Firewall Wizards mailing list archives
Re: Reading firewall logs
From: ark () eltex ru
Date: Wed, 3 May 2000 14:57:29 +0400
nuqneH,

But there is another problem.. If the attacker knows well how your scripts work he can try to avoid detection by placing "ignore" patterns in domain names, source ports and so on. So the parser should be written really well and should not rely on _simple_ regexps and "common" cases.

Bill_Royds () pch gc ca said :
I use Perl scripts to summarize important events. For example I have a script that looks at all rejected packets, ICMP redirects etc. that the firewall sees and summarizes by source/srcport -> destin/dstport (ICMP type), so that I can quickly see if certain exploits are being attempted. We get about 500MB of firewall logs a day (including legitimate usage) so anomaly detection is impossible by eyeball. Perl is probably the most useful log tool, followed by Excel or some other spreadsheet to slice and dice results.
CU in Hell
/Arkan#iD
Do i believe in Bible? Hell, man, i've seen one!
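As an added illustration of the two posts above (example code written for this archive page, not from either poster; Python rather than the Perl script Bill describes, and the log format, hostnames and trusted-host list are constructed): a summarizer that counts rejected packets by src/srcport -> dst/dstport (proto), run twice, once with the substring-based "ignore" check ark warns about and once comparing the parsed source field exactly against the trusted set.

```python
import re
from collections import Counter

# Constructed sample lines in a made-up key=value DENY format. The last
# line comes from a host whose reverse-DNS name embeds the name of the
# trusted monitoring host, which is exactly the trick ark describes.
LOG_LINES = """\
May  3 14:57:01 fw DENY src=monitor.example.net:4000 dst=192.0.2.10:22 proto=TCP
May  3 14:57:02 fw DENY src=198.51.100.7:31337 dst=192.0.2.10:22 proto=TCP
May  3 14:57:03 fw DENY src=198.51.100.7:31337 dst=192.0.2.11:22 proto=TCP
May  3 14:57:04 fw DENY src=203.0.113.9:53 dst=192.0.2.10:111 proto=UDP
May  3 14:57:05 fw DENY src=monitor.example.net.evil.example:6666 dst=192.0.2.10:22 proto=TCP
""".splitlines()

# Hosts whose rejected packets are expected noise (constructed, hypothetical).
TRUSTED_SOURCES = {"monitor.example.net"}

FIELD_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<fw>\S+) (?P<action>\w+) (?P<kv>.*)$")

def parse(line):
    """Split one log line into named fields; return None if it does not fit the format."""
    m = FIELD_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "fw": m["fw"], "action": m["action"]}
    for kv in m["kv"].split():
        key, _, value = kv.partition("=")
        rec[key] = value
    for side in ("src", "dst"):            # split host:port into separate fields
        host, _, port = rec[side].rpartition(":")
        rec[side + "_host"], rec[side + "_port"] = host, port
    return rec

def summarize(lines, naive=False):
    """Count DENY events by src/srcport -> dst/dstport (proto).
    naive=True skips any line that merely *contains* a trusted name (the
    substring regexp approach); otherwise the parsed src host must match exactly."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["action"] != "DENY":
            continue
        if naive:
            skip = any(trusted in line for trusted in TRUSTED_SOURCES)
        else:
            skip = rec["src_host"] in TRUSTED_SOURCES
        if not skip:
            counts[f"{rec['src_host']}/{rec['src_port']} -> "
                   f"{rec['dst_host']}/{rec['dst_port']} ({rec['proto']})"] += 1
    return counts
```

With the constructed input, the naive pass silently drops the spoofed-name line, while the field-based pass reports it as a fifth distinct source.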
Current thread:
- Re: Reading firewall logs Talisker (May 05)
- <Possible follow-ups>
- Re: Reading firewall logs Alex Lim (May 05)
- Re: Reading firewall logs ark (May 05)
- RE: Reading firewall logs SIU Credit Union IS Dept (May 05)
- Re: Reading firewall logs Bill_Royds (May 12)