Firewall Wizards mailing list archives

Re: Reading firewall logs


From: ark () eltex ru
Date: Wed, 3 May 2000 14:57:29 +0400

nuqneH,

But there is another problem. If the attacker knows well how your scripts
work, he can try to avoid detection by placing "ignore" patterns in
domain names, source ports and so on. So the parser should be written
really well and should not rely on _simple_ regexps and "common" cases.

Bill_Royds () pch gc ca said:

I use Perl scripts to summarize important events. For example I have a script
that looks at all rejected packets, ICMP redirects etc. that the firewall sees and
summarizes by source/srcport -> destin/dstport (ICMP type) so that I can
quickly see if certain exploits are being attempted. We get about 500MB of
firewall logs a day (including legitimate usage) so anomaly detection is
impossible by eyeball.
Perl is probably the most useful log tool followed by Excel or some other
spreadsheet to slice and dice results.



                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

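The evasion ark warns about and the source/srcport -> dst/dstport summary Bill describes, as an added example that is not from the list thread, in Python rather than Perl; the key=value log format, hostnames and addresses are constructed. The point is to apply an "ignore" rule to the exact field the firewall itself observed (the source address), not to a substring anywhere in the line, because the reverse-DNS name is chosen by whoever controls the source IP.

```python
import re
from collections import Counter

# Constructed key=value log lines (not a real firewall format). The last two carry
# a reverse-DNS name crafted to contain the trusted monitor's hostname.
LOG_LINES = [
    "2000-05-03 14:57:01 DENY proto=tcp src=192.0.2.7 sport=4444 dst=10.0.0.5 dport=23 srchost=monitor.example.net",
    "2000-05-03 14:57:02 DENY proto=icmp src=198.51.100.9 dst=10.0.0.5 icmptype=5 srchost=host9.example.org",
    "2000-05-03 14:57:03 DENY proto=tcp src=198.51.100.9 sport=31337 dst=10.0.0.5 dport=22 srchost=monitor.example.net.attacker.test",
    "2000-05-03 14:57:04 DENY proto=tcp src=198.51.100.9 sport=31337 dst=10.0.0.5 dport=22 srchost=monitor.example.net.attacker.test",
]

TRUSTED_SRC = {"192.0.2.7"}  # the monitoring host's address, a value the firewall observed itself


def parse_fields(line):
    """Split a line into a dict of key=value tokens; other tokens (date, action) are skipped."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def summary_key(f):
    """source/srcport -> dst/dstport, or dst/icmptype for ICMP, like the quoted Perl summary."""
    if f.get("proto") == "icmp":
        return (f["src"], "-", f["dst"], "icmp/" + f.get("icmptype", "?"))
    return (f["src"], f.get("sport", "-"), f["dst"], f.get("dport", "-"))


def naive_summary(lines):
    """'Ignore' rule as a regex over the whole line: any line mentioning the name is dropped."""
    counts = Counter()
    for line in lines:
        if re.search(r"monitor\.example\.net", line):
            continue
        counts[summary_key(parse_fields(line))] += 1
    return counts


def field_aware_summary(lines):
    """'Ignore' rule as an exact match on the src field; the sender-chosen srchost is never consulted."""
    counts = Counter()
    for line in lines:
        fields = parse_fields(line)
        if fields.get("src") in TRUSTED_SRC:
            continue
        counts[summary_key(fields)] += 1
    return counts
```

The naive summary drops the two 31337 -> 22 attempts entirely; the field-aware one reports them while still suppressing the monitor's own traffic.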
