[logs] SIM solution - Objectives ? (Firewall logging)
Paul Melson
pmelson at gmail.com
Wed May 30 06:31:12 PDT 2007
> depends on which way traffic is flowing. Logging denies outbound is very
> effective in locating malware on your hosts. I do not care much about
> denies inbound; it's blocked. And it's blocked outbound, but it still
> indicates a bot or some other malware on one of the internal hosts.
> Every log rule has value; you just have to find it sometimes.
I don't think anybody's said that 'deny' messages were unimportant. But
from a security context, I would argue that they will almost always be less
important than a similar 'accept'.
Let's take your example of using outbound deny messages to find malware.
And let's say that my firewall allows port 80 outbound but not port 25.
Scenario A) is a spambot dropped on a workstation that is unable to send
spam messages. Scenario B) is a new Haxdoor variant that is scraping
passwords and sending them to a web site in China. In this case, being able
to analyze allowed traffic and respond to the incident where data actually
left your network would be significantly more important. It would also be
important to know what else has come and gone from the IP address where the
passwords were sent or even that entire APNIC address block. And while all
of the log data is useful, it's the successful connections that require
immediate attention.
PaulM
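The triage Paul describes, as an added example that is not part of the original post or any LogAnalysis tooling: it parses constructed netfilter-style firewall lines, separates outbound traffic from inbound, and ranks accepted outbound connections (the ones where data actually left) ahead of denied ones, while still keeping the denied port-25 attempts as a secondary indicator of an infected host. The log format, the internal address ranges and the use of a /24 as a stand-in for "the address block the passwords went to" are assumptions made for the example; addresses use RFC 1918 and RFC 5737 test ranges.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in a netfilter-style key=value format (assumption:
# real firewalls vary; adapt LINE_RE to your vendor's format).
# 10.0.0.0/8 is the internal side; 203.0.113.0/24 and 198.51.100.0/24 are
# RFC 5737 documentation ranges standing in for external hosts.
SAMPLE_LOG = """\
May 30 06:31:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=80
May 30 06:31:02 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.20 PROTO=TCP SPT=40001 DPT=25
May 30 06:31:03 fw kernel: DENY IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.21 PROTO=TCP SPT=40002 DPT=25
May 30 06:31:04 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=51235 DPT=80
May 30 06:31:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.9 PROTO=TCP SPT=51300 DPT=443
May 30 06:31:06 fw kernel: DENY IN=eth0 OUT=eth1 SRC=198.51.100.99 DST=10.0.0.5 PROTO=TCP SPT=4444 DPT=445
May 30 06:31:07 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP SPT=51236 DPT=80
"""

# Assumed internal ranges (RFC 1918); replace with your own address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"(?P<action>ACCEPT|DENY)\s+(?P<kv>(?:\w+=\S*\s*)+)$")


def parse_line(line):
    """Parse one firewall log line into a dict of lower-cased fields, or None if it does not match."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    rec = {"action": m.group("action")}
    for tok in m.group("kv").split():
        key, _, value = tok.partition("=")
        rec[key.lower()] = value
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def triage(log_text):
    """Separate outbound ACCEPT records (priority) from outbound DENY records.

    Returns a dict with:
      accepted   - Counter keyed by (src, dst, dport): successful outbound flows
      denied     - Counter keyed by (src, dport): blocked outbound attempts
      dst_blocks - /24 of each external destination -> set of internal hosts
                   that successfully reached it (assumption: /24 approximates
                   "the address block" in the post)
    """
    accepted = Counter()
    denied = Counter()
    dst_blocks = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst = rec["src"], rec["dst"]
        # Only internal -> external traffic matters for this triage;
        # inbound denies are dropped on the floor, as the post argues.
        if not (is_internal(src) and not is_internal(dst)):
            continue
        if rec["action"] == "ACCEPT":
            accepted[(src, dst, rec["dpt"])] += 1
            block = ipaddress.ip_network(f"{dst}/24", strict=False)
            dst_blocks[str(block)].add(src)
        else:
            denied[(src, rec["dpt"])] += 1
    return {"accepted": accepted, "denied": denied, "dst_blocks": dict(dst_blocks)}


def prioritised_report(log_text):
    """Return (accepted_first, denied_second) lists ordered by hit count, highest first."""
    result = triage(log_text)
    accepted = sorted(result["accepted"].items(), key=lambda kv: -kv[1])
    denied = sorted(result["denied"].items(), key=lambda kv: -kv[1])
    return accepted, denied


if __name__ == "__main__":
    acc, den = prioritised_report(SAMPLE_LOG)
    print("Immediate attention (successful outbound):")
    for (src, dst, dport), n in acc:
        print(f"  {src} -> {dst}:{dport}  x{n}")
    print("Secondary (blocked outbound, possible infected host):")
    for (src, dport), n in den:
        print(f"  {src} tried port {dport}  x{n}")
    for block, hosts in triage(SAMPLE_LOG)["dst_blocks"].items():
        print(f"Hosts that reached {block}: {sorted(hosts)}")
```

On the sample data the report puts the three accepted port-80 flows from 10.0.0.5 to 203.0.113.7 at the top (the Scenario B case), lists 10.0.0.9's two blocked port-25 attempts as the spambot indicator (Scenario A), and ignores the inbound deny against port 445 entirely. The `dst_blocks` map answers the follow-up question of which other internal hosts have talked to the same external block.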