Firewall Wizards mailing list archives

Re: Reading firewall logs


From: jseymour () LinxNet com (Jim Seymour)
Date: Thu, 27 Apr 2000 08:25:53 -0400 (EDT)

Alex Lim <mwlalex () magix com sg> wrote:

Hi,

I am hoping to hear some enlightening comments on reading firewall logs.
I am curious if people are actually doing it or is there some kind of
tools that we can buy off the shelf. 

The problem with automated log analysis is that over-summarization can
cause to be lost important details.  So it must be done carefully.

The approach I've developed after lo these many years is to write Perl
scripts (mostly) to summarize those things that can safely be
summarized, sort/order those things that can safely be sorted/ordered
(e.g.: by date/time, source/destination address/port, etc.) and discard
those things that I *know for a fact* can *safely* be discarded.  The
rest gets emitted in a (mostly) raw form.

I write the regex tests for raw logfile lines to be *very* specific.
And cause to be emitted as "what's this?" any line that is not known.
I tune the script, as time goes on and new "unknowns" are discovered,
to handle these things.

I don't think it's productive or
efficient to ask an employee to spend a few hours reading the logs just
to look out for anomalies.

IMO, this is potentially as bad as--maybe can be even worse than--a
log analyzer/summarizer that "over does" the job.  In logfiles with
even hundreds of lines - not-to-mention *thousands* - reader fatigue is
*bound* to result in something important--or perhaps an important
pattern--being missed.


Anyone care to comment ? BTW I am referring to the Checkpoint FW-1 logs.

Can't help you with that.  I use Gauntlet (with which I haven't done
all that much in custom log analysis) and T.REX.


Regards,
Jim
-- 
Jim Seymour                  | PGP Public Key available at:
jseymour () LinxNet com         | http://www.cam.ac.uk.pgp.net/pgpnet/wwwkeys.html
http://home.msen.com/~jimsun | http://www.trustcenter.de/cgi-bin/SearchCert.cgi
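The triage approach Jim describes above (very specific regexes, summarize what is safely summarizable, discard only what is known to be harmless, emit everything else raw as "what's this?") as an added example; this is not code from the original post, it is written in Python rather than Perl, and the log format, interface names and "known safe" rules are constructed assumptions, not FW-1 output.

```python
import re
from collections import Counter

# Constructed sample lines in a generic syslog-like firewall format (assumption, not FW-1).
SAMPLE_LOG = """\
Apr 27 08:01:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=93.184.216.34 PROTO=TCP DPT=443
Apr 27 08:01:05 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP DPT=137
Apr 27 08:01:09 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.1.2.4 DST=93.184.216.34 PROTO=TCP DPT=80
Apr 27 08:01:11 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=23
Apr 27 08:01:14 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=UDP DPT=137
Apr 27 08:01:17 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP DPT=137
Apr 27 08:01:20 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.1.2.3 PROTO=TCP DPT=22
Apr 27 08:01:25 fw sshd[411]: Accepted publickey for jim from 10.1.2.3 port 50212
"""

# Deliberately strict: anchored at both ends, fixed field order, no optional parts.
# A line that deviates in any way does not match and falls through as "unknown".
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) fw kernel: (?P<action>ACCEPT|DROP) "
    r"IN=(?P<in>\w*) OUT=(?P<out>\w*) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>TCP|UDP) DPT=(?P<dpt>\d+)$"
)

def is_safe_to_discard(m):
    # Known for a fact to be harmless (assumed): internal clients browsing outbound.
    return (m["action"] == "ACCEPT" and m["in"] == "eth1" and m["out"] == "eth0"
            and m["src"].startswith("10.1.2.") and m["dpt"] in ("80", "443"))

def is_summarizable(m):
    # Inbound drop noise: count it per source/proto/port instead of reading every line.
    return m["action"] == "DROP" and m["in"] == "eth0"

def triage(text):
    """Return (summary Counter keyed by (src, proto, dpt), unknown raw lines, discarded count)."""
    summary, unknown, discarded = Counter(), [], 0
    for line in text.splitlines():
        m = LINE.match(line)
        if m and is_safe_to_discard(m):
            discarded += 1
        elif m and is_summarizable(m):
            summary[(m["src"], m["proto"], m["dpt"])] += 1
        else:
            unknown.append(line)  # matched nothing we understand: emit raw for a human
    return summary, unknown, discarded

if __name__ == "__main__":
    summary, unknown, discarded = triage(SAMPLE_LOG)
    print(f"discarded {discarded} known-safe lines")
    for (src, proto, dpt), n in sorted(summary.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} DROP from {src} {proto}/{dpt}")
    for line in unknown:
        print("what's this?", line)
```

On the sample, the inbound ACCEPT to port 22 and the non-firewall sshd line both surface as "what's this?" even though the first matches the regex, because neither matches a rule that says it may be discarded or summarized.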
