RE: [logs] PIX logging

From: Julio Jaime (jjaime@ticket-accor.com.ar)
Date: Tue Jul 29 2003 - 14:10:17 PDT


    Hello dear all,
    
           We are building a threat management tool using many open source tools
    to collect the PIX's logs. We need to collect logs from different countries. The
    project uses remote log servers in each country to collect the logs from routers,
    IDS, PIX and web servers. These events are filtered and sent to a central
    log server. The central log server correlates these events and shows the events
    and the new correlation on a Java console.
    
           To collect the PIX logs we are using logsnorter; to collect the external
    router logs we are using a stealth rule on the IDS, and Snort is the IDS.
    
           I am sending you a snapshot of the Java console and the statistics console.
    
           Today we are using this tool with two countries, and we are thinking
    of implementing it in three more countries.
    
           You can see on the statistics snapshot that at 16:00 we have a lot of
    events. We are testing the solution using nmap.
    
    Best Regards.
    
    PS: I apologize for my poor English.
    
    
    =======================================
    Julio Jaime
    Americas Zone Security Administrator
    Accor Services - Servicios Ticket S.A.
    Av. Díaz Vélez 4367
    (C1200 AAK) Bs. As. - Argentina
    Tel.:  (54-11) 4909-1375
    Fax.: (54-11) 4909-1394
    jjaimeat_private
    =======================================
    This e-mail and any files transmitted with it are confidential and intended
    solely for the use of the individual to whom it is addressed. If you have
    received this email in error please send it back to the person that sent it
    to you. Unauthorized publication, use, dissemination, forwarding, printing
    or copying of this email and its associated attachments is strictly
    prohibited.
    
    -----Original Message-----
    From: Brian Ford [mailto:brfordat_private]
    Sent: Tuesday, July 29, 2003 05:18 PM
    To: Marius Baicoianu
    CC: LogAnalysisat_private
    Subject: Re: [logs] PIX logging
    
    
    Marius,
    
    I think you've made a great start.
    
    What I would suggest next would be to ask yourself a few (at least these 
    10) questions about the log data before you.  The first time you do this it 
    could take a day (or more).  But eventually you will be able to do this 
    within 20 minutes.  It often depends on what tools you are comfortable with 
    and use.
    
    Q1: How many log messages were recorded today? (#)  Make a record of that 
    number on a calendar or in a journal.  It is the starting point for your 
    log analysis.
    
    Q2: Is that more or less messages than the day before?  How much more or 
    less (%)?  This helps you figure out if things are normal and running 
    within a set baseline.
    
    Q3: Is that more or less messages than the same day last week?  How much 
    more or less (%)?  This is a check that I do to check to make sure that my 
    baseline doesn't drift too badly.
    
    Q4: Can you explain why for Q2 or Q3?  If you see much more data today than in 
    both the day and the week before, you need to start asking yourself some more 
    questions like: was there a rule that blocked many connections (in PIX v6.3 
    look for message 106023); is someone scanning the Firewall and creating 
    lots of half dead connections (they have associated message numbers too); 
    or do I have the log level set too high?  If you see much less data you 
    need to figure out if something is broken or mis-configured (or if today is 
    the day after a day off or holiday).
    
    Q5:  What is the message breakdown by level?  Lots of web surfing (normal 
    activity) generates lots of level 6 and 7 messages.  That might explain an 
    increase in the number of log messages (aggressive surfing).  Or it could be 
    scans (level 3,4,5 messages).  Or bad rules (if I just modified the 
    rules).  Again, establish a baseline of "normal" activity.
    
    Q6: Am I seeing (m)any messages that indicate hardware or configuration 
    issues?  Those would be at the lower levels (1,2,3).  Some people make this 
    Q2 when they first install their PIX until they get used to it.
    
    Q7:  Did you see PIX v6.x Syslog message ID 199002 in the log?  Can you 
    explain why that is in there?
    
    Q8: Are there any new messages that I have not seen before?  If so, why are 
    they there?
    
    Q9:  What is the top denied protocol? How did it get denied?
    
    Q10:  What are the top 5 denied IP addresses?  How did they get denied?
    
    These are just ten of the rules that I talk about and often use.  I have 
    like 30 more solid rules written down somewhere.
    
    Liberty for All,
    
    Brian
    
    
    At 11:27 AM 7/29/2003 -0700, Marius Baicoianu wrote:
    >Hi,
    >
    >I have read your messages in reference to the PIX
    >logging and I would like to ask you a few things:
    >- after you configure syslog and logrotate to log and
    >rotate my system logs, what do I do next?
    >- do you have an easy way to review these logs? scripts
    >or procedures? I'm able to have all the PIX logs on a
    >syslog server, and I am able to cut them daily, but I
    >don't know what I am supposed to do next....How can I
    >review so much info?
    >
    >Please help.
    >Thanks.
    >
    >
    >_______________________________________________
    >LogAnalysis mailing list
    >LogAnalysisat_private
    >http://lists.shmoo.com/mailman/listinfo/loganalysis
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
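    The daily checklist Brian describes (Q1 through Q10) can be turned into a small script that runs over one day's PIX syslog file. The code below is an added example, not from Brian's or Julio's posts: it assumes the syslog server stores each line with the standard `%PIX-<level>-<id>:` header, that message 106023 carries the `Deny <proto> src <if>:<ip>/<port>` body, and that yesterday's and last week's totals were written down as Q1 asks; the sample lines and counts are constructed.

```python
import re
from collections import Counter

# Constructed sample of one day's PIX syslog lines (not from the posts; documentation-range IPs).
TODAY = """\
Jul 29 16:01:02 pixfw %PIX-6-302013: Built outbound TCP connection 1201 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.0.0.5/33201 (198.51.100.1/1025)
Jul 29 16:01:05 pixfw %PIX-4-106023: Deny tcp src outside:203.0.113.7/4411 dst inside:10.0.0.5/23 by access-group "outside_in"
Jul 29 16:01:05 pixfw %PIX-4-106023: Deny tcp src outside:203.0.113.7/4412 dst inside:10.0.0.5/22 by access-group "outside_in"
Jul 29 16:01:06 pixfw %PIX-4-106023: Deny udp src outside:203.0.113.9/5000 dst inside:10.0.0.5/161 by access-group "outside_in"
Jul 29 16:02:00 pixfw %PIX-6-199002: PIX startup completed. Beginning operation.
"""
YESTERDAY_COUNT, LAST_WEEK_COUNT = 4, 8  # totals from the previous runs (constructed)

HEADER = re.compile(r"%PIX-(\d)-(\d{6}): (.*)")
DENY = re.compile(r"Deny (?:inbound )?(\w+) src \w+:([\d.]+)/\d+")
WATCH = {"106023": "ACL deny (Q4)", "199002": "PIX startup (Q7)"}

def parse(text):
    """Yield (level, message_id, body) for each line carrying a PIX header."""
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def pct_change(today, reference):
    """Q2/Q3: percentage difference against an earlier day's total."""
    return round(100.0 * (today - reference) / reference, 1) if reference else None

def daily_report(text, yesterday, last_week):
    """Answer Q1-Q7, Q9 and Q10 for one day's log file."""
    events = list(parse(text))
    by_level = Counter(level for level, _, _ in events)
    watched = Counter(mid for _, mid, _ in events if mid in WATCH)
    protos, ips = Counter(), Counter()
    for _, _, body in events:
        d = DENY.match(body)
        if d:
            protos[d.group(1)] += 1
            ips[d.group(2)] += 1
    return {
        "total": len(events),                                    # Q1
        "vs_yesterday_pct": pct_change(len(events), yesterday),  # Q2
        "vs_last_week_pct": pct_change(len(events), last_week),  # Q3
        "watched": dict(watched),                                # Q4, Q7
        "by_level": dict(sorted(by_level.items())),              # Q5, Q6
        "top_denied_proto": protos.most_common(1)[0][0] if protos else None,  # Q9
        "top_denied_ips": [ip for ip, _ in ips.most_common(5)],  # Q10
    }

REPORT = daily_report(TODAY, YESTERDAY_COUNT, LAST_WEEK_COUNT)
```

    Q8 (messages never seen before) needs a stored set of message IDs from earlier days, so it is left to the reader; a file of previously seen IDs compared against `parse()` output is enough.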


    This archive was generated by hypermail 2b30 : Wed Jul 30 2003 - 12:58:54 PDT