Re: [logs] firewall logging and rulesets

From: Chris Brenton (cbrenton@private)
Date: Tue Oct 21 2003 - 19:24:59 PDT


    On Tue, 2003-10-21 at 21:23, Tina Bird wrote:
    >
    > but this still sort of depends on your having given the rule a sensible
    > name, right? 
    
    Absolutely. Kind of like driving a car properly depends on you being
    able to keep it on the road. ;-)
    
    > that is, it's clear that i've dropped something because it's
    > a kuang2_scan, but if my firewall admin (for instance, me) named a rule
    > something like FTP_internal_external (which i tend to do --
    > prot_source_dest), i have to sort of determine that it was an allow rule
    > based on the fact that it got allowed.
    
    Yes, or "permitted_outbound_ftp" or whatever works.
    
    > anyhow, part of the point here is that if you name your rules in a
    > sensible way, you can get the information you need out of the name and not
    > have to worry about making sense of it later. 
    
    As I said, it does work, but you have to do the prep work ahead of time.
    
    > here's another question -- does iptables log configuration changes --
    > in particular, ruleset changes -- to syslog? 
    
    Not that I'm aware of. It's a command-line utility, so you could log it
    using any of the usual means, but there is no built-in ability.
    
    >  if not, does it log them
    > anywhere at all?  if yes, could you please send me some sample data?
    
    I've never had to do this, but I'm guessing you could do something with
    sudo as that would show the complete command including all switches and
    record when it was run.
    
    > one of the current projects is to collect specific instances of generic
    > events (like dropped/allowed connections, config changes, etc) for
    > categories of devices (firewalls, web servers, etc) and get that all on
    > the loganalysis web site...
    
    Funny, I was just discussing this over on the Netfilter list. ;-)
    
    I have a set of log prefixes and a parsing script I use for log review.
    It dramatically decreases the amount of time you have to spend reviewing
    a firewall log. It works best with iptables, but it can be adapted to
    other firewalls. If you would like me to write up something that you
    could post on the site, I would be happy to help out. No tequila bribes
    required. ;-)
    
    Take care my friend,
    C
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
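
Added example, not part of the original message and not the parsing script mentioned in it: a minimal Python log review that tallies iptables LOG entries by rule name (the `--log-prefix` text) and pulls ruleset-changing `iptables` commands out of sudo's syslog records. The sample lines are constructed, the rule names are borrowed from the thread, and the function name `review` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original post).
SAMPLE = """\
Oct 21 19:00:01 fw kernel: kuang2_scan IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4021 DPT=17300 SYN
Oct 21 19:00:07 fw kernel: permitted_outbound_ftp IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=1044 DPT=21 SYN
Oct 21 19:00:09 fw kernel: kuang2_scanIN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4100 DPT=17300 SYN
Oct 21 19:02:11 fw sudo:    tbird : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/sbin/iptables -A INPUT -p tcp --dport 17300 -j DROP
Oct 21 19:03:40 fw sudo:    tbird : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/sbin/iptables -L -n
"""

# The LOG target writes "<prefix>IN=...": the rule name is whatever precedes
# IN=, so a prefix configured without a trailing space still parses.
PACKET = re.compile(r"kernel: (?:\[[\d. ]+\] )?(?P<prefix>.*?)\s*IN=\S* OUT=\S* (?P<fields>.*)")
SUDO = re.compile(r"^(?P<when>\w{3} +\d+ [\d:]+) \S+ sudo(?:\[\d+\])?: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")
# iptables options that modify the ruleset, as opposed to listing it.
CHANGE = {"-A", "-D", "-I", "-R", "-F", "-P", "-N", "-X", "-E",
          "--append", "--delete", "--insert", "--replace", "--flush",
          "--policy", "--new-chain", "--delete-chain", "--rename-chain"}

def review(text):
    """Return (hits per (rule, proto, dport), ruleset-changing sudo commands)."""
    hits, changes = Counter(), []
    for line in text.splitlines():
        m = PACKET.search(line)
        if m:
            kv = dict(f.split("=", 1) for f in m["fields"].split() if "=" in f)
            hits[(m["prefix"] or "(no prefix)", kv.get("PROTO"), kv.get("DPT"))] += 1
            continue
        m = SUDO.match(line)
        if m:
            argv = m["cmd"].split()
            exe = argv[0].rsplit("/", 1)[-1] if argv else ""
            # iptables-restore loads a whole ruleset, so it is treated as a change.
            if exe == "iptables-restore" or (exe == "iptables" and CHANGE & set(argv[1:])):
                changes.append((m["when"], m["user"], m["cmd"]))
    return hits, changes

if __name__ == "__main__":
    hits, changes = review(SAMPLE)
    for (rule, proto, dport), n in hits.most_common():
        print(f"{n:4d}  {rule:24s} {proto}/{dport}")
    for when, user, cmd in changes:
        print(f"ruleset change  {when}  {user}  {cmd}")
```

Only changes made through sudo appear in the second list; a root shell running iptables directly leaves no such record.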
    



    This archive was generated by hypermail 2b30 : Wed Oct 22 2003 - 01:37:47 PDT