LogAnalysis mailing list archive

Thread: [logs] SIM Analysis of Firewall Logs
[logs] SIM Analysis of Firewall Logs, Sep 27 2007 05:45PM, saudi sans (saudisans gmail com) (5 replies)
Re: [logs] SIM Analysis of Firewall Logs, Sep 27 2007 06:45PM, Ron Gula (rgula tenablesecurity com) (1 replies)
Re: [logs] SIM Analysis of Firewall Logs, Sep 27 2007 07:53PM, Michael Kinsley (michael kinsley sensage com) (1 replies)
Re: [logs] SIM Analysis of Firewall Logs, Sep 27 2007 08:44PM, Michael Kinsley (michael kinsley sensage com)
Re: [logs] SIM Analysis of Firewall Logs, Sep 27 2007 06:25PM, Anton Chuvakin (anton chuvakin org) (1 replies)

Actually we went through this before. Here is a list that I compiled based on that discussion:
http://www.eventid.net/firewalls/MostPopularReports.asp
Regards,
Adrian Grigorof
Altair Technologies Ltd.
www.altairtech.ca
www.eventid.net
saudi sans wrote:
> Hi
>
> we have 6 firewalls - 2 of them facing Internet , 4 internal
>
> We are analysing their log using a leading SIM solution
>
> Looking for help in identifying meaningful/actionable reports that we
> can get from Firewall log analysis
>
>
> -- From DENY traffic
>
> -- Currently we take daily reports on - Top 10 attacked ports,Top 10
> attacked IPs etc. I am not sure if these Top 10 are meaningful or any
> action can be taken using this
>
>
> -- From ACCEPT/PERMIT traffic
> -- I really have no clue on what we can report on this.Top 10 traffic
> generators or something
>
>
> -- Firewall configuration changes
>
> --Currently we are generating daily reports on Changes to rulebase,
> changes to firewall objects etc
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis (at) loganalysis (dot) org [email concealed]
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>
>
>
>
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
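As an added example (not from this post, the thread, or the linked eventid.net page), here is a small Python report generator that produces the reports the original post names: top denied ports and top attacked (destination) IPs from DENY traffic, and top traffic generators by bytes from ACCEPT traffic. Every report is split by firewall role, because the post's setup (two Internet-facing firewalls, four internal) is what makes a count meaningful: a deny logged by an internal firewall names an inside host. The key=value log format, the firewall names, and the sample lines are all constructed assumptions.

```python
import re
from collections import Counter
# Constructed sample lines in a hypothetical key=value firewall syslog format
# (not any particular product's); two Internet-facing and two internal
# firewalls stand in for the six described in the post.
SAMPLE_LOGS = """\
fw-ext1 action=DENY src=198.51.100.7 dst=203.0.113.10 dport=22 bytes=0
fw-ext1 action=DENY src=198.51.100.7 dst=203.0.113.10 dport=23 bytes=0
fw-ext2 action=DENY src=198.51.100.9 dst=203.0.113.11 dport=22 bytes=0
fw-int1 action=DENY src=10.1.1.5 dst=10.2.2.20 dport=445 bytes=0
fw-int1 action=ACCEPT src=10.1.1.5 dst=203.0.113.50 dport=443 bytes=512000
fw-int2 action=ACCEPT src=10.1.1.6 dst=203.0.113.51 dport=443 bytes=2048
fw-int2 action=ACCEPT src=10.1.1.5 dst=203.0.113.52 dport=80 bytes=3072
"""

# Assumed firewall names mapped to role. Splitting every report by role is what
# gives a DENY count context: a deny on an internal firewall names an inside host.
ROLE = {"fw-ext1": "internet", "fw-ext2": "internet",
        "fw-int1": "internal", "fw-int2": "internal"}

LINE_RE = re.compile(r"^(?P<fw>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$")

def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            rec["role"] = ROLE.get(rec["fw"], "unknown")
            yield rec

def top_n(text, action, role, key, n=10, weight=lambda r: 1):
    """Top-n values of `key`, weighted by `weight`, over records of one action and role."""
    counts = Counter()
    for r in parse(text):
        if r["action"] == action and r["role"] == role:
            counts[r[key]] += weight(r)
    return counts.most_common(n)

def deny_top_ports(text, role):      # "Top 10 attacked ports" from DENY traffic
    return top_n(text, "DENY", role, "dport")

def deny_top_targets(text, role):    # "Top 10 attacked IPs" (destinations) from DENY traffic
    return top_n(text, "DENY", role, "dst")

def accept_top_talkers(text, role):  # "Top 10 traffic generators" from ACCEPT traffic, by bytes
    return top_n(text, "ACCEPT", role, "src", weight=lambda r: r["bytes"])
```

Run the three report functions once per role over a day's export; the internal-role DENY lists are the ones worth a ticket, since each entry is a host you own.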