LogAnalysis
[logs] SIM Analysis of Firewall Logs Sep 27 2007 05:45PM
saudi sans (saudisans gmail com) (5 replies)
Re: [logs] SIM Analysis of Firewall Logs Sep 28 2007 06:22AM
Ajay Kumar (ajaykumar adventnet com)
Hi,

*Disclaimer:* I work for the Firewall Analyzer product division of
AdventNet, Inc.

We have a product called the ManageEngine® Firewall Analyzer
<http://www.fwanalyzer.com>, which is a web based, cross-platform,
agent-less, firewall log analysis and reporting software that monitors,
collects, analyzes, archives, and generates reports on enterprise-wide
Firewalls, VPN's, IDS, and Proxy servers.

Except for the "Firewall configuration changes" reports which would be
made available in our next product update, we are able to obtain
meaningful reports like Live Reports, Traffic Reports, Protocol Usage
Reports, Web Usage Reports, Mail Usage Reports, FTP Usage Reports,
Telnet Usage Reports, Event Summary Reports, VPN Usage Reports, Firewall
Rules Report, Inbound Outbound Reports, Intranet Reports, Internet
Reports, Streaming & Chat Sites Reports, Security Reports, Virus
Reports, Attack Reports, Admin Reports and others, based on firewall log
analysis. You can create anomaly filters to detect unusual network
behaviors, and also obtain Working and Non-Working hours network activities.

So as you can see, if your log parsing engine is intelligent enough then
it can mine a lot of information from your firewall logs.

Thanks!

*Ajay Kumar*
Product : EventLog Analyzer <http://www.eventloganalyzer.com> & Firewall
Analyzer <http://www.fwanalyzer.com>
AdventNet Inc. <http://www.adventnet.com>

saudi sans wrote:
> Hi
>
> we have 6 firewalls - 2 of them facing Internet, 4 internal
>
> We are analysing their log using a leading SIM solution
>
> Looking for help in identifying meaningful/actionable reports that we
> can get from Firewall log analysis
>
>
> -- From DENY traffic
>
> -- Currently we take daily reports on - Top 10 attacked ports, Top 10
> attacked IPs etc. I am not sure if these Top 10 are meaningful or any
> action can be taken using this
>
>
> -- From ACCEPT/PERMIT traffic
> -- I really have no clue on what we can report on this. Top 10 traffic
> generators or something
>
>
> -- Firewall configuration changes
>
> --Currently we are generating daily reports on Changes to rulebase,
> changes to firewall objects etc
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis (at) loganalysis (dot) org
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>
>
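The reports both posts discuss (Top-N denied ports and attacked hosts from DENY traffic, top talkers from ACCEPT traffic, and the working versus non-working hours split used as a simple anomaly filter) can be produced with a small parser over firewall syslog. The following Python is an added example, not code from the thread or from the Firewall Analyzer product; the log layout, the IP addresses and the 08:00-18:00 working window are constructed for illustration and are not any vendor's real format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in a generic syslog-like layout (not a real vendor format).
SAMPLE_LOGS = """\
2007-09-27 03:12:05 fw-ext1 DENY tcp 203.0.113.7:51234 -> 198.51.100.10:23
2007-09-27 03:12:06 fw-ext1 DENY tcp 203.0.113.7:51235 -> 198.51.100.10:445
2007-09-27 09:30:41 fw-ext1 ACCEPT tcp 192.0.2.25:40001 -> 198.51.100.10:443
2007-09-27 10:02:13 fw-int2 ACCEPT tcp 10.1.1.5:52000 -> 10.2.2.9:3389
2007-09-27 10:02:14 fw-int2 ACCEPT tcp 10.1.1.5:52001 -> 10.2.2.9:3389
2007-09-27 14:45:00 fw-ext2 DENY udp 203.0.113.9:5060 -> 198.51.100.11:445
2007-09-27 23:58:59 fw-int3 ACCEPT tcp 10.1.1.5:52002 -> 10.2.2.9:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<fw>\S+) (?P<action>ACCEPT|DENY) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_logs(text):
    """Parse each line into a dict; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            r = m.groupdict()
            r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")
            r["dport"] = int(r["dport"])
            records.append(r)
    return records

def top_n(records, action, field, n=10):
    """Top-N report: e.g. most-denied destination ports, or busiest ACCEPT sources."""
    return Counter(r[field] for r in records if r["action"] == action).most_common(n)

def by_working_hours(records, start=8, end=18):
    """Count records inside (start <= hour < end) and outside the working window."""
    work = sum(1 for r in records if start <= r["ts"].hour < end)
    return {"working": work, "non_working": len(records) - work}

def non_working_accepts(records, start=8, end=18):
    """Anomaly filter: ACCEPTed flows outside working hours, grouped by source host."""
    return Counter(r["src"] for r in records
                   if r["action"] == "ACCEPT" and not (start <= r["ts"].hour < end))
```

The last function is the kind of report the question is after: a permitted flow at 23:58 from an internal host is far more actionable than another Top-10 list of blocked ports.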
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 07:04PM
Adrian Grigorof (adi grigorof com)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 06:45PM
Ron Gula (rgula tenablesecurity com) (1 replies)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 07:53PM
Michael Kinsley (michael kinsley sensage com) (1 replies)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 08:44PM
Michael Kinsley (michael kinsley sensage com)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 06:25PM
Anton Chuvakin (anton chuvakin org) (1 replies)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 08:41PM
David Corlette (dcorlette novell com)
Re: [logs] SIM Analysis of Firewall Logs Sep 27 2007 06:14PM
Daniel Cid (dcid ossec net)
Copyright 2010, SecurityFocus