Firewall Wizards mailing list archives
RE: Reading firewall logs -reply
From: Mark.Teicher () predictive com
Date: Fri, 28 Apr 2000 10:37:36 -0400
At one time or another, for some of us on this list, that is all we did for a number of years. Crafting PERL scripts, utilizing gawk, awk, sed, etc. as Tom mentions are some ways of reducing the time of looking through log files, but in order to craft particular scripts, an administrator should be familiar enough with the daily, weekly, monthly, and yearly events that have been observed in the various log files one has accumulated. Pattern matching, correlating events is one of the fundamental traits of a "somewhat" good firewall administrator. Note, I wrote firewall administrator not firewall architect or firewall implementation engineer. A firewall administrator is someone who maintains the system on a daily basis, checks for anomalies etc. Once a firewall administrator is familiar enough with the daily, weekly, monthly activities of the organization, then one can start building the correlation event table, and discard activity deemed as normal, which assists in crafting the scripts mentioned by Tom. If one does not spend the time or relies on tools that are not fully baked or bug free. Please refer to Bellovin and Cheswick "Firewalls and Internet Security", the chapter on "An Evening with Berferd" or "The Cuckoo's Egg" for some insight on anomalies and the vigil to cull through log files religiously on a daily basis.

/mark

"Litney, Tom" <TLitney () caiso com>
Sent by: owner-firewall-wizards () lists nfr net
04/26/00 03:33 PM
Please respond to "Litney, Tom"

To: "'Alex Lim'" <mwlalex () magix com sg>, "'fwz'" <firewall-wizards () nfr net>
cc:
Subject: RE: [fw-wiz] Reading firewall logs

Hi Alex,

Is this a troll? You're asking a list of security people the value of reviewing firewall logs (or any system logs for that matter)? Of course it is very important and yes there are products on the market that may help you do this (e.g. WEBTRENDS). I happen to like good old-fashioned shell scripts with the liberal use of grep -v.

The idea being throw away everything that you don't need to see and don't care about, leaving the stuff a human security eye needs to check. Of course you can use PERL or your language du jour. It shouldn't take a few hours to review firewall logs after this type of processing. It only takes me about 15 minutes max per firewall (sometimes the follow-up on incidents can take a bit longer :-) ).

Tom

-----Original Message-----
From: Alex Lim [mailto:mwlalex () magix com sg]
Sent: Tuesday, April 25, 2000 8:22 PM
To: fwz
Subject: [fw-wiz] Reading firewall logs

Hi,

I am hoping to hear some enlightening comments on reading firewall logs. I am curious if people are actually doing it or is there some kind of tools that we can buy off the shelf. I dun think it's productive or efficient to ask an employee to spend a few hours reading the logs just to look out for anomalies. Anyone care to comment? BTW I am referring to the Checkpoint FW-1 logs.

TIA
Alex Lim
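The "grep -v" whittling Tom describes, driven by the kind of known-normal table Mark says an administrator builds up over time, as an added shell example that is not from either poster. The log lines are constructed in the style of a semicolon-separated FW-1 log export, and the "normal" patterns are made-up assumptions for one imaginary site, not a real baseline.

```shell
#!/bin/sh
# Known-normal patterns (the "correlation event table"), one extended regex per line.
# Assumed for this example only: a site whose normal traffic is inbound web to its
# web server, outbound mail, and broadcast DHCP noise from its own 10.1.1.0/24 LAN.
NORMAL_PATTERNS='
;accept;inbound;tcp;.*;http$
;accept;outbound;tcp;.*;smtp$
;drop;inbound;udp;10\.1\.1\.[0-9]+;255\.255\.255\.255;bootp$
'

# Constructed sample export: num;date;time;orig;type;action;i/f_dir;proto;src;dst;service
SAMPLE_LOG='1;28Apr2000;10:01:02;fw1;log;accept;inbound;tcp;192.0.2.10;198.51.100.5;http
2;28Apr2000;10:01:05;fw1;log;accept;outbound;tcp;198.51.100.7;192.0.2.20;smtp
3;28Apr2000;10:01:07;fw1;log;drop;inbound;udp;10.1.1.23;255.255.255.255;bootp
4;28Apr2000;10:02:11;fw1;log;drop;inbound;tcp;203.0.113.9;198.51.100.5;telnet
5;28Apr2000;10:02:12;fw1;log;drop;inbound;tcp;203.0.113.9;198.51.100.5;ftp
6;28Apr2000;10:02:13;fw1;log;drop;inbound;tcp;203.0.113.9;198.51.100.5;finger
7;28Apr2000;10:03:00;fw1;log;accept;inbound;tcp;192.0.2.11;198.51.100.5;http'

# filter_normal: read log lines on stdin, drop every line matching a known-normal
# pattern in one grep -v pass; whatever survives is what a human must look at.
filter_normal() {
    pf=$(mktemp) || return 1
    printf '%s\n' "$NORMAL_PATTERNS" | sed '/^[[:space:]]*$/d' > "$pf"
    if grep -v -E -f "$pf"; then rc=0; else rc=$?; fi
    rm -f "$pf"
    # grep exits 1 when nothing survives; a quiet day is a success, not an error.
    [ "$rc" -le 1 ]
}

# count_residue: how many lines are left for the daily review after filtering.
count_residue() {
    printf '%s\n' "$SAMPLE_LOG" | filter_normal | wc -l | tr -d ' '
}

# top_sources: group the residue by source address (field 9), busiest first,
# so one host touching several services stands out as a single event to follow up.
top_sources() {
    printf '%s\n' "$SAMPLE_LOG" | filter_normal | cut -d';' -f9 | sort | uniq -c | sort -rn
}

# Usage: run the review on the constructed sample.
printf 'Lines left for a human: %s\n' "$(count_residue)"
top_sources
```

On the sample, three of seven lines survive and all come from one source, which is the sort of pattern the scripts exist to surface; as the baseline grows, lines are added to NORMAL_PATTERNS rather than to the script.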