I have asked Ken to tell us a little more about his scripts, and to let me post them on the Web site.

-----Original Message-----
From: Ken McKinlay [mailto:ken.mckinlayat_private]
Sent: Friday, October 26, 2001 8:17 AM
To: 'intrusionsat_private'
Subject: FW-1 and incident log processing

For those using FW-1, I've cobbled together a set of shell/perl scripts and web CGI pages that have helped me reduce the time to handle my reports from 1 hour to less than 10 minutes (only a /28 network to worry about externally).

The way they work is:

1. A FireWall-1 user-defined alert is generated by the firewall for the ports I am interested in monitoring.
2. From the alert, an e-mail is generated and is sent to my log processor system.
3. The raw alert log is processed and split into discrete files.
4. These files are then displayed via a browser as a series of check boxes.

From there I just select a group of incidents and the e-mail to be sent is displayed on the screen along with the log details. I then fill in the To and CC addresses, check that the message body is OK and send it off with a click.

If anyone is interested, drop me a line. Be warned, they are still in beta since I am still in the process of tweaking, but I have been using them for about a week without any problems.

Ken McKinlay, GCIA
Network Security
Dy 4 Systems
613-599-9199 x506
ken.mckinlayat_private
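Steps 3 and 4 of the pipeline Ken describes (split a raw alert log into one file per incident, then assemble the abuse-report e-mail for the incidents the analyst ticks) are shown below as an added example. This is not Ken's code and not a Check Point tool; it is a Python sketch written for this archive. The log line layout is a constructed approximation of the `fw log` text output (date, time, action, host, interface, then `key value` pairs), the sample lines use RFC 5737 documentation addresses, and the grouping rule (one incident per source address per day) and the report wording are assumptions.

```python
"""Toy FW-1 alert-log splitter and incident-report builder (added example).

Assumed line layout, loosely modelled on 'fw log' text output:
  <date> <time> <action> <host> <dir+iface> proto X src A dst B service S s_port P rule N
"""
import re
import tempfile
from collections import defaultdict
from email.message import EmailMessage
from pathlib import Path

# Constructed sample alert lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
26Oct2001  8:15:01 alert fw1 >hme0 proto tcp src 198.51.100.7 dst 192.0.2.5 service http s_port 3301 rule 12
26Oct2001  8:15:02 alert fw1 >hme0 proto tcp src 198.51.100.7 dst 192.0.2.6 service http s_port 3302 rule 12
26Oct2001  8:16:40 alert fw1 >hme0 proto udp src 203.0.113.9 dst 192.0.2.5 service snmp s_port 1100 rule 14
26Oct2001  8:17:05 accept fw1 >hme0 proto tcp src 203.0.113.9 dst 192.0.2.8 service smtp s_port 4040 rule 3
not a log line at all
"""

# Fixed leading fields, then the free-form key/value tail.
_HEAD = re.compile(
    r"^(?P<date>\d{1,2}[A-Za-z]{3}\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<action>\w+)\s+(?P<host>\S+)\s+(?P<iface>[<>]\S+)\s+(?P<rest>.*)$"
)
_KV = re.compile(r"(\w+)\s+(\S+)")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec.update(_KV.findall(rest))  # proto/src/dst/service/s_port/rule pairs
    return rec


def split_alerts(text, action="alert"):
    """Step 3: group alert records into incidents keyed by (date, src)."""
    incidents = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("action") != action:
            continue  # drop unparseable lines and non-alert actions
        incidents[(rec["date"], rec["src"])].append(rec)
    return dict(incidents)


def format_record(rec):
    """One human-readable line per connection attempt for the report body."""
    return (f"{rec['date']} {rec['time']} {rec['proto']} {rec['src']}:{rec['s_port']}"
            f" -> {rec['dst']} {rec['service']} (rule {rec['rule']})")


def write_incident_files(incidents, outdir):
    """Write one file per incident so each can be reviewed on its own."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for (date, src), recs in sorted(incidents.items()):
        path = outdir / f"{date}_{src.replace('.', '-')}.log"
        path.write_text("\n".join(format_record(r) for r in recs) + "\n")
        written.append(path)
    return written


def build_report(incidents, selected, sender, to, cc=None):
    """Step 4/5: assemble the e-mail for the incidents the analyst ticked."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    if cc:
        msg["Cc"] = cc
    srcs = sorted({src for _, src in selected})
    msg["Subject"] = "Unsolicited traffic from " + ", ".join(srcs)
    body = ["The following connection attempts were logged by our firewall",
            "(times are local to the firewall):", ""]
    for key in sorted(selected):
        body.extend(format_record(r) for r in incidents[key])
    body += ["", "Please investigate the source hosts listed above."]
    msg.set_content("\n".join(body))
    return msg


def demo():
    """Run the whole pipeline on the sample log; returns (file count, subject)."""
    incidents = split_alerts(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as d:
        files = write_incident_files(incidents, d)
        count = len(files)
    msg = build_report(incidents, list(incidents), "fw-admin@example.net",
                       "abuse@example.com")
    return count, str(msg["Subject"])


if __name__ == "__main__":
    print(demo())
```

The `accept` line is deliberately excluded: only records whose action matches the user-defined alert are treated as incidents, and anything that does not match the expected layout is skipped rather than guessed at. Grouping by source address per day is what turns a raw alert stream into a handful of check boxes; with a different key (destination port, rule number) the same split function produces a different view of the same log.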
This archive was generated by hypermail 2b30 : Fri Oct 26 2001 - 09:57:22 PDT