Firewall Wizards mailing list archives
Re: WebTrends Alternative
From: "daN." <dan () nesmail com>
Date: Sun, 12 Dec 1999 09:13:55 -0800
At 08:08 PM 11/24/99 -0500, Siglite wrote:

That's what I was thinking as well. Push from the firewall out to an SQL box somewhere. Where would be dictated by security / risk / policy. The only way I can think of to do this is a C executable run by cron (or 'at' in the case of NT) that would launch on user-defined intervals and push the data out. The fun part is writing the executable that will open the sockets to the SQL boxes and push the data across in the proper formats. Not being a big C guru, this would probably take me about half of forever to accomplish. My forte would be more towards the front end of things, creating the reporting in ASP or CGI on the webserver.
Why not send it across your DMZ with scp (an ssh file transfer protocol)? I run a cron job every hour that pushes firewall and my intrusion detection system logs to a central log repository and analysis station. You definitely want to push the data out at regular intervals if you are moving it through the DMZ, otherwise an attentive hacker can tell what your rule sets are by when you send and don't send data.

Run an scp transfer in a cron job every hour, then another cron job at the other end that puts the data into your SQL database (I use MySQL, but I have only a couple hundred thousand records). This way you don't need a second NIC (which is a pain if you have a dozen firewalls at different locations) and you don't need any big or complex coded solution.

Check out the script fetchem.pl from the Shadow tarball for a great example of moving logs from one machine to another (if you haven't looked at Shadow yet as a secondary IDS you should; it's a great and free set of scripts for looking at IP headers).

Dan Steele
Network Administrator
WestNet Management Corp.
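The hourly scp push Dan describes, written out as an added shell example that is not from the original post or from Shadow's fetchem.pl. The log path, spool directory, loghost name and cron line are assumptions; the script only ships each hour's batch, and the receiving side's job that loads batches into the SQL database is left as a separate step. The one detail worth noticing is that an empty batch is still sent, so the transfer schedule does not reveal when the firewall logged nothing.

```shell
#!/bin/sh
# push_logs.sh: ship the part of the firewall log not yet sent, once per run.
# Assumed cron line:  0 * * * * /usr/local/sbin/push_logs.sh run
LOG_SRC="${LOG_SRC:-/var/log/firewall.log}"   # log being shipped (assumed path)
SPOOL="${SPOOL:-/var/spool/logpush}"           # local spool for batch files
DEST="${DEST:-loghost:/var/log/incoming/}"     # scp target (assumed host)
SCP="${SCP:-scp -q}"                           # transfer command (overridable)

# build_batch: copy the bytes of LOG_SRC added since the last run into a new
# batch file and print its path. A batch is produced even when nothing is new.
build_batch() {
    mkdir -p "$SPOOL"
    state="$SPOOL/offset"                      # bytes of LOG_SRC already shipped
    [ -f "$state" ] || echo 0 > "$state"
    offset=$(cat "$state")
    if [ -f "$LOG_SRC" ]; then
        size=$(wc -c < "$LOG_SRC" | tr -d ' ')
    else
        size=0
    fi
    # Log rotated or truncated since last run: start again from the beginning.
    [ "$size" -lt "$offset" ] && offset=0
    batch="$SPOOL/$(hostname)-$(date -u +%Y%m%d%H%M%S).log"
    if [ "$size" -gt "$offset" ]; then
        # Take exactly the new bytes, even if the log keeps growing meanwhile.
        tail -c +$((offset + 1)) "$LOG_SRC" | head -c $((size - offset)) > "$batch"
    else
        : > "$batch"                           # empty batch: same schedule, no signal
    fi
    echo "$size" > "$state"
    echo "$batch"
}

# ship_batch: transfer one batch; on failure leave it in the spool for a retry.
ship_batch() {
    if $SCP "$1" "$DEST"; then
        rm -f "$1"
        return 0
    fi
    return 1
}

push_logs() {
    b=$(build_batch) || return 1
    ship_batch "$b"
}

case "${1:-}" in run) push_logs ;; esac
```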