[logs] SIM Analysis of Firewall Logs Sep 27 2007 05:45PM
saudi sans (saudisans gmail com)

we have 6 firewalls - 2 of them facing Internet , 4 internal

We are analysing their log using a leading SIM solution

Looking for help in identifying meaningful/actionable reports that we
can get from Firewall log analysis

-- From DENY traffic

-- Currently we take daily reports on - Top 10 attacked ports,Top 10
attacked IPs etc. I am not sure if these Top 10 are meaningful or any
action can be taken using this

-- From ACCEPT/PERMIT traffic
-- I really have no clue on what we can report on this.Top 10 traffic
generators or something

-- Firewall configuration changes

--Currently we are generating daily reports on Changes to rulebase,
changes to firewall objects etc
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus