[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Firewall log analysis what we should look for ?
port over vlog? http://www.inc2.com/isba/index-vlog.html
Perhaps Pierre has already done it.
Quoting Petr Ruzicka <email@example.com>:
> a lot of people are asking for some script and/or tool
> for pf log analysis.
> First of all, I would like to know what kind of
> information I should look for in firewall logs, what
> should make me aware.
> Besides of ordinary port scans, Nimda/Code Red
> attempts etc. which pattern, from security point of
> view, we should try to identify in firewall, pf logs ?
> Let's put aside monitoring of pass packets for
> accounting purposes or traffic monitoring and
> concentrate on blocked ones.
> My point is - firewall logs are be huge, but when
> someone (me, you, puffy...) build any tool for
> security analysing (I'm aware of tcpdump -r pflog,
> Ethereal etc.), what is important for us ? Blocked syn
> packets, those *could* be annoying worms and that will
> not hurt us ( not on firewall) ? Any other information
> in logs is important ?
> Which features should such tool have ?
> Looking over blocked packet from ip adresses over
> short period of time ?
> Summarizing % of blocked/passed Syns/packets/protocols
> in general ? Denied connections by time, port and ip
> address ? Large packets ? Fragments ?
> What other firewall packages reporting tools provides
> (or missing ) what we could (and need) possibly use ?
> We have an excellent firewall, pf (thank you OpenBSD
> team !), with great logging idea (tcpdump format), is
> it nessesary to have analysing tool ?
> If the answer is yes, what we really need for quick
> overview before we dive in for further analysing pflog
> Best regards and thanks for any idea.
> Yahoo! - Official partner of 2002 FIFA World Cup