[logs] SIM Analysis of Firewall Logs
Daniel Cid
dcid at ossec.net
Thu Sep 27 11:14:32 PDT 2007
Hi Saudi,
I would add:
-Logins to the firewall (successful or not)
-Changes to the firewall rules, access lists, configurations, etc
-Any error message (generally on pix they are severity 1,2,3)
For the reports you mentioned, I think top 10 attacked ports or IPs are pretty
much useless. Looking at top 10 traffic generators (from accept) will
not give you
any security benefit too... Maybe only on a virus/worm outbreak.
I would look for bottom 10 attacked ports or bottom 10 attacked IPs. If they
support NBS (or FTS), I would always look for the first time a
specific port or IP is accessed (or being used). I would also generate
reports for accesses outside
business hours...
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/27/07, saudi sans <saudisans at gmail.com> wrote:
> Hi
>
> we have 6 firewalls - 2 of them facing Internet , 4 internal
>
> We are analysing their log using a leading SIM solution
>
> Looking for help in identifying meaningful/actionable reports that we
> can get from Firewall log analysis
>
>
> -- From DENY traffic
>
> -- Currently we take daily reports on - Top 10 attacked ports,Top 10
> attacked IPs etc. I am not sure if these Top 10 are meaningful or any
> action can be taken using this
>
>
> -- From ACCEPT/PERMIT traffic
> -- I really have no clue on what we can report on this.Top 10 traffic
> generators or something
>
>
> -- Firewall configuration changes
>
> --Currently we are generating daily reports on Changes to rulebase,
> changes to firewall objects etc
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>
More information about the LogAnalysis
mailing list