[logs] SIM solution - Objectives ? (Firewall logging)
Dave Ellingsberg
Dave.Ellingsberg at csu.mnscu.edu
Tue May 29 08:43:41 PDT 2007
Depends on which way traffic is flowing. Logging denies outbound is very effective in locating malware on your hosts. I do not care much about denies inbound; it's blocked. And it's blocked outbound, but it still indicates a bot or some other malware on one of the internal hosts. Every log rule has value; you just have to find it sometimes.
foot.
Logging 'deny' messages and not 'accept' messages from a firewall is,
in my opinion, a very outdated way of looking at firewall log data.
Firewalls play a part and I would never dismiss them outright, but the
war is over - the bad guys are successfully attacking and connecting
back through firewalls using generally allowed traffic. If you can't
analyze allowed connections, that's a huge blind spot in your security
monitoring.
PaulM
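Both views in this exchange can be turned into a small triage script: count outbound denies per internal host (the blocked call-outs Dave describes), and separately look for an allowed outbound flow that keeps recurring from one host to one destination and port (the "generally allowed traffic" blind spot PaulM describes). The script below is an added example and is not code from either poster or from the list. It assumes iptables-style syslog lines with the rule prefixes DENY-IN, DENY-OUT and ACCEPT-OUT, treats 10.0.0.0/8 as the internal range, and runs over a handful of constructed log lines embedded inline.

```python
"""Triage firewall log lines for signs of compromised internal hosts.

Two checks:
  1. outbound DENY events per internal host (blocked bot/malware call-outs);
  2. repeated outbound ACCEPT events from one host to one dst:port
     (a call-home that got through on generally allowed traffic).

Assumptions for this example: iptables-style syslog output with the rule
prefixes DENY-IN / DENY-OUT / ACCEPT-OUT, and 10.0.0.0/8 as the internal
network. The sample lines below are constructed, not real captures.
"""
import ipaddress
import re
from collections import Counter, defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Pattern for one iptables LOG line; only the fields used here are captured.
# SPT/DPT are optional because ICMP events carry no ports.
LINE_RE = re.compile(
    r"kernel: (?P<prefix>[A-Z-]+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r".*?PROTO=(?P<proto>\w+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)

# Constructed sample log: one non-firewall line, one inbound deny, several
# outbound denies (including an ICMP one), and some allowed outbound flows.
SAMPLE_LOG = """\
May 29 08:39:50 fw sshd[4412]: Accepted publickey for admin from 10.0.1.2 port 50022
May 29 08:40:01 fw kernel: DENY-IN IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.5.23 LEN=44 PROTO=TCP SPT=40000 DPT=445
May 29 08:40:05 fw kernel: DENY-OUT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51234 DPT=6667
May 29 08:40:09 fw kernel: DENY-OUT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51235 DPT=6667
May 29 08:40:14 fw kernel: DENY-OUT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=198.51.100.8 LEN=60 PROTO=TCP SPT=51236 DPT=6667
May 29 08:41:00 fw kernel: DENY-OUT IN=eth1 OUT=eth0 SRC=10.0.7.4 DST=192.0.2.55 LEN=60 PROTO=TCP SPT=33000 DPT=25
May 29 08:41:02 fw kernel: DENY-OUT IN=eth1 OUT=eth0 SRC=10.0.7.4 DST=192.0.2.55 LEN=84 PROTO=ICMP TYPE=8 CODE=0
May 29 08:41:30 fw kernel: ACCEPT-OUT IN=eth1 OUT=eth0 SRC=10.0.9.12 DST=192.0.2.80 LEN=60 PROTO=TCP SPT=50001 DPT=443
May 29 08:42:30 fw kernel: ACCEPT-OUT IN=eth1 OUT=eth0 SRC=10.0.9.12 DST=192.0.2.80 LEN=60 PROTO=TCP SPT=50002 DPT=443
May 29 08:43:30 fw kernel: ACCEPT-OUT IN=eth1 OUT=eth0 SRC=10.0.9.12 DST=192.0.2.80 LEN=60 PROTO=TCP SPT=50003 DPT=443
May 29 08:43:41 fw kernel: ACCEPT-OUT IN=eth1 OUT=eth0 SRC=10.0.7.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=33001 DPT=80
May 29 08:44:00 fw kernel: ACCEPT-OUT IN=eth1 OUT=eth0 SRC=10.0.7.4 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=33002 DPT=53
"""


def parse_line(line):
    """Return a dict for one firewall event, or None for a non-firewall line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    action, _, _ = m["prefix"].partition("-")  # "DENY" or "ACCEPT"
    src = ipaddress.ip_address(m["src"])
    return {
        "action": action,
        # Direction is decided by the source address, not by trusting the rule name.
        "outbound": src in INTERNAL_NET,
        "src": str(src),
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]) if m["dpt"] else None,  # None for ICMP and similar
    }


def outbound_denies(lines, min_events=2):
    """Internal hosts whose outbound traffic was blocked at least min_events times.

    Returns {src: [(dst, proto, dpt), ...]}, busiest host first.
    """
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "DENY" and ev["outbound"]:
            hits[ev["src"]].append((ev["dst"], ev["proto"], ev["dpt"]))
    ranked = sorted(hits.items(), key=lambda kv: -len(kv[1]))
    return {src: evs for src, evs in ranked if len(evs) >= min_events}


def repeated_accepts(lines, min_events=3):
    """Allowed outbound flows that recur from one host to one dst:port.

    A bot calling home over an allowed port shows up as the same
    (src, dst, dpt) over and over. Returns {(src, dst, dpt): count}.
    """
    flows = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "ACCEPT" and ev["outbound"]:
            flows[(ev["src"], ev["dst"], ev["dpt"])] += 1
    return {flow: n for flow, n in flows.items() if n >= min_events}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, evs in outbound_denies(lines).items():
        print(f"{src}: {len(evs)} blocked outbound attempts, e.g. {evs[0]}")
    for (src, dst, dpt), n in repeated_accepts(lines).items():
        print(f"{src} -> {dst}:{dpt} allowed {n} times (recurring flow)")
```

The deny count on its own already points at 10.0.5.23 trying to reach IRC-style port 6667 on two hosts, which is the pattern Dave is after; the second check is what catches 10.0.9.12 talking to the same destination on 443 every minute, which never appears in a denies-only view. Thresholds and the internal range are knobs to tune per site, and in production the `min_events` for accepted flows should be set against a time window rather than a flat count.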
More information about the LogAnalysis
mailing list