RE: [logs] PIX logging

From: Matthew F. Caldwell (mattcat_private)
Date: Tue Jul 29 2003 - 12:10:47 PDT


    Marius,
    
    	You can do various things to sort out the Drop/Reject/Accept
    packets from your firewall. Grepping (man grep) out the reject/drop
    packets may give you more understanding about who is scanning (or trying
    to compromise) you/your organization.
    
    Example:
    cat messages |grep deny
    
    
    Say you wanted to see everything BUT deny packets then you might try
    this
    
    Example:
    cat messages |grep -v deny
    
    
    You may also want to keep track of how many packets you are logging a
    day. The "wc" (wc -l works well) command in unix can help with line
    counts.  
    
    Example:
    cat messages |grep deny | wc -l 
    
    By knowing what the "normal" amount of dropped packets is, you may be
    able to determine if someone is doing something odd once you see a large
    amount of drop/deny/reject messages. Even large amounts of accepts could
    indicate that you have a worm in your network. This is called feeling
    out your "baseline".
    
    
    
    Once you have the data you can do lots of things with it:
    
    - Filter the data.
    - Apply rules to the data.
    - Visualize the data.
    - Correlate the data.
    - Compute statistical information.
    
    I hope this helps and may the force be with you!
    
    Matthew
    
    Matthew F. Caldwell, CISSP
    Founder and CSO
    GuardedNet, Inc
    www.guarded.net
    
    
    -----Original Message-----
    From: Marius Baicoianu [mailto:mbaicoianuat_private] 
    Sent: Tuesday, July 29, 2003 2:28 PM
    To: LogAnalysisat_private
    Subject: [logs] PIX logging
    
    Hi,
    
    I have read your messages in reference to the PIX
    logging and I would like to ask you a few things:
    - after you configure syslog and logrotate to log and
    rotate my system logs, what do I do next?
    - do you have an easy way to review these logs? scripts
    or procedures? I'm able to have all the PIX logs on a
    syslog server, and I am able to cut them daily, but I
    don't know what I'm supposed to do next... How can I
    review so much info?
    
    Please help.
    Thanks.
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
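The triage Matthew describes (grep for deny, grep -v for everything else, wc -l for a daily count, then compare against a baseline) as one runnable script. This is an added example, not code from the thread or from GuardedNet. The log lines it writes are constructed samples in PIX syslog style (message IDs 106023, 302013 and 302014 are real PIX IDs, but the addresses, ports and connection numbers are made up), the alert multiplier of 3 is an assumed threshold, and the script assumes the PIX syslog is a plain text file such as the "messages" file in the reply.

```sh
#!/bin/sh
# Added example: triage PIX syslog the way the reply suggests, then put the
# deny count against a baseline. Everything below the function names is an
# assumption; the sample log is constructed, not captured from a real PIX.

# Write a constructed sample log (two days, 5 denies, 3 other messages) to $1.
make_sample_log() {
    cat > "$1" <<'EOF'
Jul 28 2003 23:59:58 pix %PIX-4-106023: Deny tcp src outside:203.0.113.77/2200 dst inside:192.0.2.10/22 by access-group "outside_in"
Jul 29 2003 10:01:02 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/4321 dst inside:192.0.2.10/445 by access-group "outside_in"
Jul 29 2003 10:01:03 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/4322 dst inside:192.0.2.11/445 by access-group "outside_in"
Jul 29 2003 10:01:05 pix %PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.0.2.20/33012 (198.51.100.1/1024)
Jul 29 2003 10:01:07 pix %PIX-4-106023: Deny udp src outside:198.51.100.9/53 dst inside:192.0.2.10/1434 by access-group "outside_in"
Jul 29 2003 10:01:09 pix %PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/80 to inside:192.0.2.20/33012 duration 0:00:04 bytes 1832 TCP FINs
Jul 29 2003 10:01:11 pix %PIX-4-106023: Deny tcp src outside:198.51.100.7/4323 dst inside:192.0.2.12/445 by access-group "outside_in"
Jul 29 2003 10:01:12 pix %PIX-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.8/51000 (203.0.113.8/51000) to inside:192.0.2.30/25 (198.51.100.2/25)
EOF
}

# The reply's `grep deny | wc -l`, made case-insensitive because PIX writes "Deny".
# grep -c prints the count itself; `|| :` keeps a zero-match run from failing.
count_denies() {
    grep -ci 'deny' "$1" || :
}

# The reply's `grep -v deny`, counted: everything that is not a deny.
count_non_denies() {
    grep -vci 'deny' "$1" || :
}

# Denies per day: the first three space-separated fields of a PIX line are the date.
denies_per_day() {
    grep -i 'deny' "$1" | cut -d' ' -f1-3 | sort | uniq -c
}

# Source address that appears most often in deny messages
# (pulls the address out of "src <interface>:<addr>/<port>").
top_deny_source() {
    grep -i 'deny' "$1" \
      | sed -n 's|.*src [^:]*:\([0-9.][0-9.]*\)/.*|\1|p' \
      | sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'
}

# Compare a day's deny count with the baseline; ALERT when it exceeds
# baseline * factor (factor 3 is an assumed threshold, tune it to your site).
check_baseline() {
    today=$1; baseline=$2; factor=${3:-3}
    if [ "$today" -gt $((baseline * factor)) ]; then
        echo ALERT
    else
        echo normal
    fi
}

# Demo run against the constructed sample.
log=$(mktemp)
make_sample_log "$log"
echo "deny messages:      $(count_denies "$log")"
echo "other messages:     $(count_non_denies "$log")"
echo "denies per day:"; denies_per_day "$log"
echo "top deny source:    $(top_deny_source "$log")"
echo "against baseline 1: $(check_baseline "$(count_denies "$log")" 1)"
rm -f "$log"
```

Run it as `sh pixtriage.sh`; to use it on a real file, call the functions with the path of your rotated PIX log instead of the sample. The baseline figure is the one you establish yourself by running `count_denies` over a few normal days, which is what the reply calls feeling out your baseline.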
    



    This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 13:35:31 PDT