[logs] SIM Analysis of Firewall Logs
Anton Chuvakin
anton at chuvakin.org
Thu Sep 27 11:25:19 PDT 2007
> -- From ACCEPT/PERMIT traffic
> -- I really have no clue on what we can report on this. Top 10 traffic
> generators or something
Oooh, this is THE most fun part - examples:
- internal servers acting as clients (owned boxes)
- depending upon the rule set, denied outbound conns are interesting
- top outbound allowed/denied ports (trojans? other fun stuff)
- many others .. need to dig into my archives
As you can guess :-) I have a paper in the works on just the outbound
firewall log analysis.
Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.info-secure.org
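The three outbound-traffic reports Anton lists above (servers acting as clients, denied outbound connections, top outbound allowed/denied ports) as an added worked example; this is not code from the original post or from the LogAnalysis list. It assumes a constructed iptables-style log format, that `eth1` is the internal-facing interface, and a hypothetical list of hosts that should never initiate outbound connections.

```python
import re
from collections import Counter

# Constructed sample log lines in iptables/netfilter style (not real traffic).
SAMPLE_LOG = """\
Sep 27 11:25:01 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=443
Sep 27 11:25:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.9 PROTO=TCP SPT=51235 DPT=80
Sep 27 11:25:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.20 DST=203.0.113.4 PROTO=TCP SPT=40001 DPT=6667
Sep 27 11:25:04 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.20 DST=203.0.113.4 PROTO=TCP SPT=40002 DPT=6667
Sep 27 11:25:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.5 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=25
Sep 27 11:25:06 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.0.2.30 DST=10.0.1.5 PROTO=TCP SPT=55000 DPT=25
Sep 27 11:25:07 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.7 PROTO=TCP SPT=51236 DPT=443
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) IN=(?P<in>\S+) OUT=(?P<out>\S+) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

INSIDE_IF = "eth1"        # assumption: packets arriving on eth1 come from the internal network
SERVERS = {"10.0.1.5"}    # assumption: internal servers that should only ever accept connections


def parse(log):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["dpt"] = int(d["dpt"])
            events.append(d)
    return events


def outbound(events):
    """Only connections initiated from the inside interface count as outbound."""
    return [e for e in events if e["in"] == INSIDE_IF]


def top_outbound_ports(events, action, n=3):
    """Top destination ports for outbound traffic with the given verdict (ACCEPT or DROP)."""
    return Counter(e["dpt"] for e in outbound(events) if e["action"] == action).most_common(n)


def servers_acting_as_clients(events):
    """Server hosts seen as the SOURCE of outbound connections: a classic compromise indicator."""
    return sorted({e["src"] for e in outbound(events) if e["src"] in SERVERS})


def denied_outbound_talkers(events, n=3):
    """(src, dst, dport) tuples most often denied outbound; repeated hits suggest a persistent client."""
    return Counter((e["src"], e["dst"], e["dpt"])
                   for e in outbound(events) if e["action"] == "DROP").most_common(n)
```

Run against a real ruleset, the same three counters point at the hosts and ports worth a second look rather than at the bulk of normal web traffic.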