LogAnalysis
[logs] SIM Analysis of Firewall Logs Sep 27 2007 05:45PM
saudi sans (saudisans gmail com) (5 replies)
Re: [logs] SIM Analysis of Firewall Logs Sep 28 2007 06:22AM
Ajay Kumar (ajaykumar adventnet com)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 07:04PM
Adrian Grigorof (adi grigorof com)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 06:45PM
Ron Gula (rgula tenablesecurity com) (1 replies)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 07:53PM
Michael Kinsley (michael kinsley sensage com) (1 replies)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 08:44PM
Michael Kinsley (michael kinsley sensage com)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 06:25PM
Anton Chuvakin (anton chuvakin org) (1 replies)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 08:41PM
David Corlette (dcorlette novell com)
I think though that to make this useful, you'll need to incorporate some business intelligence. Otherwise the Top 10 will just show your webservers. What you're really looking for (for example) is "Top 10 target systems that *aren't* servers".

What we do is categorize systems so that we can say things like: look out for connections from external systems to non-DMZ systems and so forth. But the logs themselves won't tell you that; you need to attach some business relevance info.

>>> On Thu, Sep 27, 2007 at 2:25 PM, in message
<b2591e2e0709271125r497075ebi9cead4b8a45d0bb (at) mail.gmail (dot) com>, "Anton Chuvakin"
<anton (at) chuvakin (dot) org> wrote:
>> -- From ACCEPT/PERMIT traffic
>> -- I really have no clue on what we can report on this. Top 10 traffic
>> generators or something
>
> Oooh, this is THE most fun part - examples:
>
> - internal servers acting as clients (owned boxes)
> - depending upon the rule set, denied outbound conns are interesting
> - top outbound allowed/denied ports (trojans? other fun stuff)
> - many others .. need to dig into my archives
>
> As you can guess :-) I have a paper in the works on just the outbound
> firewall log analysis.
>
> Best,

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org
http://www.loganalysis.org/mailman/listinfo/loganalysis

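As an added illustration of the two ideas in this exchange (Corlette's point that firewall logs need an asset classification attached before a "Top 10 targets" report means anything, and Chuvakin's outbound checks: servers acting as clients, denied outbound connections, top outbound ports), here is a small Python script written for this page. It is not code from either author, from this list, or from any product. It assumes a simple key=value log format and a hand-built asset inventory; all addresses, roles, zones and log lines are constructed for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed asset inventory (hypothetical addresses). In practice this is the
# "business relevance" layer pulled from a CMDB or asset database, not from the logs.
ASSETS = {
    "10.0.1.10": {"role": "server", "zone": "dmz"},        # web server
    "10.0.1.11": {"role": "server", "zone": "dmz"},        # mail relay
    "10.0.2.20": {"role": "server", "zone": "internal"},   # file server
    "10.0.3.40": {"role": "workstation", "zone": "internal"},
    "10.0.3.41": {"role": "workstation", "zone": "internal"},
}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed internal address space

# Constructed ACCEPT/DROP records in an assumed key=value format (not a real firewall's syntax).
SAMPLE_LOG = """\
action=ACCEPT src=203.0.113.5 dst=10.0.1.10 proto=tcp dport=443
action=ACCEPT src=203.0.113.5 dst=10.0.1.10 proto=tcp dport=443
action=ACCEPT src=198.51.100.7 dst=10.0.3.40 proto=tcp dport=3389
action=ACCEPT src=198.51.100.7 dst=10.0.3.40 proto=tcp dport=3389
action=ACCEPT src=198.51.100.7 dst=10.0.3.41 proto=tcp dport=445
action=ACCEPT src=10.0.2.20 dst=198.51.100.9 proto=tcp dport=6667
action=DROP src=10.0.3.40 dst=198.51.100.9 proto=tcp dport=6667
action=DROP src=10.0.3.41 dst=198.51.100.9 proto=tcp dport=6667
action=ACCEPT src=10.0.3.40 dst=192.0.2.80 proto=tcp dport=80
"""


def parse_line(line):
    """Turn one key=value log line into a dict; dport becomes an int."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def zone_of(ip):
    """Zone from the inventory; unknown addresses fall back to internal/external by prefix."""
    asset = ASSETS.get(ip)
    if asset:
        return asset["zone"]
    return "internal" if is_internal(ip) else "external"


def role_of(ip):
    return ASSETS.get(ip, {}).get("role", "unknown")


def top_non_server_targets(events, n=10):
    """Top-N accepted inbound targets that are *not* known servers (Corlette's report)."""
    counts = Counter(
        e["dst"] for e in events
        if e["action"] == "ACCEPT" and not is_internal(e["src"])
        and is_internal(e["dst"]) and role_of(e["dst"]) != "server"
    )
    return counts.most_common(n)


def external_to_non_dmz(events):
    """Accepted connections from outside that terminate on a non-DMZ host."""
    return [
        e for e in events
        if e["action"] == "ACCEPT" and zone_of(e["src"]) == "external"
        and zone_of(e["dst"]) not in ("external", "dmz")
    ]


def servers_acting_as_clients(events):
    """Internal servers that initiate outbound connections (Chuvakin's 'owned boxes' check)."""
    return sorted({
        e["src"] for e in events
        if e["action"] == "ACCEPT" and role_of(e["src"]) == "server"
        and not is_internal(e["dst"])
    })


def top_outbound_ports(events, action, n=10):
    """Most common outbound destination ports for one action (ACCEPT or DROP)."""
    counts = Counter(
        e["dport"] for e in events
        if e["action"] == action and is_internal(e["src"]) and not is_internal(e["dst"])
    )
    return counts.most_common(n)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("top non-server targets:", top_non_server_targets(evts))
    print("external -> non-DMZ:", [(e["src"], e["dst"], e["dport"]) for e in external_to_non_dmz(evts)])
    print("servers acting as clients:", servers_acting_as_clients(evts))
    print("top denied outbound ports:", top_outbound_ports(evts, "DROP"))
    print("top allowed outbound ports:", top_outbound_ports(evts, "ACCEPT"))
```

Without the inventory, a plain top-10 over the same sample would be led by the DMZ web server on 443, which is exactly the uninformative result the message above warns about; with roles and zones attached, the workstations reached from outside and the file server making its own outbound connection surface instead.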
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 06:14PM
Daniel Cid (dcid ossec net)
Copyright 2010, SecurityFocus