, permanently, whatever). You should bother your Sales Rep for information on it.

Also, there is the CADS software (Cyber Attack Defense System). It can do all kinds of system monitoring and control. It will not only control your firewalls, it will even automatically block an attacker at an upstream router for DDOS attacks, depending on how you configure it. Here is the Check Point link for that one: http://www.checkpoint.com/cyberdefense/index.html

There may be more information available but I do not know where it would be. Good luck!

Kenneth Ish

----- Original Message -----
From: "Chew Poh Chang (CAPL)" <pcchew () CSAH COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, June 08, 2000 8:27 PM
Subject: FW-1 log analysis tool

Greetings, I am looking for a FW-1 log analysis tool. In particular, I am looking for a tool which highlights the security incidents from a Firewall-1 log. I don't care about bandwidth utilisation, web site hits, top X sources/destinations (except where this might indicate a scan/hack attempt). I am specifically looking for something that lets me focus on the security incidents in the log (as (initially) shown by scans). I have other logs that show me attempts against Bind, Syslog, SMTP etc, but the tools for Firewall-1 seem to be focussed towards Mgmt & accounting, not security. I am hoping that someone has a perl script that they already use for this...

Please note: I am currently receiving over 1,500,000 lines of (already abridged) logs each day, with an additional 5-10 million lines to come each day as soon as I get the log filter working correctly. This number will just grow over time, and I would not be surprised to be receiving 50-80 million lines per day within 12 months!

Regards, Chew Poh Chang
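The two detections this thread talks about, a per-port threshold rule of the kind Kenneth describes for CPMAD (N dropped attempts from one source to one port within a window) and the scan highlighting Chew is asking for (one source probing many distinct ports), as an added Python example. It is not code from this thread, from SecurityFocus or from any Check Point product; the whitespace-separated log layout, its field order and the sample lines are constructed for the example and are not the real FW-1 export format, and the thresholds are assumptions.

```python
"""Threshold and port-sweep detection over firewall log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed layout:
#   date time action src dst service proto
# The real FW-1 export format differs; only the parser below would need changing.
SAMPLE_LOG = """\
11Jun2000 10:00:01 drop 10.0.0.5 192.0.2.10 135 tcp
11Jun2000 10:00:02 drop 10.0.0.5 192.0.2.11 135 tcp
11Jun2000 10:00:03 drop 10.0.0.5 192.0.2.12 135 tcp
11Jun2000 10:00:04 drop 10.0.0.5 192.0.2.13 135 tcp
11Jun2000 10:05:00 accept 10.0.0.7 192.0.2.20 80 tcp
11Jun2000 10:06:00 drop 10.0.0.9 192.0.2.30 21 tcp
11Jun2000 10:06:01 drop 10.0.0.9 192.0.2.30 22 tcp
11Jun2000 10:06:02 drop 10.0.0.9 192.0.2.30 23 tcp
11Jun2000 10:06:03 drop 10.0.0.9 192.0.2.30 25 tcp
11Jun2000 10:06:04 drop 10.0.0.9 192.0.2.30 80 tcp
11Jun2000 10:06:05 drop 10.0.0.9 192.0.2.30 110 tcp
11Jun2000 12:30:00 drop 10.0.0.5 192.0.2.14 135 tcp
"""


def parse_line(line):
    """Parse one line of the assumed layout; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, clock, action, src, dst, service, proto = parts
    try:
        ts = datetime.strptime(f"{date} {clock}", "%d%b%Y %H:%M:%S")
        port = int(service)
    except ValueError:
        return None
    return {"time": ts, "action": action, "src": src, "dst": dst,
            "service": port, "proto": proto}


def port_threshold_alerts(lines, port, threshold=4, window=timedelta(hours=1)):
    """Flag a source once it has `threshold` dropped attempts to `port` inside `window`.

    This is the rule shape described in the thread (e.g. 4 attempts to port 135
    within an hour). Per-source state is a deque of recent timestamps, so memory
    stays bounded even on tens of millions of lines per day.
    Returns a list of (src, time the threshold was reached, attempts in window).
    """
    recent = defaultdict(deque)
    alerts = []
    for rec in (parse_line(l) for l in lines):
        if rec is None or rec["action"] != "drop" or rec["service"] != port:
            continue
        q = recent[rec["src"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((rec["src"], rec["time"], len(q)))
            q.clear()   # one alert per burst; a later burst starts a fresh window
    return alerts


def port_sweep_alerts(lines, min_ports=5):
    """Highlight sources whose dropped packets touched at least `min_ports` distinct ports.

    This is the simple 'scan' view Chew asks for: ignore accepted traffic and
    volume, report only who is walking across many services.
    Returns {src: sorted list of distinct ports}.
    """
    ports = defaultdict(set)
    for rec in (parse_line(l) for l in lines):
        if rec is not None and rec["action"] == "drop":
            ports[rec["src"]].add(rec["service"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, when, n in port_threshold_alerts(lines, port=135):
        print(f"threshold: {src} made {n} attempts to 135/tcp by {when:%H:%M:%S}")
    for src, hit in port_sweep_alerts(lines).items():
        print(f"sweep: {src} probed ports {hit}")
```

Both functions read the log in a single pass, so a real run would feed them a file iterator rather than `splitlines()`; on the constructed sample the threshold rule fires once for 10.0.0.5 (the fifth attempt at 12:30 is outside the hour window and starts a new count) and the sweep rule reports only 10.0.0.9.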