LogAnalysis mailing list archive

Thread: [logs] SIM Analysis of Firewall Logs
  Sep 27 2007 05:45PM  saudi sans (saudisans gmail com)  (5 replies)
    Re: Sep 27 2007 06:45PM  Ron Gula (rgula tenablesecurity com)  (1 reply)
      Re: Sep 27 2007 07:53PM  Michael Kinsley (michael kinsley sensage com)  (1 reply)
        Re: Sep 27 2007 08:44PM  Michael Kinsley (michael kinsley sensage com)
    Re: Sep 27 2007 06:25PM  Anton Chuvakin (anton chuvakin org)  (1 reply)

What we do is categorize systems so that we can say things like: look out for connections from external systems to non-DMZ systems and so forth. But the logs themselves won't tell you that; you need to attach some business relevance info.
>>> On Thu, Sep 27, 2007 at 2:25 PM, in message
<b2591e2e0709271125r497075ebi9cead4b8a45d0bb (at) mail.gmail (dot) com [email concealed]>, "Anton Chuvakin"
<anton (at) chuvakin (dot) org [email concealed]> wrote:
>> -- From ACCEPT/PERMIT traffic
>> -- I really have no clue on what we can report on this. Top 10 traffic
>> generators or something
>
> Oooh, this is THE most fun part - examples:
>
> - internal servers acting as clients (owned boxes)
> - depending upon the rule set, denied outbound conns are interesting
> - top outbound allowed/denied ports (trojans? other fun stuff)
> - many others .. need to dig into my archives
>
> As you can guess :-) I have a paper in the works on just the outbound
> firewall log analysis.
>
> Best,
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
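The reports suggested in the exchange above (internal servers acting as clients, denied outbound connections, top outbound allowed/denied ports, and the "external to non-DMZ" check that needs business-relevance tagging) are easy to express once each address is mapped to a zone. The following is an added example, not code from the list thread or from any product mentioned in it. The log line format, the zone-to-CIDR table and the sample lines are all constructed for illustration; a real deployment would swap in its own firewall's format and asset inventory.

```python
"""Firewall log triage reports (added example, not from the list thread).

The log format and the address-to-zone mapping below are constructed for
illustration; adapt LINE_RE and the ZONES table to your own firewall.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2007-09-27T17:45:01 ACCEPT tcp 10.1.5.20:51234 -> 203.0.113.9:6667
2007-09-27T17:45:02 ACCEPT tcp 10.2.0.15:40001 -> 198.51.100.7:443
2007-09-27T17:45:03 DENY tcp 10.2.0.15:40002 -> 198.51.100.7:25
2007-09-27T17:45:04 ACCEPT tcp 192.0.2.44:33000 -> 10.0.1.10:80
2007-09-27T17:45:05 ACCEPT tcp 192.0.2.44:33001 -> 10.1.5.20:3389
2007-09-27T17:45:06 DENY udp 10.2.0.22:5000 -> 203.0.113.9:53
2007-09-27T17:45:07 ACCEPT tcp 10.2.0.22:5001 -> 198.51.100.7:443
"""

# Business-relevance tagging (constructed): which address ranges play which role.
ZONES = {
    "dmz": ipaddress.ip_network("10.0.1.0/24"),
    "internal_server": ipaddress.ip_network("10.1.5.0/24"),
    "workstation": ipaddress.ip_network("10.2.0.0/16"),
}
INSIDE = set(ZONES)  # every named zone is "inside"; anything else is external

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def zone_of(ip):
    """Map an address to a zone name; unknown ranges are treated as external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_log(text):
    """Parse log lines into dicts, annotating each with source/destination zones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in an unexpected format rather than crashing
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        ev["src_zone"] = zone_of(ev["src"])
        ev["dst_zone"] = zone_of(ev["dst"])
        events.append(ev)
    return events


def is_outbound(ev):
    """True when an inside host is talking to something outside the named zones."""
    return ev["src_zone"] in INSIDE and ev["dst_zone"] == "external"


def servers_acting_as_clients(events):
    """Internal servers that initiated an allowed connection to the outside."""
    return [ev for ev in events
            if ev["action"] == "ACCEPT" and is_outbound(ev)
            and ev["src_zone"] == "internal_server"]


def denied_outbound(events):
    """Outbound connections the rule set blocked."""
    return [ev for ev in events if ev["action"] == "DENY" and is_outbound(ev)]


def external_to_non_dmz(events):
    """Allowed connections from outside that reached something other than the DMZ."""
    return [ev for ev in events
            if ev["action"] == "ACCEPT" and ev["src_zone"] == "external"
            and ev["dst_zone"] in INSIDE and ev["dst_zone"] != "dmz"]


def top_outbound_ports(events, action, n=10):
    """Most common destination ports of outbound traffic with the given action."""
    counts = Counter(ev["dport"] for ev in events
                     if ev["action"] == action and is_outbound(ev))
    return counts.most_common(n)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for title, rows in [("Internal servers acting as clients", servers_acting_as_clients(evs)),
                        ("Denied outbound connections", denied_outbound(evs)),
                        ("External -> non-DMZ accepted", external_to_non_dmz(evs))]:
        print(f"== {title} ==")
        for ev in rows:
            print(f"  {ev['ts']} {ev['src']} ({ev['src_zone']}) -> "
                  f"{ev['dst']}:{ev['dport']} ({ev['dst_zone']})")
    print("Top allowed outbound ports:", top_outbound_ports(evs, "ACCEPT"))
    print("Top denied outbound ports:", top_outbound_ports(evs, "DENY"))
```

The zone table is the piece the logs themselves cannot supply: without it, the external-to-internal report cannot distinguish a DMZ web server from a database host, and the "server acting as client" report cannot tell a server from a workstation. In practice that table comes from an asset inventory or CMDB rather than being hand-written as here.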