On Sun, 2007-05-27 at 17:02 -0400, Marcus J. Ranum wrote:
> Paul Melson wrote:
> >Logging 'deny' messages and not 'accept' messages from a firewall is,
> >in my opinion, a very outdated way of looking at firewall log data.
>
> Minor nit - I think you meant to write "stupid" not "outdated."
> As far back as I can remember (and that's a long way!) some of
> us have been saying that permit log entries are more important
> than deny. In fact, the first codebase of my first firewall didn't even
> bother logging denys because, at the time I felt that a deny log
> message only meant "the firewall is working."

I agree that permits are usually more important, but don't completely
discount the denies. For example given a properly configured rule set, a
desktop system attempting outbound TFTP, SMTP, IRC, Type 11 code 0, etc.
could still be "interesting" as it may very well indicate an internal
system has been owned. Even if the traffic is not passed, you would
still want a heads up to address the system.

HTH,
Chris

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis

[ reply ]