[logs] SIM Analysis of Firewall Logs

Ajay Kumar ajaykumar at adventnet.com
Thu Sep 27 23:22:32 PDT 2007


Hi,

*Disclaimer:* I work for the Firewall Analyzer product division of 
AdventNet, Inc.

We have a product called the ManageEngine® Firewall Analyzer 
<http://www.fwanalyzer.com>, which is a web-based, cross-platform, 
agent-less firewall log analysis and reporting software that monitors, 
collects, analyzes, archives, and generates reports on enterprise-wide 
firewalls, VPNs, IDS, and proxy servers.

Except for the "Firewall configuration changes" reports, which would be 
made available in our next product update, we are able to obtain 
meaningful reports like Live Reports, Traffic Reports, Protocol Usage 
Reports, Web Usage Reports, Mail Usage Reports, FTP Usage Reports, 
Telnet Usage Reports, Event Summary Reports, VPN Usage Reports, Firewall 
Rules Reports, Inbound/Outbound Reports, Intranet Reports, Internet 
Reports, Streaming & Chat Sites Reports, Security Reports, Virus 
Reports, Attack Reports, Admin Reports and others, based on firewall log 
analysis. You can create anomaly filters to detect unusual network 
behavior, and also obtain reports on working-hours and non-working-hours 
network activity.

So, as you can see, if your log-parsing engine is intelligent enough, it 
can mine a lot of information from your firewall logs.

Thanks!

*Ajay Kumar*
Product : EventLog Analyzer <http://www.eventloganalyzer.com> & Firewall 
Analyzer <http://www.fwanalyzer.com>
AdventNet Inc. <http://www.adventnet.com>

saudi sans wrote:
> Hi
>
> We have 6 firewalls - 2 of them facing the Internet, 4 internal
>
> We are analysing their log using a leading SIM solution
>
> Looking for help in identifying meaningful/actionable reports that we
> can get from Firewall log analysis
>
>
> -- From DENY traffic
>
> -- Currently we take daily reports on - Top 10 attacked ports, Top 10
> attacked IPs, etc. I am not sure if these Top 10 are meaningful or any
> action can be taken using this
>
>
> -- From ACCEPT/PERMIT traffic
> -- I really have no clue on what we can report on this. Top 10 traffic
> generators or something
>
>
> -- Firewall configuration changes
>
> --Currently we are generating daily reports on Changes to rulebase,
> changes to firewall objects etc
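The question above asks which firewall-log reports are actually actionable, beyond a "Top 10 attacked ports" table, and the reply's point is that a capable parsing engine can mine far more from the same DENY and ACCEPT records. As an added illustration, not code from either poster and not Firewall Analyzer's own logic, the Python below parses a handful of constructed firewall log lines (in a hypothetical, vendor-neutral format) and produces three reports from them: the conventional Top-N denied ports, a per-source port-scan list from DENY traffic (each entry names a host you can block), and a list of permitted outbound flows from internal hosts that fall outside working hours or go to a port not in a baseline set. The log format, sample lines, internal address range, baseline port set and working-hours window are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log, not taken from any real firewall. The line format is a
# hypothetical, vendor-neutral one chosen for this example:
#   <ISO timestamp> <firewall> <DENY|ACCEPT> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2007-09-27T10:02:11 fw-ext1 DENY TCP 203.0.113.7:51001 -> 192.0.2.10:22
2007-09-27T10:02:12 fw-ext1 DENY TCP 203.0.113.7:51002 -> 192.0.2.10:23
2007-09-27T10:02:12 fw-ext1 DENY TCP 203.0.113.7:51003 -> 192.0.2.10:445
2007-09-27T10:02:13 fw-ext1 DENY TCP 203.0.113.7:51004 -> 192.0.2.10:3389
2007-09-27T10:02:14 fw-ext1 DENY TCP 203.0.113.7:51005 -> 192.0.2.10:1433
2007-09-27T10:05:40 fw-ext1 DENY TCP 198.51.100.4:40000 -> 192.0.2.10:445
2007-09-27T11:15:00 fw-ext1 DENY UDP 198.51.100.9:53 -> 192.0.2.11:1434
2007-09-27T11:20:00 fw-int2 ACCEPT TCP 10.1.5.20:50511 -> 192.0.2.50:443
2007-09-27T14:00:00 fw-int2 ACCEPT TCP 10.1.5.23:50900 -> 192.0.2.60:8080
2007-09-27T22:00:00 fw-int2 ACCEPT TCP 10.1.5.24:50950 -> 192.0.2.50:443
2007-09-27T23:40:00 fw-int2 ACCEPT TCP 10.1.5.20:50600 -> 198.51.100.77:6667
2007-09-28T03:10:00 fw-int2 ACCEPT TCP 10.1.7.9:50700 -> 203.0.113.200:4444
2007-09-28T09:30:00 fw-int2 ACCEPT TCP 10.1.5.22:50800 -> 192.0.2.50:443
2007-09-28T09:31:00 fw-ext1 ACCEPT TCP 198.51.100.30:40100 -> 192.0.2.10:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>DENY|ACCEPT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the internal address space
BASELINE_PORTS = {25, 53, 80, 443}                    # assumption: expected outbound ports
WORK_HOURS = range(8, 18)                             # assumption: 08:00-17:59 is working time


@dataclass(frozen=True)
class Flow:
    ts: datetime
    fw: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_log(text):
    """Parse log lines into Flow records; lines that do not match are counted, not guessed at."""
    flows, bad = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            bad += 1
            continue
        g = m.groupdict()
        flows.append(Flow(datetime.fromisoformat(g["ts"]), g["fw"], g["action"], g["proto"],
                          g["src"], int(g["sport"]), g["dst"], int(g["dport"])))
    return flows, bad


def top_denied_ports(flows, n=10):
    """The conventional 'Top N attacked ports' table built from DENY traffic."""
    return Counter(f.dport for f in flows if f.action == "DENY").most_common(n)


def scan_candidates(flows, min_ports=5):
    """Actionable DENY report: sources that probed at least min_ports distinct ports.
    Unlike a Top-N table, each entry names one source you can block or investigate."""
    ports_by_src = defaultdict(set)
    for f in flows:
        if f.action == "DENY":
            ports_by_src[f.src].add(f.dport)
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_outbound(flows):
    """Actionable ACCEPT report: permitted flows from an internal host to an external one
    that are off-hours, go to a non-baseline port, or both. Each hit lists its reasons."""
    hits = []
    for f in flows:
        if f.action != "ACCEPT" or not is_internal(f.src) or is_internal(f.dst):
            continue
        reasons = []
        if f.ts.hour not in WORK_HOURS:
            reasons.append("off-hours")
        if f.dport not in BASELINE_PORTS:
            reasons.append("unusual-port")
        if reasons:
            hits.append((f.ts.isoformat(), f.src, f.dst, f.dport, reasons))
    return hits


def render_report(text):
    flows, bad = parse_log(text)
    out = [f"parsed {len(flows)} flows, {bad} unparsable"]
    out.append("top denied ports: " + ", ".join(f"{p}({c})" for p, c in top_denied_ports(flows, 5)))
    for src, ports in scan_candidates(flows).items():
        out.append(f"SCAN  {src} probed {len(ports)} ports: {ports}")
    for ts, src, dst, dport, why in suspicious_outbound(flows):
        out.append(f"ALERT {ts} {src} -> {dst}:{dport} [{', '.join(why)}]")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(SAMPLE_LOG))
```

On the sample data the Top-N table only says that port 445 was hit twice, while the scan report singles out 203.0.113.7 for probing five ports in three seconds, and the ACCEPT report flags the 23:40 IRC-port connection and the 03:10 connection to port 4444 as both off-hours and unusual. The inbound ACCEPT on fw-ext1 is deliberately ignored by the direction check, which is the distinction a practitioner would tune per firewall (Internet-facing versus internal).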