Firewall Wizards mailing list archives
Re: traffic analysis
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Wed, 28 May 2003 21:23:37 +0200
Loxat White wrote:
> Hi all, I am looking for a log analysis tool. I need to extract the source and the destination info from a log file collected by a syslog program from a firewall; the analysis will help me in detecting what policies I should keep or put in the firewall. Thanks, Faisal
Easy. Take a quick look at your logs and you'll see the majority of the traffic being HTTP. So we write down on a piece of paper "allow HTTP", and filter the logs:

  cat logs | grep -v -e "ipproto=TCP.*destport=80\b" > logs2
  cat logs2

Now we get another set, where some other protocol is the majority. Let's assume DNS. So we write down "allow DNS", and filter the logs:

  cat logs2 | grep -v -e "ipproto=UDP.*destport=53\b" > logs3
  cat logs3

Now we get another set, where the majority is port 412. Uh oh. That's peer-to-peer. We don't want to allow that. Just filter it out for now.

  cat logs3 | grep -v -e "ipproto=TCP.*destport=412\b" > logs4
  cat logs4

Lather, rinse, repeat...

Sooner or later the remainder of the log file will be very small, and likely only contain things you don't want to allow. Your white-list ruleset is done; drop the rest.

The example greps obviously need to be adapted for your particular log format. It would have helped if you had said what firewall you're using; it's not like they all use the same log format.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50  WWW: http://www.clavister.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
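The peel-off loop from the reply above, automated as an added example (not code from the post or from Clavister). It runs over constructed syslog lines in an assumed Clavister-style key=value format, prints each majority protocol/port pair as a candidate for a human to turn into an allow or deny rule (as the post does for port 412), and prints the leftover lines for review.

```shell
#!/bin/sh
# Constructed sample syslog lines in an assumed Clavister-style key=value
# format; other firewalls log differently, so adapt the sed/grep patterns.
SAMPLE_LOG='May 28 21:00:01 fw1 srcip=10.0.0.5 destip=203.0.113.10 ipproto=TCP destport=80
May 28 21:00:02 fw1 srcip=10.0.0.6 destip=203.0.113.11 ipproto=TCP destport=80
May 28 21:00:03 fw1 srcip=10.0.0.7 destip=203.0.113.12 ipproto=TCP destport=80
May 28 21:00:04 fw1 srcip=10.0.0.8 destip=203.0.113.13 ipproto=TCP destport=80
May 28 21:00:05 fw1 srcip=10.0.0.5 destip=192.0.2.53 ipproto=UDP destport=53
May 28 21:00:06 fw1 srcip=10.0.0.6 destip=192.0.2.53 ipproto=UDP destport=53
May 28 21:00:07 fw1 srcip=10.0.0.7 destip=192.0.2.53 ipproto=UDP destport=53
May 28 21:00:08 fw1 srcip=10.0.0.9 destip=198.51.100.7 ipproto=TCP destport=412
May 28 21:00:09 fw1 srcip=10.0.0.9 destip=198.51.100.8 ipproto=TCP destport=412
May 28 21:00:10 fw1 srcip=10.0.0.4 destip=198.51.100.9 ipproto=TCP destport=8080'

# Print "COUNT PROTO PORT" for the most frequent protocol/port pair on stdin.
majority_service() {
  sed -n 's/.*ipproto=\([A-Z]*\).*destport=\([0-9]*\).*/\1 \2/p' |
    sort | uniq -c | sort -rn | head -n 1 | awk '{ print $1, $2, $3 }'
}

# Remove every line for PROTO/PORT ($1/$2). The "([^0-9]|$)" keeps port 80
# from also matching 8080, the job "\b" does in the post's GNU grep pattern.
drop_service() {
  grep -v -E "ipproto=$1[^A-Z].*destport=$2([^0-9]|$)" || :
}

# Peel off the majority service from the log in $1 until at most $2 lines
# remain. Each pass prints "candidate COUNT PROTO PORT" for a human to turn
# into an allow or deny rule; what is left prints as "remainder LINE".
derive_whitelist() {
  work=$1
  while [ "$(printf '%s' "$work" | grep -c '' || :)" -gt "$2" ]; do
    svc=$(printf '%s\n' "$work" | majority_service)
    [ -n "$svc" ] || break
    proto=$(printf '%s\n' "$svc" | cut -d' ' -f2)
    port=$(printf '%s\n' "$svc" | cut -d' ' -f3)
    echo "candidate $svc"
    work=$(printf '%s\n' "$work" | drop_service "$proto" "$port")
  done
  if [ -n "$work" ]; then printf '%s\n' "$work" | sed 's/^/remainder /'; fi
}

derive_whitelist "$SAMPLE_LOG" 1
```

The stop threshold (here 1 line) replaces the "sooner or later the remainder is very small" judgement call; on a real log you would raise it and read the remainder by hand.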