LogAnalysis
Thread: Re: [logs] SIM solution - Objectives ?
- Jun 01 2007 02:39AM saudi sans (saudisans gmail com) (2 replies)
- Jun 01 2007 12:55PM Dave Ellingsberg (Dave Ellingsberg csu mnscu edu) (2 replies)
- Jun 02 2007 02:00PM saudi sans (saudisans gmail com) (1 replies)
- Jun 04 2007 05:57PM Mikael Kuisma (kuisma ping se) (1 replies)
- Jun 04 2007 07:02PM Stefano Zanero (zanero elet polimi it) (1 replies)
- Jun 04 2007 07:41PM Mikael Kuisma (kuisma ping se) (1 replies)
- Jun 01 2007 05:04PM Justin Mitchell (jmitchell secureworks com) (1 replies)
--- saudi sans <saudisans (at) gmail (dot) com [email concealed]> wrote:
> Hi,
>
> Thanks for the inputs - I have still not concluded.
>
> - Logging Firewall DENIES does not give anything relevant. Maybe it can
> give some trending data where.
I don't think there is a consensus that firewall denies are not relevant. If you have a properly configured firewall with a default block policy, the deny logs will show some interesting stuff (especially from internal systems). Chris Brenton pointed this out very well. Extending that beyond firewall logs, if you have an internal web proxy (like squid), you can get a broader view of what is going on (from the denies -- 4xx/5xx and accepts)... I mention some patterns in the following paper:
http://www.ossec.net/en/loganalysis.html#proxy
> What I should check on Firewall could be
>
> - Changes to rulebase - However this seems impossible. People like
> Checkpoint only say a new policy has been installed - They do not make
> a log entry what change was made in the rulebase before this install.
>
> I am yet to see any rulebase change logs in Firewalls like Netscreen
> and CiscoPix which even capture that a rulebase has been installed or
> what has been changed in the rulebase.
I don't know about Netscreen, but PIX logs
configuration changes. Just look at PIX ids from
"111001" to "11100x"...
Hope it helps.
--
Daniel B. Cid (dcid (at) ossec (dot) net [email concealed])
http://www.ossec.net
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
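An added example of the two checks discussed in this reply, written for this page and not taken from the thread or from OSSEC: it pulls configuration-change messages (PIX message IDs 111001 to 111009) out of PIX/ASA syslog and counts 106023 denies whose source sits on the inside interface. The log lines are constructed samples in the PIX syslog format; the hostname, addresses and user name are made up.

```python
import re
from collections import Counter

# Constructed sample lines (not real logs) in Cisco PIX/ASA syslog format.
SAMPLE_LOG = """\
Jun  1 02:41:07 fw1 %PIX-5-111001: Begin configuration: 10.0.0.5 writing to memory
Jun  1 02:41:09 fw1 %PIX-5-111008: User 'admin' executed the 'access-list inside_in permit tcp any any' command.
Jun  1 02:41:10 fw1 %PIX-5-111008: User 'admin' executed the 'write memory' command.
Jun  1 03:02:11 fw1 %PIX-4-106023: Deny tcp src inside:10.1.2.3/4455 dst outside:198.51.100.4/445 by access-group "inside_in"
Jun  1 03:02:12 fw1 %PIX-4-106023: Deny tcp src inside:10.1.2.3/4456 dst outside:198.51.100.5/445 by access-group "inside_in"
Jun  1 03:02:13 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.9/51000 dst inside:10.0.0.20/22 by access-group "outside_in"
Jun  1 03:05:00 fw1 %PIX-6-302013: Built outbound TCP connection 12 for outside:198.51.100.8/80 (198.51.100.8/80) to inside:10.1.2.7/40001 (10.1.2.7/40001)
"""

# %PIX-<severity>-<6-digit message id>: <body>
MSG_RE = re.compile(r"%(?:PIX|ASA)-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)")
# Body of a 106023 deny: protocol, source interface/address/port, destination interface/address/port.
DENY_RE = re.compile(r"Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/\d+ "
                     r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")
# Body of a 111008: the user and the exact command entered.
CMD_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>.*)' command")


def parse(line):
    """Return (severity, message id, body), or None for a line that is not a PIX/ASA message."""
    m = MSG_RE.search(line)
    return (int(m["sev"]), m["id"], m["body"]) if m else None


def config_changes(log):
    """Collect configuration activity: message ids 111001-111009 as (id, user, command-or-body)."""
    out = []
    for line in log.splitlines():
        p = parse(line)
        if p and p[1].startswith("11100"):
            c = CMD_RE.search(p[2])
            out.append((p[1], c["user"] if c else None, c["cmd"] if c else p[2]))
    return out


def internal_denies(log):
    """Count 106023 denies sourced from the inside interface, keyed by (source, protocol, dst port).

    The interface name in the message, not the address range, decides what is internal."""
    counts = Counter()
    for line in log.splitlines():
        p = parse(line)
        if p and p[1] == "106023":
            d = DENY_RE.search(p[2])
            if d and d["sif"] == "inside":
                counts[(d["src"], d["proto"], int(d["dport"]))] += 1
    return counts
```

On the sample, the inside host 10.1.2.3 shows up twice being denied to TCP/445 on the outside, the kind of internal pattern this reply refers to, while the rulebase edit and the `write memory` that committed it are recovered from the 111008 entries.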