Firewall Wizards mailing list archives

RE: Reading firewall logs -reply


From: Mark.Teicher () predictive com
Date: Fri, 28 Apr 2000 10:37:36 -0400

At one time or another, some of us on this list, that is all they did for a number of years.  Crafting PERL scripts, utilizing gawk, awk, sed, etc. as Tom mentions are some ways of reducing the time of looking through log files, but in order to craft particular scripts, an administrator should be familiar enough with the daily, weekly, monthly, and yearly events that have been observed in the various log files one has accumulated.  Pattern matching, correlating events is one of the fundamental traits of a "somewhat" good firewall administrator.  Note, I wrote firewall administrator, not firewall architect or firewall implementation engineer.  A firewall administrator is someone who maintains the system on a daily basis, checks for anomalies, etc.

Once a firewall administrator is familiar enough with the daily, weekly, monthly activities of the organization, then one can start building the correlation event table, and discard activity deemed as normal, which assists in crafting the scripts mentioned by Tom.  If one does not spend the time or relies on tools that are not fully baked or bug free.  Please refer to Bellovin and Cheswick, "Firewalls and Internet Security", the chapter on "An Evening with Berferd", or "The Cuckoo's Egg" for some insight on anomalies and the vigil to cull through log files religiously on a daily basis.


/mark

"Litney, Tom" <TLitney () caiso com>
Sent by: owner-firewall-wizards () lists nfr net
04/26/00 03:33 PM
Please respond to "Litney, Tom"

To: "'Alex Lim'" <mwlalex () magix com sg>, "'fwz'" <firewall-wizards () nfr net>
cc:
Subject: RE: [fw-wiz] Reading firewall logs


Hi Alex,

  Is this a troll?  You're asking a list of security people the value of reviewing firewall logs (or any system logs for that matter)?  Of course it is very important, and yes, there are products on the market that may help you do this (e.g. WEBTRENDS).  I happen to like good old-fashioned shell scripts with the liberal use of grep -v.  The idea being: throw away everything that you don't need to see and don't care about, leaving the stuff a human security eye needs to check.  Of course you can use PERL or your language du jour.  It shouldn't take a few hours to review firewall logs after this type of processing.  It only takes me about 15 minutes max per firewall (sometimes the follow-up on incidents can take a bit longer :-) ).

   Tom
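As an added example (not code from Tom, Mark, or anyone else on the thread), here is the grep -v approach Tom describes, combined with the "table of known-normal activity" Mark talks about: a file of extended regexes, one per line, describing traffic the administrator has already observed and accepted as routine, applied with grep -v -f so that only the residue reaches a human. The log lines and the patterns are constructed to look like a Check Point FW-1 text export; the field layout, addresses, and rule numbers are assumptions for the illustration, not real data or a real FW-1 format.

```shell
#!/bin/sh
# Added example: reduce a firewall log to the lines a human needs to review.
# Log lines and patterns below are constructed; field order is assumed to be
#   date time action src dst service proto rule

# Constructed sample of one morning's log (hypothetical addresses).
sample_log() {
cat <<'EOF'
28Apr2000 09:01:12 accept 10.1.1.5 192.0.2.10 http tcp rule:4
28Apr2000 09:01:15 drop 198.51.100.7 192.0.2.10 telnet tcp rule:99
28Apr2000 09:02:01 accept 10.1.1.8 192.0.2.20 smtp tcp rule:5
28Apr2000 09:02:30 drop 198.51.100.7 192.0.2.11 telnet tcp rule:99
28Apr2000 09:03:00 accept 10.1.1.5 192.0.2.10 http tcp rule:4
28Apr2000 09:03:44 drop 203.0.113.9 192.0.2.10 ssh tcp rule:99
28Apr2000 09:04:10 accept 10.1.1.9 192.0.2.30 dns udp rule:6
28Apr2000 09:05:00 drop 198.51.100.7 192.0.2.12 telnet tcp rule:99
EOF
}

# The "known normal" table: one extended regex per line, built from traffic
# the administrator has watched for long enough to call routine. Keep the
# patterns tight (specific networks, services and rule numbers) so that a
# new kind of accept does not get thrown away with the old ones.
known_normal_patterns() {
cat <<'EOF'
^[^ ]+ [^ ]+ accept 10\.1\.1\.[0-9]+ 192\.0\.2\.[0-9]+ (http|smtp|dns) (tcp|udp) rule:[456]$
EOF
}

# Filter stdin: discard every line matching the known-normal table.
filter_known_normal() {
  patterns=$(mktemp) || return 1
  known_normal_patterns > "$patterns"
  # grep -v exits 1 when every line was filtered out, which is a valid
  # (and welcome) outcome, so do not treat it as an error.
  grep -E -v -f "$patterns" || [ $? -eq 1 ]
  rm -f "$patterns"
}

# What is left for the human eye.
residual() { sample_log | filter_known_normal; }

# How many lines survived the filter.
residual_count() { residual | wc -l | tr -d ' '; }

# Residual lines grouped by source address, noisiest first, so follow-up
# starts with the host that generated the most unexplained traffic.
residual_by_source() {
  residual | awk '{print $4}' | sort | uniq -c | sort -rn \
    | awk '{print $2 " " $1}'
}

# Run directly: print the review view.
residual
echo "--- residual by source ---"
residual_by_source
```

With this sample the four accepts from the internal network are discarded and the four drops remain, three of them from one source; that grouping is what turns a pile of lines into the "follow up on incidents" Tom mentions. The pattern file is the part that has to be maintained: every line added to it is a decision that a class of traffic no longer needs a human, so it deserves the same review as a rule base change.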

-----Original Message-----
From: Alex Lim [mailto:mwlalex () magix com sg]
Sent: Tuesday, April 25, 2000 8:22 PM
To: fwz
Subject: [fw-wiz] Reading firewall logs


Hi,

I am hoping to hear some enlightening comments on reading firewall logs.
I am curious if people are actually doing it or if there is some kind of
tool that we can buy off the shelf. I dun think it's productive or
efficient to ask an employee to spend a few hours reading the logs just
to look out for anomalies.

Anyone care to comment? BTW I am referring to the Checkpoint FW-1 logs.

TIA
Alex Lim
