Firewall log analysis: what should we look for?
Hi,
A lot of people are asking for some script and/or tool
for pf log analysis.
First of all, I would like to know what kind of
information I should look for in firewall logs, what
should make me aware.
Besides ordinary port scans, Nimda/Code Red
attempts etc., which patterns, from a security point of
view, should we try to identify in firewall (pf) logs?
Let's put aside monitoring of pass packets for
accounting purposes or traffic monitoring and
concentrate on blocked ones.
My point is: firewall logs can be huge, but when
someone (me, you, puffy...) builds a tool for
security analysis (I'm aware of tcpdump -r pflog,
Ethereal etc.), what is important for us? Blocked SYN
packets, which *could* be annoying worms that will
not hurt us (not on the firewall)? Is any other information
in the logs important?
Which features should such a tool have?
Looking for blocked packets from IP addresses over a
short period of time?
Summarizing % of blocked/passed SYNs/packets/protocols
in general? Denied connections by time, port and IP
address? Large packets? Fragments?
What do other firewall packages' reporting tools provide
(or miss) that we could (and need to) use?
We have an excellent firewall, pf (thank you OpenBSD
team!), with a great logging idea (tcpdump format); is
it necessary to have an analysis tool?
If the answer is yes, what do we really need for a quick
overview before we dive in for further analysis of
pflog?
Best regards and thanks for any idea.
Petr
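One way to build the quick overview the post asks about (blocked SYNs per source within a short window, blocked hits per destination port, fragment count), as an added example that is not part of the original post or of pf/OpenBSD. The line layout it parses is an assumption modelled on `tcpdump -n -e -tt -r /var/log/pflog` output, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed layout of one "tcpdump -n -e -tt -r /var/log/pflog" line; adjust the
# pattern to what your tcpdump version actually prints. Ports are optional so
# that non-first fragments (which carry no TCP header) still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) rule \d+/\d+\(match\): (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifn>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

# Constructed sample: one source probing three ports in a few seconds, one
# single blocked SYN, one passed SYN, and one blocked trailing fragment.
SAMPLE = """\
1023012345.100000 rule 0/0(match): block in on fxp0: 192.0.2.10.3456 > 198.51.100.5.80: S 1:1(0) win 16384
1023012346.200000 rule 0/0(match): block in on fxp0: 192.0.2.10.3457 > 198.51.100.5.135: S 2:2(0) win 16384
1023012347.300000 rule 0/0(match): block in on fxp0: 192.0.2.10.3458 > 198.51.100.5.139: S 3:3(0) win 16384
1023012400.000000 rule 0/0(match): block in on fxp0: 203.0.113.7.40000 > 198.51.100.5.80: S 9:9(0) win 5840
1023012401.000000 rule 1/0(match): pass in on fxp0: 203.0.113.9.40001 > 198.51.100.5.22: S 10:10(0) win 5840
1023012402.000000 rule 0/0(match): block in on fxp0: 203.0.113.8 > 198.51.100.5: (frag 4711:512@512)
""".splitlines()

def parse(lines):
    """Yield one dict per parsable pflog line; unparsable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = float(d["ts"])
            d["syn"] = d["rest"].startswith("S ")   # tcpdump flag field for a SYN
            d["frag"] = "frag" in d["rest"]
            yield d

def summarize(records, window=10.0, threshold=3):
    """Blocked SYNs per source, blocked hits per dst port, fragment count, and
    sources with >= threshold blocked SYNs inside any window of `window` seconds."""
    syn_times, by_port, frags = defaultdict(list), defaultdict(int), 0
    for r in records:
        if r["action"] != "block":      # the post concentrates on blocked packets
            continue
        by_port[r["dport"] or "-"] += 1
        frags += r["frag"]
        if r["syn"]:
            syn_times[r["src"]].append(r["ts"])
    bursty = set()
    for src, times in syn_times.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursty.add(src)
                break
    return {"syn_sources": {s: len(t) for s, t in syn_times.items()},
            "by_port": dict(by_port), "fragments": frags, "bursty": sorted(bursty)}

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

Feed it `tcpdump -n -e -tt -r /var/log/pflog | python3 thisfile.py` once the regex matches your output; the `bursty` list is the "many blocked packets from one address in a short time" signal, and `by_port` shows which services are being probed most.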