[logs] SIM Analysis of Firewall Logs

David Corlette dcorlette at novell.com
Thu Sep 27 13:41:21 PDT 2007


I think though that to make this useful, you'll need to incorporate some business intelligence. Otherwise the Top 10 will just show your web servers. What you're really looking for (for example) is "Top 10 target systems that *aren't* servers".

What we do is categorize systems so that we can say things like: look out for connections from external systems to non-DMZ systems and so forth.  But the logs themselves won't tell you that; you need to attach some business relevance info.

>>> On Thu, Sep 27, 2007 at  2:25 PM, in message
<b2591e2e0709271125r497075ebi9cead4b8a45d0bb at mail.gmail.com>, "Anton Chuvakin"
<anton at chuvakin.org> wrote: 
>>  -- From ACCEPT/PERMIT traffic
>> -- I really have no clue on what we can report on this. Top 10 traffic
>> generators or something
> 
> Oooh, this is THE most fun part - examples:
> 
> - internal servers acting as clients (owned boxes)
> - depending upon the rule set, denied outbound conns are interesting
> - top outbound allowed/denied ports (trojans? other fun stuff)
> - many others .. need to dig into my archives
> 
> As you can guess :-) I have a paper in the works on just the outbound
> firewall log analysis.
> 
> Best,

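The enrichment David describes, as an added example that is not part of the thread: a constructed asset map tags each address with a role, and the reports become the role-aware ones both posts ask for (targets that aren't servers, external to non-DMZ, internal servers acting as clients, denied outbound ports). The key=value log format, the 10.0.0.0/8 internal range and the sample lines are all constructed for this example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
# Constructed asset map: the "business relevance" the logs themselves cannot supply.
INTERNAL = ip_network("10.0.0.0/8")
ASSETS = {ip_network("10.0.1.0/24"): "dmz-server",
          ip_network("10.0.2.0/24"): "internal-server",
          ip_network("10.0.100.0/22"): "workstation"}
SERVER_ROLES = {"dmz-server", "internal-server"}
# Hypothetical key=value log format; for a real firewall only this regex changes.
LOG_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")

def categorize(ip):
    """Role of an address: a mapped role, unmapped-internal, or external."""
    addr = ip_address(ip)
    roles = (role for net, role in ASSETS.items() if addr in net)
    return next(roles, "unmapped-internal" if addr in INTERNAL else "external")

def analyze(lines, top=10):
    """Role-aware reports instead of a raw Top 10 that only lists the web servers."""
    non_server_targets, denied_out_ports = Counter(), Counter()
    servers_as_clients, external_to_non_dmz = set(), []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                                  # skip lines in another format
        action, src, dst, dport = m.groups()
        src_role, dst_role = categorize(src), categorize(dst)
        inbound = src_role == "external" and dst_role != "external"
        outbound = src_role != "external" and dst_role == "external"
        if action == "ACCEPT" and inbound:
            if dst_role not in SERVER_ROLES:          # top targets that *aren't* servers
                non_server_targets[dst] += 1
            if dst_role != "dmz-server":              # external -> non-DMZ connections
                external_to_non_dmz.append((src, dst, int(dport)))
        elif action == "ACCEPT" and outbound and src_role in SERVER_ROLES:
            servers_as_clients.add(src)               # internal servers acting as clients
        elif action == "DENY" and outbound:
            denied_out_ports[int(dport)] += 1         # denied outbound ports
    return {"top_non_server_targets": non_server_targets.most_common(top),
            "external_to_non_dmz": external_to_non_dmz,
            "servers_as_clients": sorted(servers_as_clients),
            "top_denied_outbound_ports": denied_out_ports.most_common(top)}

# Constructed sample lines; RFC 5737 documentation addresses play the external hosts.
SAMPLE_LOGS = """action=ACCEPT src=203.0.113.5 dst=10.0.1.10 dport=443
action=ACCEPT src=198.51.100.7 dst=10.0.2.20 dport=22
action=ACCEPT src=10.0.2.20 dst=203.0.113.99 dport=6667
action=DENY src=10.0.100.15 dst=198.51.100.7 dport=6667
action=DENY src=10.0.100.16 dst=198.51.100.7 dport=6667
action=ACCEPT src=203.0.113.5 dst=10.0.100.15 dport=3389""".splitlines()
```

On the sample, the DMZ web server's inbound 443 hits drop out of every report, while the accepted inbound connection to a workstation and the internal server talking outbound on 6667 surface immediately.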