LogAnalysis
[logs] SIM Analysis of Firewall Logs Sep 27 2007 05:45PM
saudi sans (saudisans gmail com) (5 replies)
Re: [logs] SIM Analysis of Firewall Logs Sep 28 2007 06:22AM
Ajay Kumar (ajaykumar adventnet com)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 07:04PM
Adrian Grigorof (adi grigorof com)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 06:45PM
Ron Gula (rgula tenablesecurity com) (1 replies)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 07:53PM
Michael Kinsley (michael kinsley sensage com) (1 replies)
Also might I suggest using GeoIP? One of the requests I receive
fairly often is to identify requests either leaving the country of
origin or going to a particular country. A quick search on CPAN for
GeoIP should get you to the right place.

If you have competitors it is also reasonable to look for inbound/outbound
connections from/to them. Although this won't catch people who go out of
their way to avoid detection, it's a nice metric to have handy... and I find
most people still treat web browsing as if it were an anonymous activity.

Good luck.

-Michael

On Sep 27, 2007, at 11:45 AM, Ron Gula wrote:

> Several comments ....
>
> Firewalls log more than just accepts and denies and configuration
> changes. A lot of them will log DOS attacks, port scans, VPN session
> starts and so on. If your SIM can pull those types of logs out, they are
> useful as well.
>
> Focusing on accepts and denies is interesting for trending. I think it
> is more interesting to look at the IP address in the logs and see if any
> of them correlate with publicly or privately available blacklists. I've
> blogged about doing this sort of stuff with Tenable's products here:
> http://blog.tenablesecurity.com/2006/12/updated_blackli.html Knowing
> that your firewall blocked access to a known bad guy is not interesting
> to technical folks, but can help justify the firewall (and the SIM) to
> managers. Also, if the blacklists indicate valid connections then this
> is also interesting.
>
> If your SIM can treat the firewall accept events as network connection
> events (like a netflow or network session) you can do a wide variety of
> NBAD and connection-based analysis. I've blogged how Tenable does this
> here. Other SIMs have similar capabilities, but you need to enable
> statistical tracking on certain events or assets.
>
> If you can sort the logs by asset group (this is something we tell
> Tenable customers to do) then you can start looking for odd hot port
> occurrences. For example, IP phones will initiate TFTP updates over the
> Internet. Most Windows workstations or desktops don't unless they are
> infected with something.
>
> And lastly, if there is any way to create a list from your SIM of
> internal systems that are having Deny rules flagged on the firewall, this
> list could be useful to look for misconfigurations, infected systems
> and so on.
>
> Ron Gula, CTO
> Tenable Network Security
> http://www.tenablesecurity.com
>
>
>
>
> saudi sans wrote:
> > Hi
> >
> > we have 6 firewalls - 2 of them facing Internet, 4 internal
> >
> > We are analysing their logs using a leading SIM solution
> >
> > Looking for help in identifying meaningful/actionable reports that we
> > can get from Firewall log analysis
> >
> >
> > -- From DENY traffic
> >
> > -- Currently we take daily reports on - Top 10 attacked ports, Top 10
> > attacked IPs etc. I am not sure if these Top 10 are meaningful or any
> > action can be taken using this
> >
> >
> > -- From ACCEPT/PERMIT traffic
> > -- I really have no clue on what we can report on this. Top 10 traffic
> > generators or something
> >
> >
> > -- Firewall configuration changes
> >
> > -- Currently we are generating daily reports on Changes to rulebase,
> > changes to firewall objects etc
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysis (at) loganalysis (dot) org [email concealed]
> > http://www.loganalysis.org/mailman/listinfo/loganalysis
> >

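The three firewall-log checks the thread circles around (Ron's blacklist correlation of ACCEPT as well as DENY events, the per-asset-group "hot port" check with the IP-phone TFTP example, and a list of internal systems tripping Deny rules) can be sketched as a small triage script. This is an added example, not code from any poster or from any SIM product; the log format, the addresses, the blacklist and the asset groups are all constructed for the example, and GeoIP enrichment is left out because it needs a database the page does not supply.

```python
"""Triage of firewall ACCEPT/DENY events along the lines discussed in the
thread: blacklist correlation, per-asset-group hot-port checks, and a list
of internal systems tripping Deny rules.  Example code added to the page,
not from any of the posters; the log format, addresses, blacklist and asset
groups below are all constructed for the example."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed log lines in a generic "key=value" firewall syslog format.
SAMPLE_LOG = """\
Sep 27 17:01:02 fw1 ACCEPT src=10.1.20.15 dst=203.0.113.9 proto=tcp dport=80
Sep 27 17:01:05 fw1 ACCEPT src=10.1.20.15 dst=198.51.100.77 proto=tcp dport=443
Sep 27 17:01:09 fw1 DENY src=10.1.20.33 dst=192.0.2.10 proto=tcp dport=25
Sep 27 17:01:11 fw1 DENY src=10.1.20.33 dst=192.0.2.11 proto=tcp dport=25
Sep 27 17:01:14 fw1 ACCEPT src=10.1.30.7 dst=192.0.2.200 proto=udp dport=69
Sep 27 17:01:20 fw1 ACCEPT src=10.1.20.42 dst=192.0.2.200 proto=udp dport=69
Sep 27 17:01:31 fw1 DENY src=198.51.100.77 dst=10.1.20.15 proto=tcp dport=135
Sep 27 17:01:40 fw1 DENY src=10.1.20.33 dst=192.0.2.12 proto=tcp dport=25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<fw>\S+) (?P<action>ACCEPT|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


# Constructed blacklist; stands in for a public or private bad-IP feed.
BLACKLIST = {"198.51.100.77"}


def blacklist_hits(events, blacklist):
    """Events whose src or dst is on the blacklist, keyed by action.
    A DENY to a listed host helps justify the firewall; an ACCEPT to or
    from one is the event that actually needs a look."""
    hits = defaultdict(list)
    for ev in events:
        if ev["src"] in blacklist or ev["dst"] in blacklist:
            hits[ev["action"]].append(ev)
    return dict(hits)


# Constructed asset groups and the outbound (proto, port) pairs each is
# expected to use.  IP phones legitimately do TFTP; workstations do not.
ASSET_GROUPS = {
    "workstations": ipaddress.ip_network("10.1.20.0/24"),
    "ip_phones": ipaddress.ip_network("10.1.30.0/24"),
}
EXPECTED_OUTBOUND = {
    "workstations": {("tcp", 80), ("tcp", 443)},
    "ip_phones": {("udp", 69), ("udp", 5060)},
}


def asset_group(ip):
    """Name of the asset group containing ip, or None for external hosts."""
    addr = ipaddress.ip_address(ip)
    for name, net in ASSET_GROUPS.items():
        if addr in net:
            return name
    return None


def odd_hot_ports(events):
    """Accepted connections from an internal host on a (proto, port) that is
    not expected for its asset group, e.g. a workstation doing TFTP."""
    odd = []
    for ev in events:
        if ev["action"] != "ACCEPT":
            continue
        grp = asset_group(ev["src"])
        if grp and (ev["proto"], ev["dport"]) not in EXPECTED_OUTBOUND[grp]:
            odd.append((grp, ev["src"], ev["proto"], ev["dport"]))
    return odd


def internal_deny_sources(events):
    """Internal systems tripping Deny rules, most frequent first; external
    sources are excluded because they are the normal case for a deny."""
    c = Counter(ev["src"] for ev in events
                if ev["action"] == "DENY" and asset_group(ev["src"]))
    return c.most_common()


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("blacklist hits:", blacklist_hits(evs, BLACKLIST))
    print("odd hot ports:", odd_hot_ports(evs))
    print("internal deny sources:", internal_deny_sources(evs))
```

On the constructed sample the script flags the accepted connection to the blacklisted host (the one a Top 10 DENY report would never show), the workstation 10.1.20.42 doing TFTP, and 10.1.20.33 repeatedly hitting a deny rule on tcp/25, which is the kind of internal host worth checking for misconfiguration or infection.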

Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 08:44PM
Michael Kinsley (michael kinsley sensage com)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 06:25PM
Anton Chuvakin (anton chuvakin org) (1 replies)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 08:41PM
David Corlette (dcorlette novell com)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 06:14PM
Daniel Cid (dcid ossec net)
Copyright 2010, SecurityFocus