[logs] SIM Analysis of Firewall Logs

Michael Kinsley michael.kinsley at sensage.com
Thu Sep 27 12:53:05 PDT 2007


Also might I suggest using GeoIP? One of the requests I receive fairly
often is to identify requests either leaving the country of origin or
going to a particular country. A quick search on CPAN for GeoIP should
get you to the right place.

If you have competitors it is also reasonable to look for inbound/outbound
connections from/to them. Although this won't catch people who go out of
their way to avoid detection, it's a nice metric to have handy... and I
find most people still treat web browsing as if it were an anonymous
activity.

good luck.

-Michael



On Sep 27, 2007, at 11:45 AM, Ron Gula wrote:

> Several comments ....
>
> Firewalls log more than just accepts and denies and configuration
> changes. A lot of them will log DOS attacks, port scans, VPN session
> starts and so on. If your SIM can pull those types of logs out, they are
> useful as well.
>
> Focusing on accepts and denies is interesting for trending. I think it
> is more interesting to look at the IP address in the logs and see if any
> of them correlate with publicly or privately available blacklists. I've
> blogged about doing this sort of stuff with Tenable's products here:
> http://blog.tenablesecurity.com/2006/12/updated_blackli.html  Knowing
> that your firewall blocked access to a known bad guy is not interesting
> to technical folks, but can help justify the firewall (and the SIM) to
> managers. Also, if the black lists indicate valid connections then this
> is also interesting.
>
> If your SIM can treat the firewall accept events as network connection
> events (like a netflow or network session) you can do a wide variety of
> NBAD, and connection based analysis. I've blogged how Tenable does this
> here. Other SIMs have similar capabilities, but you need to enable
> statistical tracking on certain events or assets.
>
> If you can sort the logs by asset group (this is something we tell
> Tenable customers to do) then you can start looking for odd hot port
> occurrences. For example, IP phones will initiate TFTP updates over the
> Internet. Most Windows workstations or desktops don't unless they are
> infected with something.
>
> And lastly, if there is any way to create a list from your SIM of
> internal systems that are having Deny rules flagged on the firewall, this
> list could be useful to look for mis-configurations, infected systems
> and so on.
>
> Ron Gula, CTO
> Tenable Network Security
> http://www.tenablesecurity.com
>
>
>
>
> saudi sans wrote:
> > Hi
> >
> > we have 6 firewalls - 2 of them facing Internet , 4 internal
> >
> > We are analysing their log using a leading SIM solution
> >
> > Looking for help in identifying meaningful/actionable reports that we
> > can get from Firewall log analysis
> >
> >
> > -- From DENY traffic
> >
> > -- Currently we take daily reports on - Top 10 attacked ports, Top 10
> > attacked IPs etc. I am not sure if these Top 10 are meaningful or any
> > action can be taken using this
> >
> >
> > -- From ACCEPT/PERMIT traffic
> > -- I really have no clue on what we can report on this. Top 10 traffic
> > generators or something
> >
> >
> > -- Firewall configuration changes
> >
> > --Currently we are generating daily reports on Changes to rulebase,
> > changes to firewall objects etc
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysis at loganalysis.org
> > http://www.loganalysis.org/mailman/listinfo/loganalysis
> >
>
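The reports discussed in this thread (correlating firewall events with a blacklist in both directions, grouping accept events by asset group to spot odd hot ports, listing internal systems that trip Deny rules, and the GeoIP idea for connections leaving the home country), as an added Python example that is not part of the original thread and not any vendor's product code. The log format, log lines, blacklist, asset groups and the CIDR-to-country table are all constructed for illustration; the table stands in for a real GeoIP database such as the CPAN module mentioned, and the 10.0.0.0/8 "internal" range is an assumption.

```python
"""Constructed example: turning firewall ACCEPT/DENY logs into the reports
the thread discusses. Every input below is made up for illustration."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed log lines in a simple generic format:
# <timestamp> <ACTION> <src> <dst> <dport> <proto>
SAMPLE_LOG = """\
2007-09-27T10:01:02 ACCEPT 10.1.1.20 198.51.100.7 443 tcp
2007-09-27T10:01:05 ACCEPT 10.1.1.20 203.0.113.9 80 tcp
2007-09-27T10:02:11 DENY 10.1.2.15 10.1.1.5 445 tcp
2007-09-27T10:02:12 DENY 10.1.2.15 10.1.1.6 445 tcp
2007-09-27T10:03:30 ACCEPT 10.1.3.40 198.51.100.7 69 udp
2007-09-27T10:04:01 DENY 192.0.2.77 10.1.1.20 22 tcp
2007-09-27T10:05:00 ACCEPT 10.1.1.21 192.0.2.77 8080 tcp
"""
LINE_RE = re.compile(r"^(\S+) (ACCEPT|DENY) (\S+) (\S+) (\d+) (tcp|udp)$")

# Constructed blacklist (the "publicly or privately available" lists).
BLACKLIST = {"192.0.2.77"}

# Constructed stand-in for a GeoIP database: CIDR -> country code.
GEO_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "CN"),
]

# Constructed asset groups keyed by internal subnet; 10/8 is assumed internal.
ASSET_GROUPS = {
    ipaddress.ip_network("10.1.1.0/24"): "workstations",
    ipaddress.ip_network("10.1.2.0/24"): "workstations",
    ipaddress.ip_network("10.1.3.0/24"): "ip-phones",
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def parse_log(text):
    """Parse log text into event dicts, skipping lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, action, src, dst, dport, proto = m.groups()
        events.append({"ts": ts, "action": action, "src": src, "dst": dst,
                       "dport": int(dport), "proto": proto})
    return events


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def country_of(ip):
    """Longest-prefix is unnecessary here: the constructed table is disjoint."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_TABLE if addr in net), "??")


def asset_group_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((g for net, g in ASSET_GROUPS.items() if addr in net), "unknown")


def blacklist_hits(events):
    """Events touching a blacklisted address in either direction. A DENY is
    the 'firewall blocked a known bad guy' case; an ACCEPT is the more
    interesting 'valid connection to a blacklisted host' case."""
    return [(e["action"], e["src"], e["dst"]) for e in events
            if e["src"] in BLACKLIST or e["dst"] in BLACKLIST]


def foreign_egress(events, home="US"):
    """Accepted internal->external connections whose destination is outside
    the home country, per the GeoIP suggestion."""
    return [(e["src"], e["dst"], country_of(e["dst"])) for e in events
            if e["action"] == "ACCEPT" and is_internal(e["src"])
            and not is_internal(e["dst"]) and country_of(e["dst"]) != home]


def hot_ports_by_group(events):
    """Destination-port counts of accepted outbound traffic per asset group,
    so a port that is normal for one group (TFTP from phones) stands out
    when it appears for another."""
    counts = defaultdict(Counter)
    for e in events:
        if e["action"] == "ACCEPT" and is_internal(e["src"]):
            counts[asset_group_of(e["src"])][e["dport"]] += 1
    return {g: dict(c) for g, c in counts.items()}


def internal_hosts_denied(events):
    """Internal sources hitting DENY rules, with counts (misconfig/infection list)."""
    return Counter(e["src"] for e in events
                   if e["action"] == "DENY" and is_internal(e["src"]))


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("blacklist hits:", blacklist_hits(ev))
    print("foreign egress:", foreign_egress(ev))
    print("hot ports by group:", hot_ports_by_group(ev))
    print("internal hosts denied:", internal_hosts_denied(ev))
```

On the constructed sample the workstation 10.1.2.15 shows up twice on the internal-deny list (SMB to two neighbours), the phone subnet is the only group using port 69, and 10.1.1.21's accepted connection to the blacklisted 192.0.2.77 is exactly the "valid connection to a blacklisted host" case the thread calls more interesting than a plain block.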


