Marius,

You can do various things to sort out the Drop/Reject/Accept packets from your firewall. Grepping (man grep) out the reject/drop packets may give you more understanding about who is scanning (or trying to compromise) you/your organization.

Example:   cat messages | grep deny

Say you wanted to see everything BUT deny packets; then you might try this

Example:   cat messages | grep -v deny

You may also want to keep track of how many packets you are logging a day. The "wc" command (wc -l works well) in Unix can help with line counts.

Example:   cat messages | grep deny | wc -l

By knowing what the "normal" amount of dropped packets is, you may be able to determine if someone is doing something odd once you see a large amount of drop/deny/reject messages. Even large amounts of accepts could indicate that you have a worm in your network. This is called feeling out your "baseline".

Once you have the data you can do lots of things with it:
- Filter the data
- Apply rules to the data
- Visualize the data
- Correlate the data
- Compute statistical information

I hope this helps, and may the force be with you!

Matthew

Matthew F. Caldwell, CISSP
Founder and CSO
GuardedNet, Inc
www.guarded.net

-----Original Message-----
From: Marius Baicoianu [mailto:mbaicoianuat_private]
Sent: Tuesday, July 29, 2003 2:28 PM
To: LogAnalysisat_private
Subject: [logs] PIX logging

Hi,

I have read your messages in reference to the PIX logging and I would like to ask you a few things:
- after you configure syslog and logrotate to log and rotate my system logs, what do I do next?
- do you have an easy way to review these logs? scripts or procedures?

I'm able to have all the PIX logs on a syslog server, and I am able to cut them daily, but I don't know what I am supposed to do next.... How can I review so much info?

Please help.
Thanks.

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
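The grep / grep -v / wc -l triage and the "baseline" idea from Matthew's reply, worked through as an added example that is not part of the original thread. The PIX syslog lines and the historical daily counts below are constructed for the example; the message IDs, hostnames and addresses are illustrative only. Note that PIX writes "Deny" with a capital D, so the matches are case-insensitive (grep -i), which the reply's plain `grep deny` would miss. The baseline threshold (twice the historical mean) is an arbitrary choice for the example, not a recommendation.

```shell
#!/bin/sh
# Added example (not from the original post): PIX deny/accept triage with
# grep, wc, sort and uniq, plus a crude "is today unusual" baseline check.
# All log lines and counts here are constructed; message IDs are illustrative.

LOG="$(mktemp)"
BASE="$(mktemp)"
trap 'rm -f "$LOG" "$BASE"' EXIT

# Constructed sample of what a syslog server might receive from a PIX.
cat > "$LOG" <<'EOF'
Jul 29 2003 14:01:02 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4123 dst inside:192.0.2.10/22 by access-group "outside_in"
Jul 29 2003 14:01:03 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4124 dst inside:192.0.2.10/23 by access-group "outside_in"
Jul 29 2003 14:01:03 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4125 dst inside:192.0.2.10/25 by access-group "outside_in"
Jul 29 2003 14:02:10 fw1 %PIX-4-106023: Deny udp src outside:198.51.100.5/5353 dst inside:192.0.2.10/53 by access-group "outside_in"
Jul 29 2003 14:03:44 fw1 %PIX-6-302013: Built outbound TCP connection 8812 for outside:198.51.100.20/80 (198.51.100.20/80) to inside:192.0.2.55/3301 (192.0.2.55/3301)
Jul 29 2003 14:03:45 fw1 %PIX-6-302013: Built inbound TCP connection 8813 for outside:203.0.113.9/40002 (203.0.113.9/40002) to inside:192.0.2.10/80 (192.0.2.10/80)
Jul 29 2003 14:05:00 fw1 %PIX-3-106010: Deny inbound tcp src outside:203.0.113.7/4200 dst inside:192.0.2.11/22
EOF

# Constructed baseline: one deny count per previous day, one per line.
printf '%s\n' 100 120 110 > "$BASE"

# Deny lines (the reply's "grep deny | wc -l"). PIX capitalises "Deny",
# so match case-insensitively; -c counts matching lines.
count_deny() { grep -ci 'deny' "$1"; }

# Everything except deny lines (the "grep -v deny" variant).
count_not_deny() { grep -vic 'deny' "$1"; }

# Deny lines per calendar day, printed as "Mon DD YYYY count".
# Run this over rotated logs to build the baseline file.
count_deny_by_day() {
  grep -i 'deny' "$1" | awk '{print $1, $2, $3}' | sort | uniq -c \
    | awk '{print $2, $3, $4, $1}'
}

# Source addresses denied most often ("who is scanning you"),
# printed as "ip count", most frequent first.
top_deny_sources() {
  grep -i 'deny' "$1" \
    | sed -n 's/.* src [a-z]*:\([0-9.]*\)\/.*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Compare today's deny count with the mean of the baseline file.
# Prints ALERT when today is more than double the mean (arbitrary threshold).
baseline_alert() {
  awk -v today="$1" '
    { sum += $1; n++ }
    END {
      mean = (n > 0) ? sum / n : 0
      if (today > 2 * mean) print "ALERT"; else print "normal"
    }' "$2"
}

echo "deny lines:     $(count_deny "$LOG")"
echo "non-deny lines: $(count_not_deny "$LOG")"
echo "deny per day:";   count_deny_by_day "$LOG"
echo "top sources:";    top_deny_sources "$LOG"
echo "today vs baseline: $(baseline_alert "$(count_deny "$LOG")" "$BASE")"
```

Appending the output of count_deny_by_day from each rotated log to the baseline file gives the history that baseline_alert compares against; the same structure works for "Built" (accept) lines, which is the check the reply suggests for spotting a worm from the inside.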
This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 13:35:31 PDT