[logs] SIM Analysis of Firewall Logs
Ron Gula
rgula at tenablesecurity.com
Thu Sep 27 11:45:02 PDT 2007
Several comments ....
Firewalls log more than just accepts and denies and configuration
changes. A lot of them will log DOS attacks, port scans, VPN session
starts and so on. If your SIM can pull those types of logs out, they are
useful as well.
Focusing on accepts and denies is interesting for trending. I think it
is more interesting to look at the IP address in the logs and see if any
of them correlate with publicly or privately available blacklists. I've
blogged about doing this sort of stuff with Tenable's products here:
http://blog.tenablesecurity.com/2006/12/updated_blackli.html
Knowing that your firewall blocked access to a known bad guy is not interesting
to technical folks, but can help justify the firewall (and the SIM) to
managers. Also, if the blacklists indicate valid connections then this
is also interesting.
If your SIM can treat the firewall accept events as network connection
events (like a netflow or network session) you can do a wide variety of
NBAD and connection-based analysis. I've blogged how Tenable does this
here. Other SIMs have similar capabilities, but you need to enable
statistical tracking on certain events or assets.
If you can sort the logs by asset group (this is something we tell
Tenable customers to do) then you can start looking for odd hot port
occurrences. For example, IP phones will initiate TFTP updates over the
Internet. Most Windows workstations or desktops don't unless they are
infected with something.
And lastly, if there is any way to create a list from your SIM of
internal systems that are having Deny rules flagged on the firewall, this
list could be useful to look for misconfigurations, infected systems
and so on.
Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
saudi sans wrote:
> Hi
>
> we have 6 firewalls - 2 of them facing Internet , 4 internal
>
> We are analysing their log using a leading SIM solution
>
> Looking for help in identifying meaningful/actionable reports that we
> can get from Firewall log analysis
>
>
> -- From DENY traffic
>
> -- Currently we take daily reports on - Top 10 attacked ports, Top 10
> attacked IPs etc. I am not sure if these Top 10 are meaningful or any
> action can be taken using this
>
>
> -- From ACCEPT/PERMIT traffic
> -- I really have no clue on what we can report on this. Top 10 traffic
> generators or something
>
>
> -- Firewall configuration changes
>
> -- Currently we are generating daily reports on Changes to rulebase,
> changes to firewall objects etc
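Two of the checks Ron describes above (sorting accepts by asset group to spot odd hot ports, such as TFTP from a workstation rather than an IP phone, and listing internal systems that trip Deny rules) as an added example; this is not code from the original thread or from Tenable, and the key=value log format, the asset groups, the expected-port sets and the sample lines are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log lines (key=value style), not real data.
SAMPLE_LOGS = """\
2007-09-27T11:45:02 action=ACCEPT src=10.1.5.10 dst=203.0.113.5 proto=udp dport=69
2007-09-27T11:45:03 action=ACCEPT src=10.1.2.20 dst=203.0.113.5 proto=udp dport=69
2007-09-27T11:45:04 action=ACCEPT src=10.1.2.21 dst=198.51.100.7 proto=tcp dport=443
2007-09-27T11:45:05 action=DENY src=10.1.2.20 dst=198.51.100.9 proto=tcp dport=445
2007-09-27T11:45:06 action=DENY src=10.1.2.20 dst=198.51.100.10 proto=tcp dport=445
2007-09-27T11:45:07 action=DENY src=10.1.2.21 dst=198.51.100.9 proto=tcp dport=22
2007-09-27T11:45:08 action=DENY src=192.0.2.44 dst=10.1.2.21 proto=tcp dport=3389
"""

# Hypothetical asset groups and the Internet-bound ports each group is expected to use.
ASSET_GROUPS = {"10.1.2.0/24": "workstations", "10.1.5.0/24": "ip_phones"}
EXPECTED_PORTS = {"workstations": {80, 443, 53}, "ip_phones": {69, 5060}}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space


def parse(line):
    """Turn one key=value log line into a dict; the leading timestamp is dropped."""
    fields = dict(f.split("=", 1) for f in line.split()[1:])
    fields["dport"] = int(fields["dport"])
    return fields


def asset_group(ip):
    """Map a source address to its asset group, or None if it is not in one."""
    addr = ipaddress.ip_address(ip)
    for net, group in ASSET_GROUPS.items():
        if addr in ipaddress.ip_network(net):
            return group
    return None


def analyze(log_text):
    """Return (odd hot-port accepts per asset group, internal sources hitting DENY rules)."""
    hot_ports = []
    deny_sources = Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        group = asset_group(ev["src"])
        # An accept on a port the asset group does not normally use is worth a look.
        if ev["action"] == "ACCEPT" and group and ev["dport"] not in EXPECTED_PORTS[group]:
            hot_ports.append((group, ev["src"], ev["dport"]))
        # Internal hosts repeatedly hitting Deny rules: misconfiguration or infection candidates.
        elif ev["action"] == "DENY" and ipaddress.ip_address(ev["src"]) in INTERNAL:
            deny_sources[ev["src"]] += 1
    return hot_ports, deny_sources


if __name__ == "__main__":
    hot, denies = analyze(SAMPLE_LOGS)
    print("odd hot ports:", hot)
    print("internal deny sources:", denies.most_common())
```

The IP phone's TFTP fetch is expected for its group and stays quiet, while the same port from a workstation is flagged; the external source hitting a Deny rule is left out of the internal list.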