LogAnalysis
[logs] SIM Analysis of Firewall Logs Sep 27 2007 05:45PM
saudi sans (saudisans gmail com) (5 replies)
Re: [logs] SIM Analysis of Firewall Logs Sep 28 2007 06:22AM
Ajay Kumar (ajaykumar adventnet com)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 07:04PM
Adrian Grigorof (adi grigorof com)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 06:45PM
Ron Gula (rgula tenablesecurity com) (1 replies)
Several comments ....

Firewalls log more than just accepts and denies and configuration
changes. A lot of them will log DoS attacks, port scans, VPN session
starts and so on. If your SIM can pull those types of logs out, they are
useful as well.

Focusing on accepts and denies is interesting for trending. I think it
is more interesting to look at the IP address in the logs and see if any
of them correlate with publicly or privately available blacklists. I've
blogged about doing this sort of stuff with Tenable's products here:
http://blog.tenablesecurity.com/2006/12/updated_blackli.html Knowing
that your firewall blocked access to a known bad guy is not interesting
to technical folks, but can help justify the firewall (and the SIM) to
managers. Also, if the blacklists indicate valid connections then this
is also interesting.

If your SIM can treat the firewall accept events as network connection
events (like a netflow or network session) you can do a wide variety of
NBAD, and connection based analysis. I've blogged how Tenable does this
here. Other SIMs have similar capabilities, but you need to enable
statistical tracking on certain events or assets.

If you can sort the logs by asset group (this is something we tell
Tenable customers to do) then you can start looking for odd hot port
occurrences. For example, IP phones will initiate TFTP updates over the
Internet. Most Windows workstations or desktops don't unless they are
infected with something.

And lastly, if there is any way to create a list from your SIM of
internal systems that are having Deny rules flagged on the firewall, this
list could be useful to look for mis-configurations, infected systems
and so on.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com

saudi sans wrote:
> Hi
>
> we have 6 firewalls - 2 of them facing Internet , 4 internal
>
> We are analysing their log using a leading SIM solution
>
> Looking for help in identifying meaningful/actionable reports that we
> can get from Firewall log analysis
>
>
> -- From DENY traffic
>
> -- Currently we take daily reports on - Top 10 attacked ports, Top 10
> attacked IPs etc. I am not sure if these Top 10 are meaningful or any
> action can be taken using this
>
>
> -- From ACCEPT/PERMIT traffic
> -- I really have no clue on what we can report on this. Top 10 traffic
> generators or something
>
>
> -- Firewall configuration changes
>
> --Currently we are generating daily reports on Changes to rulebase,
> changes to firewall objects etc
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis (at) loganalysis (dot) org [email concealed]
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>
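The four analyses Ron describes above (blacklist correlation of firewall IPs, treating accepts as connection records, per-asset-group hot-port detection, and a list of internal hosts tripping deny rules) can be prototyped outside a SIM in a few dozen lines. The following is an added example written for this page; it is not Ron's, Tenable's, or any SIM vendor's code. The key=value log format, the asset-group subnets, the blacklist entries and the "expected ports" per group are all constructed assumptions for the example (addresses are from documentation ranges), and a real deployment would take them from the firewall's own export format, the CMDB, and a threat feed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in a generic key=value firewall format
# (assumption: not the syntax of any particular vendor). 10.0.0.0/8 is
# the internal side; 192.0.2.77 is an external host that appears on the
# blacklist below, and one accepted connection reaches it.
SAMPLE_LOGS = """\
2007-09-27T17:45:01 fw-ext action=accept src=10.1.20.15 dst=203.0.113.9 proto=tcp dport=443
2007-09-27T17:45:02 fw-ext action=accept src=10.1.30.7 dst=198.51.100.20 proto=udp dport=69
2007-09-27T17:45:03 fw-ext action=accept src=10.1.20.22 dst=198.51.100.20 proto=udp dport=69
2007-09-27T17:45:04 fw-ext action=deny src=192.0.2.77 dst=10.1.20.15 proto=tcp dport=445
2007-09-27T17:45:05 fw-ext action=deny src=10.1.20.22 dst=192.0.2.77 proto=tcp dport=6667
2007-09-27T17:45:06 fw-int action=deny src=10.1.20.22 dst=10.1.40.5 proto=tcp dport=445
2007-09-27T17:45:07 fw-ext action=accept src=10.1.30.8 dst=203.0.113.9 proto=udp dport=5060
2007-09-27T17:45:08 fw-ext action=deny src=10.1.20.15 dst=10.1.40.9 proto=tcp dport=1433
2007-09-27T17:45:09 fw-ext action=accept src=10.1.20.22 dst=192.0.2.77 proto=tcp dport=6667
"""

# Hypothetical asset groups keyed by subnet (assumption for the example).
ASSET_GROUPS = {
    "workstations": ipaddress.ip_network("10.1.20.0/24"),
    "ip_phones": ipaddress.ip_network("10.1.30.0/24"),
    "servers": ipaddress.ip_network("10.1.40.0/24"),
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Hypothetical blacklist; a real one would be loaded from a feed.
BLACKLIST = {"192.0.2.77"}

# Ports each asset group is expected to initiate outbound. Anything else
# an accepted flow uses is reported as a "hot port" for that group, so
# TFTP (udp/69) is normal for phones but suspicious from a workstation.
EXPECTED_PORTS = {
    "workstations": {("tcp", 80), ("tcp", 443), ("udp", 53)},
    "ip_phones": {("udp", 69), ("udp", 5060), ("udp", 53)},
    "servers": set(),
}

LINE_RE = re.compile(r"(?P<ts>\S+) (?P<fw>\S+) (?P<kv>.*)")


def parse(log_text):
    """Turn key=value firewall lines into dicts; skip lines that don't match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
        ev["ts"] = m.group("ts")
        ev["fw"] = m.group("fw")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def asset_group(ip):
    """Map an address to its asset group, or None for addresses outside all groups."""
    addr = ipaddress.ip_address(ip)
    for name, net in ASSET_GROUPS.items():
        if addr in net:
            return name
    return None


def blacklist_hits(events):
    """Every event touching a blacklisted IP. Denies justify the firewall;
    accepts (an internal host actually talking to a known bad host) are
    the ones that need a ticket."""
    return [ev for ev in events if ev["src"] in BLACKLIST or ev["dst"] in BLACKLIST]


def connection_table(events):
    """Treat accepts as session records: count flows per (src, dst, proto, dport)."""
    return Counter(
        (ev["src"], ev["dst"], ev["proto"], ev["dport"])
        for ev in events if ev["action"] == "accept"
    )


def hot_ports(events):
    """Accepted outbound flows to a port that is unusual for the source's asset group."""
    findings = []
    for ev in events:
        if ev["action"] != "accept":
            continue
        grp = asset_group(ev["src"])
        if grp is None:
            continue
        if (ev["proto"], ev["dport"]) not in EXPECTED_PORTS[grp]:
            findings.append((grp, ev["src"], ev["proto"], ev["dport"]))
    return findings


def internal_denies(events):
    """Internal hosts whose own outbound traffic hits deny rules, most frequent first."""
    c = Counter(
        ev["src"] for ev in events
        if ev["action"] == "deny" and ipaddress.ip_address(ev["src"]) in INTERNAL
    )
    return c.most_common()


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("blacklist:", [(e["action"], e["src"], e["dst"]) for e in blacklist_hits(evs)])
    print("hot ports:", hot_ports(evs))
    print("internal hosts hitting deny rules:", internal_denies(evs))
```

On the sample data the workstation 10.1.20.22 shows up in all three detective reports: an accepted TFTP flow that is normal for the phone group but not for workstations, an accepted connection to a blacklisted host, and the most deny hits of any internal address. That overlap, rather than any single Top 10, is what makes the output actionable.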
