Security Incidents mailing list archives

Re: FW-1 log analysis tool


From: slushie () GTE NET (Kenneth Ish)
Date: Sun, 11 Jun 2000 11:52:08 -0500


What version are you using?  3.0b, 4.0, or CP2000?  CP2000 has this ability
built in (it is in the latest release). It's called the CPMAD, which is the
Check Point Malicious Activity Detector.  It can monitor the logs for a
particular behavior and number of connection attempts (i.e., if you see 4
attempts to connect to port 135, drop all packets from that IP for the next
hour, permanently, whatever).

You should bother your Sales Rep for information on it.

Also, there is the CADS software (Cyber Attack Defense System).  It can do
all kinds of system monitoring and control.  It will not only control
your firewalls, it will even automatically block an attacker at an upstream
router for DDOS attacks depending on how you configure it.
Here is the Check Point Link for that one:
http://www.checkpoint.com/cyberdefense/index.html

There may be more information available but I do not know where it would be.

Good luck!

Kenneth Ish

----- Original Message -----
From: "Chew Poh Chang (CAPL)" <pcchew () CSAH COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, June 08, 2000 8:27 PM
Subject: FW-1 log analysis tool

Greetings,
I am looking for a FW-1 log analysis tool.

In particular, I am looking for a tool which highlights the security
incidents from a firewall-1 log, I don't care about bandwidth utilisation,
web site hits, top X sources/destinations (except where this might indicate
a scan/hack attempt.)

I am specifically looking for something that lets me focus on the Security
incidents in the log (as (initially) shown by Scans). I have other logs
that show me attempts against Bind, Syslog, SMTP etc, but the tools for
Firewall-1 seem to be focussed towards Mgmt & accounting, not security.

I am hoping that someone has a perl script that they already use for
this...

Please note: I am currently receiving over 1,500,000 lines of (already
abridged) logs each day, with an additional 5-10 million lines to come each
day as soon as I get the log filter working correctly. This number will
just grow over time, and I would not be surprised to be receiving 50-80
million lines per day within 12 months!


Regards,
Chew Poh Chang
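The thresholding that the reply describes for CPMAD (N dropped attempts from one source to one port inside a time window, then treat that source as hostile) and the scan highlighting the original poster asked for can both be done with a short script streamed over the log export. The following is an added example written for this archive page; it is not code from either poster, nor from Check Point or CPMAD, and it is in Python rather than the Perl the original poster hoped for. The log format is constructed: a header line naming the fields and semicolon-separated records, and the field names (date, time, action, proto, src, dst, service) are assumptions, as is the port-scan rule, which is a second detector the thread does not mention. Because the header drives the parsing, swapping in a real export only means adjusting the field names.

```python
"""Threshold-based detection of repeated and scanning sources in firewall logs.

Added example; not code from the original thread, Check Point, or CPMAD.
Log format below is constructed: a header line naming the fields and
semicolon-separated records. Field names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 192.0.2.10 hammers port 135, 192.0.2.20 sweeps ports,
# 192.0.2.11 is a legitimate accepted connection, 192.0.2.30 is a lone drop.
SAMPLE_LOG = """\
date;time;action;proto;src;dst;service
11Jun2000;11:50:01;drop;tcp;192.0.2.10;198.51.100.5;135
11Jun2000;11:50:02;drop;tcp;192.0.2.10;198.51.100.5;135
11Jun2000;11:50:03;drop;tcp;192.0.2.10;198.51.100.5;135
11Jun2000;11:50:04;accept;tcp;192.0.2.11;198.51.100.5;80
11Jun2000;11:50:05;drop;tcp;192.0.2.10;198.51.100.5;135
11Jun2000;11:50:06;drop;tcp;192.0.2.20;198.51.100.5;21
11Jun2000;11:50:06;drop;tcp;192.0.2.20;198.51.100.5;22
11Jun2000;11:50:07;drop;tcp;192.0.2.20;198.51.100.5;23
11Jun2000;11:50:07;drop;tcp;192.0.2.20;198.51.100.5;25
11Jun2000;11:50:08;drop;tcp;192.0.2.20;198.51.100.5;110
11Jun2000;11:50:09;drop;tcp;192.0.2.20;198.51.100.5;143
11Jun2000;12:55:00;drop;tcp;192.0.2.30;198.51.100.5;135
"""


def parse_records(text):
    """Yield one dict per record, keyed by the header's field names.

    Malformed lines (wrong field count) are skipped rather than aborting a
    multi-million-line run. A parsed 'ts' datetime is added to each record.
    """
    lines = iter(text.splitlines())
    header = next(lines).split(";")
    for line in lines:
        parts = line.split(";")
        if len(parts) != len(header):
            continue
        rec = dict(zip(header, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%d%b%Y %H:%M:%S")
        yield rec


def detect(text, repeat_threshold=4, scan_threshold=5, window=timedelta(hours=1)):
    """Return a list of (kind, src, detail, ts) alerts.

    'repeat': >= repeat_threshold dropped attempts from src to one service
              within window (the 4-attempts-to-port-135 rule from the thread).
    'scan':   >= scan_threshold distinct dropped services from src to one dst
              within window (assumed rule, not from the thread).
    A given key alerts at most once per window, so a long scan yields one
    alert instead of one per packet.
    """
    repeats = defaultdict(deque)  # (src, service) -> timestamps of drops
    scans = defaultdict(dict)     # (src, dst) -> {service: last drop timestamp}
    alerted = {}                  # (kind, key) -> time of last alert
    alerts = []

    def fire(kind, key, src, detail, ts):
        last = alerted.get((kind, key))
        if last is None or ts - last >= window:
            alerted[(kind, key)] = ts
            alerts.append((kind, src, detail, ts))

    for rec in parse_records(text):
        if rec["action"] != "drop":      # only denied traffic feeds the counters
            continue
        ts, src, dst, svc = rec["ts"], rec["src"], rec["dst"], rec["service"]

        # Sliding window of drops from this source to this service.
        q = repeats[(src, svc)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= repeat_threshold:
            fire("repeat", (src, svc), src, f"{len(q)} drops to port {svc}", ts)

        # Distinct services this source has probed on this destination.
        seen = scans[(src, dst)]
        seen[svc] = ts
        for stale in [s for s, t in seen.items() if ts - t > window]:
            del seen[stale]
        if len(seen) >= scan_threshold:
            fire("scan", (src, dst), src, f"{len(seen)} ports on {dst}", ts)
    return alerts


def sources_to_block(alerts):
    """Distinct sources that tripped any rule, the set a block rule would act on."""
    return sorted({a[1] for a in alerts})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for kind, src, detail, ts in found:
        print(f"{ts:%d%b%Y %H:%M:%S} {kind:6} {src:15} {detail}")
    print("sources to block:", sources_to_block(found))
```

The script keeps only per-key deques of timestamps inside the window, so memory grows with the number of distinct (source, service) pairs seen in the last hour rather than with log volume, which matters at the tens of millions of lines per day the original poster expects. The per-key "alert once per window" suppression is the difference between a usable report and a page of repeated lines for one scanner.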

