Greetings,
     I am looking for _security_ focussed FW-1 log analysis tool.

In particular, I am looking for a tool which highlights the security incidents
from a firewall-1 log. I don't care about bandwidth utilisation, web site hits,
top X sources/destinations (except where this might indicate a scan/hack
attempt).

I am specifically looking for something that lets me focus on the Security
incidents in the log (as (initially) shown by Scans). I have other logs that
show me attempts against Bind, Syslog, SMTP etc, but the tools for Firewall-1
seem to be focussed towards Mgmt & accounting, not security.

I am hoping that someone has a perl script that they already use for this...

Please note: I am currently receiving over 1,500,000 lines of (already abridged)
logs each day, with an additional 5-10 million lines to come each day as soon as
I get the log filter working correctly. This number will just grow over time,
and I would not be surprised to be receiving 50-80 million lines per day within
12 months!

If anyone wants some of the details of a suggested implementation, I have listed
them below.

Regards,
     Crispin Harris
__________________________________________________
Security Technical Specialist,     [EMAIL PROTECTED]
CSC Australia            2 Mill St, Perth, WA, 6000
Ph: +61(0)8 9429-6478    Mobile: 0413-629-298    Fax: +61 (0)8 9481-1332

P.S.
I have looked at WebTrends and TeleMate.NET and while both these tools provide
good management reports, they are basically useless for detecting network scans
etc.

P.P.S.
I have previously modified a copy of 'fwlogsum.pl' (By Peter Sundstrom
<[EMAIL PROTECTED]>), and customised it to a particular environment, however,
I am not a programmer, and I really do not have the time to spend programming
something like this from scratch.


==========================
A Suggested implementation
==========================
I have been thinking about the specifics of my report, and these are the sorts of
things I want:

 - see each source which has more than "low_water" number of destinations
(host:port).
 - If the host:port was hit more than once, I want to know the number of times,
the first and the last times.
 - Because there could be "num_srcs * 16384 * 65535 * num_tries" entries in the
log, I only want the first 'LOG_LIMIT' number of dest:port pairs kept.
 - I want to be able to provide an exclude list: <Src[,Dst[:port]] |
[Src,]Dst[:port]> (i.e. Source and or Dest (with optional port) can be excluded)

==========================
Pseudo-Code
==========================
(This pseudo-code is a bastardised mixture of Shell Script, perl, Java & C,
sorry about any confusion that may arise)

for each (Src) {
  if ( ! grep "Src DstPort.dest.Src" Exclude_list) {
    # This "Src Dst:Port" is not excluded
    if ( num_dst.Src > low_water_mark ) {
      # We
      print Src, "Total LogEntries: ", count.Src;
      for each (dest.Src) {
        print "\t", DstPort.dst.Src, first.dst.Src,
              (count.dst.Src > 1 ? count.dst.Src, last.dst.Src, "\n" : "\n");
      }
    }
  }
}

==========================
Object Definition
==========================
(If I were writing in Java, I would do something similar to this:)
Object Src {
     String[20]     name;
     IPAddress address;
     int       num_dsts;
     long      count;
     DstList[LOG_LIMIT]  dst; /* Very UGLY - but this does illustrate what I
want */
}
Object DstList {
     String[20]     name;
     String[20]     DstPort;
     int       count;
     Time      first, last;
}


During the collection phase, I would limit the number of separate dst.Src
entries collected to approximately 1000.
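An added illustration of the suggested implementation above (not a script from the post, and written in Python rather than the Perl asked for): one pass over the log collects, per source, the total entries and the count/first/last per dst:port pair, LOG_LIMIT caps the pairs kept per source, and the report applies the exclude list and the low-water mark. The semicolon log layout, the drop-only filter and the (src, dst, port) exclude tuples are assumptions, not FW-1's format.

```python
LOW_WATER = 3     # report a source only if it hit more than this many distinct dst:port pairs
LOG_LIMIT = 1000  # keep at most this many dst:port pairs per source (bounds memory on huge logs)
# Constructed sample in a simplified "time;action;src;dst;port" layout, NOT the real FW-1 export format.
SAMPLE_LOG = """\
08:00:01;drop;10.0.0.5;192.0.2.10;21
08:00:02;drop;10.0.0.5;192.0.2.10;22
08:00:03;drop;10.0.0.5;192.0.2.10;23
08:00:04;drop;10.0.0.5;192.0.2.10;80
08:05:00;drop;10.0.0.5;192.0.2.10;22
08:06:01;drop;10.0.0.9;192.0.2.10;443
08:07:00;drop;10.0.0.7;192.0.2.20;1
08:07:01;drop;10.0.0.7;192.0.2.20;2
08:07:02;drop;10.0.0.7;192.0.2.20;3
08:07:03;drop;10.0.0.7;192.0.2.20;4
"""

def excluded(src, dst, port, excludes):
    # excludes: (src, dst, port) triples, None = wildcard; covers Src / Src,Dst / Src,Dst:port / Dst / Dst:port
    return any(es in (None, src) and ed in (None, dst) and ep in (None, port)
               for es, ed, ep in excludes)

def collect(lines, log_limit=LOG_LIMIT):
    """One pass over the log: per source, total entries plus count/first/last per dst:port."""
    srcs = {}
    for line in lines:
        when, action, src, dst, port = line.strip().split(";")
        if action != "drop":  # assumption: only dropped packets count as scan evidence
            continue
        s = srcs.setdefault(src, {"count": 0, "dst": {}})
        s["count"] += 1
        hit = s["dst"].get((dst, port))
        if hit is not None:
            hit["count"] += 1
            hit["last"] = when
        elif len(s["dst"]) < log_limit:  # LOG_LIMIT: stop recording new pairs, keep counting the source
            s["dst"][(dst, port)] = {"count": 1, "first": when, "last": when}
    return srcs

def report(srcs, excludes=(), low_water=LOW_WATER):
    """[(src, total_entries, [((dst, port), hit), ...])] for sources above the low-water mark."""
    out = []
    for src in sorted(srcs):
        dsts = {k: v for k, v in srcs[src]["dst"].items() if not excluded(src, *k, excludes)}
        if len(dsts) > low_water:
            out.append((src, srcs[src]["count"], sorted(dsts.items())))
    return out

if __name__ == "__main__":  # prints the layout sketched in the pseudo-code
    for src, total, dsts in report(collect(SAMPLE_LOG.splitlines()), [(None, "192.0.2.20", None)]):
        print(f"{src} Total LogEntries: {total}", *(f"\n\t{d}:{p} {h['first']}" + (f" {h['count']} {h['last']}" if h["count"] > 1 else "") for (d, p), h in dsts), sep="")
```

With the sample, 10.0.0.5 is reported (4 distinct ports, 22 hit twice), 10.0.0.7 is suppressed by the exclude on 192.0.2.20, and 10.0.0.9 stays under the low-water mark.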
