Hi, I'm looking into reviewing firewall logs for any potentially malicious activity. I was thinking of creating a small DB to look for suspect ports being connected to, IPs (internal addresses connecting from outside, etc.), port scans, etc., but was wondering whether there was any software that could do this for me?
If there's no software what would people suggest looking for in the logs?
The best things to look for in logs are services that you don't offer or don't allow. For instance, you might not allow telnet. When you have some message in your log using the telnet port, then you might consider investigating it.
You can also look for messages that indicate that people failed to log in to a certain service by using anonymous or wrong usernames and passwords.
Some firewalls analyse the logs themselves, so you can also use that to start with. When you are using ZoneAlarm you can always look for the ZoneLogAnalyzer. It does some good work analysing your logs.
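Putting the two posts together, as an added example (not code from either poster): the script below loads constructed iptables/netfilter-style LOG lines into a small in-memory SQLite database, then runs the three checks discussed, connections from outside to services you don't offer (telnet, FTP, SMB, RDP and so on), one source touching many distinct ports (a port scan), and packets carrying an internal source address that arrive on the external interface. The log format, the interface names, the 192.168.1.0/24 internal range, the port list and the scan threshold of 10 distinct ports are all assumptions; adjust them to your own firewall and policy.

```python
import re
import sqlite3
import ipaddress

# Assumptions for this example (adjust to your network and policy).
INTERNAL_NET = "192.168.1.0/24"          # your LAN
EXTERNAL_IF = "eth0"                     # interface facing the Internet
DISALLOWED_PORTS = {                     # services you do not offer externally
    21: "ftp", 23: "telnet", 135: "msrpc", 139: "netbios-ssn", 445: "smb", 3389: "rdp",
}
PORTSCAN_THRESHOLD = 10                  # distinct destination ports from one source

# Constructed sample lines in iptables/netfilter LOG style; not real traffic.
SAMPLE_LOG = """\
Mar  1 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=51234 DPT=23
Mar  1 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=51235 DPT=80
Mar  1 10:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=40000 DPT=21
Mar  1 10:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=40001 DPT=22
Mar  1 10:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=40002 DPT=25
Mar  1 10:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=40003 DPT=53
Mar  1 10:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=40004 DPT=110
Mar  1 10:00:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=40005 DPT=135
Mar  1 10:00:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=40006 DPT=139
Mar  1 10:00:07 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=40007 DPT=443
Mar  1 10:00:07 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=40008 DPT=445
Mar  1 10:00:08 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=40009 DPT=3389
Mar  1 10:00:09 fw kernel: IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP SPT=55000 DPT=445
Mar  1 10:00:10 fw kernel: IN=eth0 OUT= SRC=192.168.1.99 DST=192.168.1.10 PROTO=TCP SPT=55001 DPT=80
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=value pairs; OUT= may be empty


def parse_line(line):
    """Extract the fields we care about from one LOG line, or None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    dpt = fields.get("DPT", "")
    return {
        "iface": fields.get("IN", ""),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", ""),
        "dpt": int(dpt) if dpt.isdigit() else None,   # ICMP lines have no ports
    }


def load_db(log_text):
    """Parse the log into an in-memory SQLite table so the checks are plain SQL."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE conn (iface TEXT, src TEXT, dst TEXT, proto TEXT, dpt INTEGER)")
    rows = [r for r in map(parse_line, log_text.splitlines()) if r]
    db.executemany("INSERT INTO conn VALUES (:iface, :src, :dst, :proto, :dpt)", rows)
    db.commit()
    return db


def disallowed_services(db):
    """External hits on ports for services we do not offer: (src, dst, port, name, count)."""
    marks = ",".join("?" * len(DISALLOWED_PORTS))
    rows = db.execute(
        f"SELECT src, dst, dpt, COUNT(*) FROM conn WHERE iface = ? AND dpt IN ({marks}) "
        "GROUP BY src, dst, dpt ORDER BY src, dst, dpt",
        [EXTERNAL_IF, *DISALLOWED_PORTS]).fetchall()
    return [(src, dst, dpt, DISALLOWED_PORTS[dpt], n) for src, dst, dpt, n in rows]


def port_scans(db, threshold=PORTSCAN_THRESHOLD):
    """Sources that touched at least `threshold` distinct destination ports: (src, n)."""
    return db.execute(
        "SELECT src, COUNT(DISTINCT dpt) FROM conn GROUP BY src "
        "HAVING COUNT(DISTINCT dpt) >= ? ORDER BY src", (threshold,)).fetchall()


def spoofed_internal(db):
    """Packets with an internal source address arriving on the external interface."""
    net = ipaddress.ip_network(INTERNAL_NET)
    rows = db.execute("SELECT DISTINCT src, dst, iface FROM conn WHERE iface = ? ORDER BY src",
                      (EXTERNAL_IF,)).fetchall()
    return [(src, dst, iface) for src, dst, iface in rows if ipaddress.ip_address(src) in net]


if __name__ == "__main__":
    db = load_db(SAMPLE_LOG)
    for src, dst, dpt, name, n in disallowed_services(db):
        print(f"disallowed service: {src} -> {dst}:{dpt} ({name}) x{n}")
    for src, n in port_scans(db):
        print(f"possible port scan: {src} hit {n} distinct ports")
    for src, dst, iface in spoofed_internal(db):
        print(f"internal address from outside: {src} -> {dst} on {iface}")
```

The port-scan threshold is deliberately a constant you tune: a legitimate monitoring host or a NAT gateway in front of many clients will also touch many ports, so review the hits rather than blocking on them automatically. Failed-login detection, the other point raised above, lives in the service's own logs (SSH, FTP, mail) rather than in the firewall log, so it is not part of this example.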