Firewall Logs

19 years 11 months ago #3823 by GPod
Firewall Logs was created by GPod
Hi, I'm looking into reviewing firewall logs for any potentially malicious activity. I was thinking of creating a small db to look for suspect ports being connected to, IPs (internal connecting from outside, etc.), port scans, etc., but was wondering whether there was any software that could do this for me?

If there's no software what would people suggest looking for in the logs?

Cheers
19 years 11 months ago #3825 by dreamer
Replied by dreamer on topic Re: Firewall Logs
Hi,

There are a lot of programs that can do some analysis for you depending on the operating system that you use. You can always check out one of these programs:

Logcheck: www.astro.uiuc.edu/~r-dass/logcheck/
Logwatch: www2.logwatch.org:81/
Swatch: swatch.sourceforge.net/
ngrep: ngrep.sourceforge.net/ , www.brandonhutchinson.com/ngrep.html

Myself, I don't have much experience analysing logs and that kind of thing, so I can't really tell which program is the best.

The best things to look for in logs are services that you don't offer or don't allow. For instance, you might not allow telnet. When you have some message in your log using the telnet port, then you might consider investigating it.

You can also look for messages that indicate that people failed to log in to a certain service by using anonymous or wrong usernames and passwords.

Some firewalls analyse the logs themselves, so you can also use that to start with. When you are using ZoneAlarm you can always look for the ZoneLogAnalyzer. It does some good work analysing your logs.

Greets
19 years 11 months ago #3831 by sahirh
Replied by sahirh on topic Re: Firewall Logs
What is your platform and what format are the logs in?
If it's iptables-based logging then there are a large number of programs as well as perl scripts that will parse the output for you.

If it's a Windows-based program, they most often have some sort of integrated log parser with the software (if it's a decent firewall package).

Btw dreamer -- ngrep is not a log parser, it's like grep for the network.

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
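The two things the thread keeps coming back to, "services you don't offer" (dreamer's telnet example) and the port scans and internal-IP-from-outside cases in the original question, are easy to check over iptables-style log lines once the key=value fields are parsed. The script below is an added example, not code from any poster or from one of the tools named above. Everything in it is assumed for illustration: the log lines are constructed (documentation address ranges, not real traffic), eth0 is taken as the Internet-facing interface, the "allowed" port set and the port-scan threshold are placeholders, and the year is assumed because syslog timestamps carry none.

```python
"""Review netfilter/iptables LOG-target lines for the patterns discussed in the thread."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions for this example (not from the thread): eth0 faces the Internet and the
# site only offers SMTP, HTTP and HTTPS, so any other destination port is "a service
# we don't offer" when it arrives on eth0.
EXTERNAL_IFACE = "eth0"
ALLOWED_PORTS = {25, 80, 443}
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVICE_NAMES = {22: "ssh", 23: "telnet", 135: "msrpc", 445: "smb", 3389: "rdp"}

# Constructed sample log in syslog + iptables LOG-target format; not real packets.
SAMPLE_LOG = """\
Jun 12 10:01:22 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44321 DPT=23 SYN
Jun 12 10:01:22 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44322 DPT=22 SYN
Jun 12 10:01:23 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44323 DPT=135 SYN
Jun 12 10:01:23 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44324 DPT=445 SYN
Jun 12 10:01:24 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=44325 DPT=3389 SYN
Jun 12 10:02:10 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=80 SYN
Jun 12 10:03:41 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.168.1.20 DST=198.51.100.10 PROTO=UDP SPT=53 DPT=53
Jun 12 10:05:00 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP SPT=40000 DPT=443 SYN
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
TS_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")


def parse_line(line, year=2005):
    """Return the fields we care about from one netfilter log line, or None if it is not one.

    The year is an assumption: syslog timestamps do not carry one.
    """
    m = TS_RE.match(line)
    if not m or "IN=" not in line:
        return None
    fields = dict(KV_RE.findall(line))          # IN=eth0 OUT= SRC=... -> {"IN": "eth0", ...}
    if "SRC" not in fields or "DST" not in fields:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    dpt = fields.get("DPT", "")
    return {
        "ts": ts,
        "in": fields.get("IN", ""),
        "src": ip_address(fields["SRC"]),
        "dst": ip_address(fields["DST"]),
        "proto": fields.get("PROTO", ""),
        "dpt": int(dpt) if dpt.isdigit() else None,  # ICMP lines have no DPT
    }


def review(log_text, scan_threshold=5, scan_window_s=60):
    """Return (kind, source, detail) findings for the three checks discussed in the thread."""
    findings = []
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]

    # 1. Services we don't offer, hit from the Internet-facing interface (one finding per source).
    unoffered = defaultdict(set)
    for e in events:
        if e["in"] == EXTERNAL_IFACE and e["dpt"] is not None and e["dpt"] not in ALLOWED_PORTS:
            unoffered[e["src"]].add(e["dpt"])
    for src, ports in unoffered.items():
        names = ", ".join(SERVICE_NAMES.get(p, str(p)) for p in sorted(ports))
        findings.append(("unoffered_service", str(src), names))

    # 2. An RFC 1918 source address arriving on the outside interface: spoofed or misrouted.
    for e in events:
        if e["in"] == EXTERNAL_IFACE and any(e["src"] in n for n in PRIVATE_NETS):
            findings.append(("internal_src_from_outside", str(e["src"]), e["in"]))

    # 3. Port scan: one source touching many distinct ports on one host inside a time window.
    per_pair = defaultdict(list)
    for e in events:
        if e["dpt"] is not None:
            per_pair[(e["src"], e["dst"])].append((e["ts"], e["dpt"]))
    for (src, dst), hits in per_pair.items():
        hits.sort()
        for i in range(len(hits)):
            start = hits[i][0]
            ports = {p for t, p in hits[i:] if (t - start).total_seconds() <= scan_window_s}
            if len(ports) >= scan_threshold:
                findings.append(("port_scan", str(src), f"{len(ports)} ports on {dst}"))
                break
    return findings


if __name__ == "__main__":
    for kind, src, detail in review(SAMPLE_LOG):
        print(f"{kind:26} {src:16} {detail}")
```

On the sample data this reports one source sweeping five closed ports (reported both as a port scan and as "services we don't offer", which is the usual overlap), and a 192.168.x.x address showing up on the outside interface; the legitimate HTTP connection and the outbound HTTPS from the LAN produce nothing. The port-scan window and threshold are the knobs to tune against your own traffic; the check is deliberately per source/destination pair, so a host that is slow-scanned across many days still needs a longer window to show up.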
19 years 11 months ago #3851 by GPod
Replied by GPod on topic Re: Firewall Logs
Platforms are all Windows; off the top of my head, types of firewalls include WatchGuard + something Cisco-flavoured, I think!

'Best things to look for in logs are services that you don't offer or don't allow.... '

Hadn't thought of that! I'm hoping they'll have some kind of analyser included, but I haven't got my hands on them yet so I'm not sure.

Cheers