Firewall Wizards mailing list archives

Re: traffic analysis


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Wed, 28 May 2003 21:23:37 +0200



Loxat White wrote:

> Hi all,
> I am looking for a log analysis tool. I need to
> extract the source and the destination info from the log
> file collected by a syslog program from a firewall;
> the analysis will help me in deciding what policies I
> should put in the firewall.
> thanks
> Faisal

Easy. Take a quick look at your logs and you'll see the
majority of the traffic being HTTP. So we write down
on a piece of paper "allow HTTP", and filter the logs:

# keep everything that is NOT HTTP; the HTTP lines are now accounted for
grep -v -e "ipproto=TCP.*destport=80\b" logs > logs2
cat logs2

Now we get another set, where some other protocol is
the majority. Let's assume DNS. So we write down 
"allow DNS", and filter the logs:

# strip the DNS lines as well
grep -v -e "ipproto=UDP.*destport=53\b" logs2 > logs3
cat logs3

Now we get another set, where the majority is port 412.
Uh oh. That's peer-to-peer. We don't want to allow that.
Just filter it out for now.

# set the port 412 lines aside (not whitelisted, just removed from the pile)
grep -v -e "ipproto=TCP.*destport=412\b" logs3 > logs4
cat logs4

Lather, rinse, repeat...

Sooner or later the remainder of the log file will be
very small, and likely only contain things you don't
want to allow. Your white-list ruleset is done; drop 
the rest.

The example greps obviously need to be adapted for
your particular log format.  It would have helped
if you had said what firewall you're using; it's
not like they all use the same log format.


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
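The "peel off the majority service, decide, filter, repeat" loop described in the reply, scripted as an added example (not code from the original post or from Clavister). It runs over a constructed sample log in the same key=value style the greps above assume (ipproto=, destport=); the file name, the field layout and the sample lines are assumptions for the demo, and the allow/deny judgement for each service (port 412 in the mail) stays with the human reading the ranked output.

```shell
#!/bin/sh
# Added example: iterative whitelist derivation from firewall syslog lines.

LOGFILE="${TMPDIR:-/tmp}/fw_sample.log"

# Constructed sample lines (not real logs): 6 HTTP, 4 DNS, 3 TCP/412, 1 SSH, 1 SNMP.
cat > "$LOGFILE" <<'EOF'
May 28 20:00:01 fw1 conn_open ipproto=TCP src=10.0.0.5 dest=203.0.113.10 destport=80
May 28 20:00:02 fw1 conn_open ipproto=TCP src=10.0.0.6 dest=203.0.113.10 destport=80
May 28 20:00:03 fw1 conn_open ipproto=TCP src=10.0.0.7 dest=198.51.100.7 destport=80
May 28 20:00:04 fw1 conn_open ipproto=TCP src=10.0.0.5 dest=198.51.100.7 destport=80
May 28 20:00:05 fw1 conn_open ipproto=TCP src=10.0.0.8 dest=203.0.113.10 destport=80
May 28 20:00:06 fw1 conn_open ipproto=TCP src=10.0.0.9 dest=203.0.113.10 destport=80
May 28 20:00:07 fw1 conn_open ipproto=UDP src=10.0.0.5 dest=192.0.2.53 destport=53
May 28 20:00:08 fw1 conn_open ipproto=UDP src=10.0.0.6 dest=192.0.2.53 destport=53
May 28 20:00:09 fw1 conn_open ipproto=UDP src=10.0.0.7 dest=192.0.2.53 destport=53
May 28 20:00:10 fw1 conn_open ipproto=UDP src=10.0.0.8 dest=192.0.2.53 destport=53
May 28 20:00:11 fw1 conn_open ipproto=TCP src=10.0.0.9 dest=198.51.100.44 destport=412
May 28 20:00:12 fw1 conn_open ipproto=TCP src=10.0.0.9 dest=198.51.100.45 destport=412
May 28 20:00:13 fw1 conn_open ipproto=TCP src=10.0.0.9 dest=198.51.100.46 destport=412
May 28 20:00:14 fw1 conn_open ipproto=TCP src=10.0.0.5 dest=203.0.113.22 destport=22
May 28 20:00:15 fw1 conn_open ipproto=UDP src=10.0.0.5 dest=192.0.2.161 destport=161
EOF

# Print "proto port count" for the most frequent protocol/port pair in file $1.
top_service() {
    awk '{
        p = ""; d = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^ipproto=/)  p = substr($i, 9)   # value after "ipproto="
            if ($i ~ /^destport=/) d = substr($i, 10)  # value after "destport="
        }
        if (p != "" && d != "") print p, d
    }' "$1" | sort | uniq -c | sort -rn | head -n 1 | awk '{ print $2, $3, $1 }'
}

# Copy file $3 to $4 without the lines for protocol $1 / port $2 (the grep -v step).
drop_service() {
    grep -v -E "ipproto=$1 .*destport=$2( |$)" "$3" > "$4" || true
}

# Rank services by volume until fewer than $2 lines remain. Each printed line is a
# candidate for a human "allow" or "deny" decision; the script only does the counting.
# Whatever is left afterwards is written to <logfile>.remainder for the final review.
build_whitelist() {
    in="$1"; threshold="$2"
    work="${TMPDIR:-/tmp}/fw_work.$$"
    cp "$in" "$work"
    while [ "$(wc -l < "$work" | tr -d ' ')" -ge "$threshold" ]; do
        set -- $(top_service "$work")
        [ -n "$1" ] || break
        echo "$1 $2 $3"
        drop_service "$1" "$2" "$work" "$work.next"
        mv "$work.next" "$work"
    done
    mv "$work" "$in.remainder"
}

build_whitelist "$LOGFILE" 3
echo "--- remainder (review it, then drop the rest) ---"
cat "$LOGFILE.remainder"
```

With the sample above the loop reports TCP/80, then UDP/53, then TCP/412, and stops with the two odd lines (SSH and SNMP) in the remainder file; the threshold is the point at which you stop writing rules and start reading the leftovers by hand.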