Firewall Wizards mailing list archives
RE: Log checking?
From: "Ben Nagy" <ben () iagu net>
Date: Wed, 29 Sep 2004 11:58:13 +0200
I think there is some mileage to be had in logging the volume of denied outbound traffic over time. Spikes in things like IRC, HTTP to funny ports, TFTP etc. can be great indicators of infection with various kinds of malware. And of course all that stuff would already be blocked outbound, right? ;) I was just talking to a customer about ten minutes ago who identified a new agobot variant that way.

I would agree that logging denied inbound is good for nothing but wasting disk space and the occasional chuckle, unless you are interested in helping people like ISC graph global attack trends. I think that there are even some commercial systems that do this for a living, but I don't know very much about them.

Cheers,

ben
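As an added example (not from Ben's post or the list), here is one way to do the denied-outbound volume check the post describes: bucket DENY OUT lines per service per hour and flag an hour whose count sits far above the other hours, reporting the source host that dominates it. The log line shape, the port-to-service map, the thresholds and the sample data are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev
# Assumed port-to-service map covering the services the post calls out.
SERVICES = {("tcp", 6667): "irc", ("tcp", 6668): "irc", ("tcp", 6669): "irc", ("udp", 69): "tftp"}

# Constructed, generic log shape (no vendor's real format): "<ISO time> DENY OUT <src> -> <dst>:<port> <proto>"
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} DENY OUT (\S+) -> ([^:\s]+):(\d+) (tcp|udp)$")

def classify(proto, port):
    """Coarse label; unknown TCP ports pool into other-tcp, which is where 'HTTP to funny ports' lands if only the 5-tuple is logged."""
    return SERVICES.get((proto, port), f"other-{proto}")

def hourly_counts(lines):
    """Return ({service: Counter(hour -> denies)}, {(service, hour): Counter(src -> denies)})."""
    counts, by_src = defaultdict(Counter), defaultdict(Counter)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # only DENY OUT lines matter; allowed traffic and inbound denies are skipped
        hour, src, _dst, port, proto = m.groups()
        svc = classify(proto, int(port))
        counts[svc][hour] += 1
        by_src[(svc, hour)][src] += 1
    return counts, by_src

def find_spikes(counts, by_src, k=3.0, min_count=10):
    """Flag (service, hour, count, top_src) where an hour's denies exceed max(min_count, mean + k*stdev of the other hours)."""
    all_hours = sorted({h for b in counts.values() for h in b})  # hours with no denies count as 0 for a service
    spikes = []
    for svc, buckets in counts.items():
        for h in all_hours:
            others = [buckets[o] for o in all_hours if o != h] or [0]
            threshold = max(min_count, mean(others) + k * pstdev(others))  # min_count guards a zero-variance baseline
            if buckets[h] > threshold:
                spikes.append((svc, h, buckets[h], by_src[(svc, h)].most_common(1)[0][0]))
    return spikes

def constructed_log():
    """Constructed sample: a low background of denies every hour, then one host bursting at an IRC port in the last hour."""
    lines = []
    for hour in range(8, 14):
        lines.append(f"2004-09-28T{hour:02d}:05:00 DENY OUT 10.1.2.20 -> 198.51.100.7:69 udp")
        lines.append(f"2004-09-28T{hour:02d}:17:31 DENY OUT 10.1.2.31 -> 203.0.113.9:6667 tcp")
        lines.append(f"2004-09-28T{hour:02d}:42:10 ALLOW OUT 10.1.2.31 -> 203.0.113.9:80 tcp")
    lines += [f"2004-09-28T13:{m:02d}:00 DENY OUT 10.1.2.77 -> 203.0.113.44:6667 tcp" for m in range(0, 60, 2)]
    return lines

if __name__ == "__main__":
    print(find_spikes(*hourly_counts(constructed_log())))
```

On the constructed sample the steady one-deny-per-hour background stays quiet and only the 13:00 hour of IRC denies is reported, together with the single host responsible for it.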