TOPIC: Firewall Logs

Firewall Logs 12 years 6 months ago #3823

GPod (New Member, Posts: 5, Karma: 0)
Hi, I'm looking into reviewing firewall logs for any potentially malicious activity. I was thinking of creating a small DB to look for suspect ports being connected to, IPs (internal connecting from outside, etc.), port scans, etc., but was wondering whether there was any software that could do this for me?

If there's no software what would people suggest looking for in the logs?

Cheers

Re: Firewall Logs 12 years 6 months ago #3825

dreamer (New Member, Posts: 15, Karma: 0)
Hi,

There are a lot of programs that can do some analysis for you depending on the operating system that you use. You can always check out one of these programs:

Logcheck http://www.astro.uiuc.edu/~r-dass/logcheck/ , Logwatch http://www2.logwatch.org:81/ , Swatch http://swatch.sourceforge.net/ , ngrep http://ngrep.sourceforge.net/ http://www.brandonhutchinson.com/ngrep.html . Myself, I don't have much experience analysing logs and that kind of thing, so I can't really tell which program is the best.

The best things to look for in logs are services that you don't offer or don't allow. For instance, you might not allow telnet. When you have a message in your log using the telnet port, you might consider investigating it.

You can also look for messages that indicate that people failed to login for a certain service by using anonymous or wrong usernames and passwords.

Some firewalls analyse the logs themselves, so you can also use that to start with. When you are using ZoneAlarm you can always look for the ZoneLogAnalyzer. It does some good work analysing your logs.

Greets

Re: Firewall Logs 12 years 6 months ago #3831

sahirh (Honored Member, Posts: 1700, Karma: 0)
What is your platform and what format are the logs in?
If it's iptables-based logging, then there are a large number of programs as well as Perl scripts that will parse the output for you.

If it's a Windows-based program, it will most often have some sort of integrated log parser with the software (if it's a decent firewall package).

Btw dreamer -- ngrep is not a log parser, it's like grep for the network.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
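The three checks raised in this thread (GPod's suspect ports, "internal" addresses arriving from outside and port scans; dreamer's "services you don't offer") are easy to script once the logs are in the iptables LOG key=value format sahirh mentions. The script below is an added example and is not code from the thread or from any of the tools listed above. It assumes a site policy that is not stated in the thread (one outside interface, eth0, offering only TCP 80 and 443) and runs over constructed syslog lines, not real captures.

```python
"""Triage iptables LOG lines for the checks suggested in this thread:
hits on services the site does not offer, RFC1918 sources arriving on the
outside interface, and port scans. Added example; the log lines are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Site policy, assumed for this example: one outside interface and only
# HTTP/HTTPS exposed on it. Adjust both to the firewall being reviewed.
EXTERNAL_IF = "eth0"
OFFERED_PORTS = {("TCP", 80), ("TCP", 443)}
SCAN_MIN_PORTS = 5                      # this many distinct destination ports ...
SCAN_WINDOW = timedelta(seconds=60)     # ... from one source inside this window
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\b")  # classic syslog stamp
KV_RE = re.compile(r"(\w+)=(\S*)")  # the LOG target writes KEY=VALUE tokens


def parse_line(line):
    """Return a record for an iptables LOG line, or None for any other syslog line."""
    m = TS_RE.match(line)
    fields = dict(KV_RE.findall(line))
    if not m or "SRC" not in fields or "DST" not in fields:
        return None
    # Syslog stamps carry no year; only differences between stamps are used below.
    ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "in_if": fields.get("IN", ""),
        "src": ipaddress.ip_address(fields["SRC"]),
        "dst": ipaddress.ip_address(fields["DST"]),
        "proto": fields.get("PROTO", ""),
        # DPT is absent for ICMP and for non-first fragments
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def triage(lines):
    """Run the three checks over an iterable of log lines and return sorted findings."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    inbound = [r for r in records if r["in_if"] == EXTERNAL_IF]

    # Port scan: one source touching SCAN_MIN_PORTS distinct ports within SCAN_WINDOW.
    per_src = defaultdict(list)
    for r in inbound:
        if r["dpt"] is not None:
            per_src[r["src"]].append((r["ts"], r["dpt"]))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        for i in range(len(hits)):
            start = hits[i][0]
            window = {dpt for ts, dpt in hits[i:] if ts - start <= SCAN_WINDOW}
            if len(window) >= SCAN_MIN_PORTS:
                scanners[src] = max(scanners.get(src, 0), len(window))

    # A private address on the outside interface is spoofed or a misrouted leak.
    spoofed = {str(r["src"]) for r in inbound if any(r["src"] in n for n in PRIVATE_NETS)}

    # Connections to services not offered; scanners are reported once above, not per port.
    unoffered = {(str(r["src"]), f"{r['proto']}/{r['dpt']}") for r in inbound
                 if r["dpt"] is not None
                 and (r["proto"], r["dpt"]) not in OFFERED_PORTS
                 and r["src"] not in scanners}

    return {
        "port_scan": sorted((str(s), n) for s, n in scanners.items()),
        "spoofed_internal": sorted(spoofed),
        "unoffered_service": sorted(unoffered),
    }


def fw_line(ts, src, dpt, verdict="DROP", iface=EXTERNAL_IF, proto="TCP", dst="198.51.100.2"):
    """Build a constructed syslog line in the shape the iptables LOG target produces."""
    return (f"Mar 10 {ts} fw kernel: FW-{verdict}: IN={iface} OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST={dst} "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4711 DF PROTO={proto} SPT=40001 DPT={dpt} "
            f"WINDOW=29200 RES=0x00 SYN URGP=0")


# Constructed sample log (documentation address ranges), not a real capture.
SAMPLE_LINES = [
    "Mar 10 11:59:59 fw sshd[412]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2",
    fw_line("12:00:01", "203.0.113.7", 23),             # telnet: service not offered
    fw_line("12:00:02", "203.0.113.9", 443, "ACCEPT"),  # ordinary HTTPS, ignored
    fw_line("12:00:03", "192.168.1.20", 80),            # RFC1918 source on the outside
    *(fw_line(f"12:00:{10 + i:02d}", "198.51.100.77", p)
      for i, p in enumerate((21, 22, 25, 139, 445))),   # five ports in five seconds
    fw_line("12:05:00", "203.0.113.50", 22),
    fw_line("12:30:00", "203.0.113.50", 25),            # two ports 25 min apart: not a scan
    fw_line("12:31:00", "192.168.1.20", 53, "ACCEPT", iface="eth1", proto="UDP", dst="8.8.8.8"),
]

if __name__ == "__main__":
    for kind, findings in triage(SAMPLE_LINES).items():
        for finding in findings:
            print(kind, finding)
```

The private-address check is keyed on the inside/outside interface rather than on the address alone, so the LAN's own DNS traffic on eth1 is not reported; the same source would be flagged if it showed up on eth0. Tune SCAN_MIN_PORTS and SCAN_WINDOW to the traffic volume: too low and ordinary clients retrying a few ports get reported, too high and a slow scan is missed.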

Re: Firewall Logs 12 years 6 months ago #3851

GPod (New Member, Posts: 5, Karma: 0)
Platforms are all Windows; off the top of my head, types of firewalls include WatchGuard + something Cisco-flavoured, I think!

'Best things to look for in logs are services that you don't offer or don't allow.... '

Hadn't thought of that! I'm hoping they'll have some kind of analyser included, but I haven't got my hands on them yet so I'm not sure.

Cheers