[logs] SIM Analysis of Firewall Logs
saudi sans
saudisans at gmail.com
Thu Sep 27 10:45:08 PDT 2007
Hi
We have 6 firewalls: 2 of them facing the Internet, 4 internal.
We are analysing their logs using a leading SIM solution.
Looking for help in identifying meaningful/actionable reports that we
can get from firewall log analysis:
-- From DENY traffic
-- Currently we take daily reports on Top 10 attacked ports, Top 10
attacked IPs, etc. I am not sure if these Top 10 are meaningful or
whether any action can be taken using them.
-- From ACCEPT/PERMIT traffic
-- I really have no clue what we can report on this. Top 10 traffic
generators or something?
-- Firewall configuration changes
-- Currently we are generating daily reports on changes to the rulebase,
changes to firewall objects, etc.
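As an added example (not from the original post, the poster, or any SIM product), here is a small Python script that produces the report types the post mentions, plus a few variants that are easier to act on: a source denied on many distinct ports (a scan), one port denied from many sources (a sweep), denies on internal firewalls (which come from hosts you own), top talkers by bytes on ACCEPT traffic, and accepted connections to ports the policy never meant to allow. The key=value log format, the field names, the firewall names ext1/int2, the thresholds and the sample addresses are all assumptions made for this illustration.

```python
"""Added worked example: turning raw firewall DENY/ACCEPT records into the
kinds of reports discussed in the post. This is not code from the original
message or from any SIM product. The key=value log format, the field names
and the sample lines below are constructed for illustration."""

from collections import Counter, defaultdict
import re

# Constructed sample log (not real traffic). One external firewall (ext1),
# one internal firewall (int2); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2007-09-27T10:00:01 fw=ext1 action=DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=22 bytes=0
2007-09-27T10:00:02 fw=ext1 action=DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=23 bytes=0
2007-09-27T10:00:03 fw=ext1 action=DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=25 bytes=0
2007-09-27T10:00:04 fw=ext1 action=DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=80 bytes=0
2007-09-27T10:00:05 fw=ext1 action=DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=443 bytes=0
2007-09-27T10:00:06 fw=ext1 action=DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=3389 bytes=0
2007-09-27T10:00:07 fw=ext1 action=DENY src=198.51.100.77 dst=198.51.100.10 proto=tcp dport=445 bytes=0
2007-09-27T10:00:08 fw=ext1 action=DENY src=198.51.100.78 dst=198.51.100.10 proto=tcp dport=445 bytes=0
2007-09-27T10:00:09 fw=ext1 action=DENY src=198.51.100.79 dst=198.51.100.10 proto=tcp dport=445 bytes=0
2007-09-27T10:00:10 fw=int2 action=DENY src=10.0.5.20 dst=10.0.1.1 proto=tcp dport=22 bytes=0
2007-09-27T10:01:00 fw=ext1 action=ACCEPT src=10.0.2.15 dst=192.0.2.44 proto=tcp dport=443 bytes=5242880
2007-09-27T10:01:05 fw=ext1 action=ACCEPT src=10.0.2.15 dst=192.0.2.44 proto=tcp dport=443 bytes=7340032
2007-09-27T10:01:10 fw=ext1 action=ACCEPT src=10.0.2.31 dst=192.0.2.9 proto=tcp dport=80 bytes=20480
2007-09-27T10:01:15 fw=ext1 action=ACCEPT src=10.0.2.31 dst=192.0.2.9 proto=udp dport=53 bytes=512
2007-09-27T10:02:00 fw=ext1 action=ACCEPT src=10.0.2.40 dst=192.0.2.200 proto=tcp dport=6667 bytes=4096
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Parse key=value lines into dicts; dport and bytes become ints."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        rec = dict(KV.findall(rest))
        rec["ts"] = ts
        rec["dport"] = int(rec["dport"])
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def top_denied_ports(records, n=10):
    """The existing 'Top 10 attacked ports' report, kept for comparison."""
    return Counter(r["dport"] for r in records if r["action"] == "DENY").most_common(n)


def port_scanners(records, min_ports=5):
    """One source denied on many distinct ports is a scan: a concrete
    candidate for blocking, unlike an entry in a bare top-10 source list."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DENY":
            ports[r["src"]].add(r["dport"])
    return sorted((src, len(p)) for src, p in ports.items() if len(p) >= min_ports)


def port_sweeps(records, min_sources=3):
    """Many distinct sources denied on the same port: a sweep or worm
    pattern, where the port (not the sources) is the thing to investigate."""
    srcs = defaultdict(set)
    for r in records:
        if r["action"] == "DENY":
            srcs[r["dport"]].add(r["src"])
    return sorted((port, len(s)) for port, s in srcs.items() if len(s) >= min_sources)


def internal_denies(records, internal_fws):
    """Denies on internal firewalls come from hosts you own: each one is a
    misconfiguration or a compromised machine, so every entry is actionable."""
    c = Counter((r["fw"], r["src"]) for r in records
                if r["action"] == "DENY" and r["fw"] in internal_fws)
    return sorted(c.items())


def top_talkers(records, n=10):
    """ACCEPT traffic: bytes per source, to spot transfers of exfiltration size."""
    b = Counter()
    for r in records:
        if r["action"] == "ACCEPT":
            b[r["src"]] += r["bytes"]
    return b.most_common(n)


def unexpected_accepts(records, expected_ports):
    """ACCEPT traffic to ports outside the set the policy intends to allow:
    evidence of an over-broad rule or of a host using an odd service."""
    return sorted({(r["src"], r["dst"], r["dport"]) for r in records
                   if r["action"] == "ACCEPT" and r["dport"] not in expected_ports})


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("top denied ports  :", top_denied_ports(recs, 3))
    print("port scanners     :", port_scanners(recs))
    print("port sweeps       :", port_sweeps(recs))
    print("internal denies   :", internal_denies(recs, {"int2"}))
    print("top talkers       :", top_talkers(recs, 2))
    print("unexpected accepts:", unexpected_accepts(recs, {80, 443, 53}))
```

The point of the extra functions is that each row they return names a specific host or port and a reason, which is what turns a daily report into a ticket; a top-10 count on its own says nothing about whether the traffic was a scan, a sweep, or background noise. The thresholds (5 distinct ports, 3 sources, the expected-port set) are placeholders to be tuned against your own baseline.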