Firewall Wizards mailing list archives

Re: Reading firewall logs


From: Lance Spitzner <lance () spitzner net>
Date: Thu, 27 Apr 2000 06:47:53 -0500 (CDT)

On Wed, 26 Apr 2000, Alex Lim wrote:

I am hoping to hear some enlightening comments on reading firewall logs.
I am curious if people are actually doing it or is there some kind of
tools that we can buy off the shelf. I don't think it's productive or
efficient to ask an employee to spend a few hours reading the logs just
to look out for anomalies.

Anyone care to comment? BTW I am referring to the Checkpoint FW-1 logs.

I've customized FW-1 logs to alert me whenever I need to review my logs
for specific events, such as when my network is probed or unauthorized
events happen.  These alerts tell me that something odd is happening and
that I need to review the logs in greater detail.  This saves me the time
of having to manually look through the log file for the specific events.

http://www.enteract.com/~lspitz/intrusion.html

Hope that helps :)
 

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
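The approach in the reply above (have the firewall flag the specific events you care about, and read the full log only when one fires) as an added example, written for this page rather than taken from the original post or from Lance's paper: a small Python triage script that runs two detectors over constructed sample drop records. The line format, the thresholds and the sensitive-service list are assumptions made for the example, not the real FW-1 log export format.

```python
"""Alert-on-pattern triage for firewall drop logs (added example).

Assumed, simplified line format (constructed for this example; NOT the
real Check Point FW-1 log export format):
    <date> <time> <action> src=<ip> dst=<ip> service=<port> proto=<p> rule=<n>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one host sweeps several ports on a server within a
# few seconds, plus ordinary background traffic that must NOT raise an alert.
SAMPLE_LOG = """\
2000-04-26 22:10:01 drop src=10.9.8.7 dst=192.0.2.10 service=21 proto=tcp rule=20
2000-04-26 22:10:02 drop src=10.9.8.7 dst=192.0.2.10 service=23 proto=tcp rule=20
2000-04-26 22:10:02 drop src=10.9.8.7 dst=192.0.2.10 service=25 proto=tcp rule=20
2000-04-26 22:10:03 drop src=10.9.8.7 dst=192.0.2.10 service=80 proto=tcp rule=20
2000-04-26 22:10:03 drop src=10.9.8.7 dst=192.0.2.10 service=110 proto=tcp rule=20
2000-04-26 22:10:04 drop src=10.9.8.7 dst=192.0.2.10 service=143 proto=tcp rule=20
2000-04-26 22:10:30 accept src=198.51.100.4 dst=192.0.2.10 service=80 proto=tcp rule=3
2000-04-26 22:11:00 drop src=198.51.100.9 dst=192.0.2.10 service=80 proto=tcp rule=20
2000-04-26 22:15:00 drop src=203.0.113.5 dst=192.0.2.11 service=53 proto=udp rule=20
2000-04-26 22:40:00 drop src=203.0.113.5 dst=192.0.2.11 service=53 proto=udp rule=20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"service=(?P<service>\d+) proto=(?P<proto>\w+) rule=(?P<rule>\d+)$"
)

# Services whose mere appearance in a drop record is worth a look, regardless
# of volume (assumed list for the example; tune it to your own policy).
SENSITIVE_SERVICES = {23, 111, 139}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not
    match the assumed format (a malformed line is skipped, never fatal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["service"] = int(rec["service"])
    rec["rule"] = int(rec["rule"])
    return rec


def find_probes(records, min_ports=5, window=timedelta(seconds=60)):
    """Flag a (src, dst) pair whose dropped connections touch at least
    `min_ports` distinct services within `window` seconds: a simple sweep
    detector.  Uses a sliding window over the pair's time-sorted drops."""
    by_pair = defaultdict(list)
    for r in records:
        if r["action"] == "drop":
            by_pair[(r["src"], r["dst"])].append(r)
    alerts = []
    for (src, dst), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if len({r["service"] for r in recs[start:end + 1]}) >= min_ports:
                # Report every port this pair touched, not just those inside
                # the window, so the analyst sees the whole sweep at once.
                alerts.append({"type": "probe", "src": src, "dst": dst,
                               "ports": sorted({r["service"] for r in recs})})
                break
    return alerts


def find_sensitive(records):
    """Flag every drop against a service in SENSITIVE_SERVICES."""
    return [{"type": "sensitive", "src": r["src"], "dst": r["dst"],
             "service": r["service"], "ts": r["ts"].isoformat()}
            for r in records
            if r["action"] == "drop" and r["service"] in SENSITIVE_SERVICES]


def triage(log_text):
    """Run all detectors over raw log text and return the combined alerts."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return find_probes(records) + find_sensitive(records)


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Two of the ten constructed records come from 203.0.113.5 hitting port 53 twenty-five minutes apart; the sliding window keeps that from counting as a sweep, which is the kind of false positive a fixed per-source counter would produce. Only the 10.9.8.7 sweep (and its drop on port 23) surfaces, so the full log is opened only for that one source.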
