Firewall Wizards mailing list archives
Re: Log checking?
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Thu, 30 Sep 2004 23:23:10 +0530
On 28/09/04 16:05 -0400, Paul D. Robertson wrote:
> Back when I had real production firewalls, I'd log all the permitted traffic for a while, then do some analysis of the data to get a feel for things like tunnels, misbehaving users, etc. I've always felt that worrying about denied traffic was mostly for sport - if the firewall's policy blocked it, I wasn't all that worried about much more than overall trends - what got *through* the firewall seemed to be the more interesting set of things.
>
> I'm just wondering if the subset of folks who actually look at their firewalls mostly looks at denied traffic only, or if it's a common practice to look at the permitted stuff too? If so, what sorts of things are you using, and are you finding anything interesting?
Back when I was actually permitted to look at outbound traffic for non-diagnostic purposes, I found it useful to look more at the non-denied traffic than that which was denied. I wasn't really bothered with outbound traffic at that time (given that I could see all the desktops directly), but I was logging some inbound traffic. For HTTP and FTP, I was analysing squid logs with custom Perl scripts. For SMTP, the mail gateway logs. Lots of deny rules were generated from this analysis (port 25 blocks on the edge routers allowing only the official MTAs to go through generated quite a bit of logging too).

At that time, tunneling was not as popular and/or easy to the general user population, so that was not a big worry. Overall traffic analysis was via ntop. Since I was not logging NetBIOS traffic (it just filled up the logs), ntop was useful in logging that information as well. A spike in NetBIOS traffic indicated interesting events, for Chinese values of interesting. A bit of SNMP helped as well in judging overall traffic volumes by looking at the relevant switch ports (MRTG graphs).

At that point of time, I voiced the view that denied traffic was mostly uninteresting and was roundly lambasted for it. If I had to do it today, I would be worrying more about tunneling as well, but proxies with connect support compiled out are quite useful in stopping *that*.

Devdas Bhagat

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
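The kind of permitted-traffic analysis Devdas describes, as an added example that is not his code (his scripts were Perl; this one is Python): it parses Squid native access.log lines, skips TCP_DENIED entries, summarises permitted requests per client, and flags CONNECT requests to ports other than 443 and unusually long-lived requests as possible tunnels. The sample log lines are constructed, and the allowed-port list and the 10-minute threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout (not real traffic):
# time elapsed_ms client result/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1096400000.123    450 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
1096400001.001    120 10.0.0.5 TCP_HIT/200 830 GET http://www.example.com/logo.gif - NONE/- image/gif
1096400100.456 900000 10.0.0.7 TCP_MISS/200 1048576 CONNECT tunnel.example.net:22 - DIRECT/192.0.2.20 -
1096400150.000   3000 10.0.0.7 TCP_MISS/200 20480 CONNECT secure.example.com:443 - DIRECT/192.0.2.30 -
1096400200.789      0 10.0.0.9 TCP_DENIED/403 1200 GET http://blocked.example.org/ - NONE/- text/html
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)")

def parse_line(line):
    """Return the fields we care about from one native-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, elapsed, client, result, status, size, method, url = m.groups()
    return {"ts": float(ts), "elapsed_ms": int(elapsed), "client": client,
            "result": result, "status": int(status), "bytes": int(size),
            "method": method, "url": url}

def analyse(log_text, allowed_connect_ports=(443,), long_ms=600_000):
    """Summarise *permitted* requests per client and flag likely tunnels:
    CONNECT to a port outside allowed_connect_ports, or any request that
    stays open at least long_ms (assumed threshold: 10 minutes)."""
    per_client = defaultdict(lambda: {"requests": 0, "bytes": 0})
    flags = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"].startswith("TCP_DENIED"):
            continue  # denied traffic is left to trend reporting, as in the thread
        stats = per_client[rec["client"]]
        stats["requests"] += 1
        stats["bytes"] += rec["bytes"]
        if rec["method"] == "CONNECT":
            port = int(rec["url"].rsplit(":", 1)[-1]) if ":" in rec["url"] else 443
            if port not in allowed_connect_ports:
                flags.append((rec["client"], "CONNECT to non-standard port", rec["url"]))
        if rec["elapsed_ms"] >= long_ms:
            flags.append((rec["client"], "long-lived request", rec["url"]))
    return dict(per_client), flags

if __name__ == "__main__":
    summary, flags = analyse(SAMPLE_LOG)
    for client, s in sorted(summary.items()):
        print(f"{client}: {s['requests']} permitted requests, {s['bytes']} bytes")
    for f in flags:
        print("FLAG", *f)
```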