
Re: Firewall log analysis: what should we look for?



port over vlog? http://www.inc2.com/isba/index-vlog.html
Perhaps Pierre has already done it.

-mike

Quoting Petr Ruzicka <petr_ruzicka@yahoo.com>:

> Hi,
> a lot of people are asking for some script and/or tool
> for pf log analysis.
> First of all, I would like to know what kind of
> information I should look for in firewall logs, what
> should make me aware.
> Besides ordinary port scans, Nimda/Code Red
> attempts etc., which patterns, from a security point of
> view, should we try to identify in firewall (pf) logs?
> 
> Let's put aside monitoring of passed packets for
> accounting purposes or traffic monitoring and
> concentrate on blocked ones.
> My point is: firewall logs are huge, but when
> someone (me, you, puffy...) builds any tool for
> security analysis (I'm aware of tcpdump -r pflog,
> Ethereal etc.), what is important for us? Blocked SYN
> packets, those *could* be annoying worms and that will
> not hurt us (not on the firewall)? Is any other information
> in the logs important?
> Which features should such a tool have?
> Looking over blocked packets from IP addresses over a
> short period of time?
> Summarizing the % of blocked/passed SYNs/packets/protocols
> in general? Denied connections by time, port and IP
> address? Large packets? Fragments?
> What do other firewall packages' reporting tools provide
> (or miss) that we could (and need to) possibly use?
> 
> We have an excellent firewall, pf (thank you OpenBSD
> team!), with a great logging idea (tcpdump format); is
> it necessary to have an analysing tool?
> If the answer is yes, what do we really need for a quick
> overview before we dive in for further analysis of
> pflog?
> 
> Best regards and thanks for any ideas.
> 
> Petr
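One way to pull the signals Petr lists (blocked SYNs from one source within a short window, denied connections by destination port, the blocked share of all SYNs) out of tcpdump-style pflog text. This is an added example, not code from the thread or from the pf project; the sample lines are constructed, and the line layout, the field names and the 2002 default year are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of `tcpdump -n -e -ttt -r /var/log/pflog` output;
# the exact field layout is an assumption made for this example, not taken from the thread.
SAMPLE = """\
Jun 05 10:15:01.000100 rule 3/0(match): block in on fxp0: 192.0.2.10.4001 > 198.51.100.5.80: S 1:1(0) win 16384
Jun 05 10:15:01.000200 rule 3/0(match): block in on fxp0: 192.0.2.10.4002 > 198.51.100.5.22: S 1:1(0) win 16384
Jun 05 10:15:02.000300 rule 3/0(match): block in on fxp0: 192.0.2.10.4003 > 198.51.100.5.23: S 1:1(0) win 16384
Jun 05 10:15:30.000400 rule 5/0(match): pass in on fxp0: 203.0.113.7.51000 > 198.51.100.5.80: S 1:1(0) win 65535
Jun 05 10:16:10.000500 rule 3/0(match): block in on fxp0: 203.0.113.9.61000 > 198.51.100.5.80: S 1:1(0) win 65535
Jun 05 10:16:11.000600 rule 3/0(match): block in on fxp0: 203.0.113.9.61001 > 198.51.100.5.80: S 1:1(0) win 65535
"""

LINE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d\d) (?P<time>[\d:.]+) rule \S+ "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>\S+)"
)

def parse(text, year=2002):
    """Yield one dict per recognised TCP line; anything else (ICMP, truncated lines) is skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(f"{year} {rec['mon']} {rec['day']} {rec['time']}", "%Y %b %d %H:%M:%S.%f")
            yield rec

def blocked_syn_bursts(records, threshold=3, window=timedelta(seconds=10)):
    """Source IP -> largest number of blocked SYNs it sent inside any sliding `window`."""
    times = defaultdict(list)
    for r in records:
        if r["action"] == "block" and r["flags"] == "S":
            times[r["src"]].append(r["ts"])
    bursts = {}
    for src, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[src] = max(bursts.get(src, 0), end - start + 1)
    return bursts

def summary(records):
    """Blocked attempts per destination port, and the percentage of all SYNs that were blocked."""
    recs = list(records)
    by_port = Counter(int(r["dport"]) for r in recs if r["action"] == "block")
    syns = [r for r in recs if r["flags"] == "S"]
    blocked = sum(r["action"] == "block" for r in syns)
    return by_port, (100.0 * blocked / len(syns) if syns else 0.0)
```

On a real box the input would come from `tcpdump -n -e -ttt -r /var/log/pflog` rather than the embedded sample, and the threshold and window are the knobs to tune against your own baseline.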

