Re: [logs] firewall logging and rulesets

• Previous message: Bill Mathews: "Re: [logs] firewall logging and rulesets"
• In reply to: Tina Bird: "Re: [logs] firewall logging and rulesets"
• Next in thread: Terence Runge: "Re: [logs] firewall logging and rulesets"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2003-10-21 at 21:23, Tina Bird wrote:
>
> but this still sort of depends on your having given the rule a sensible
> name, right? 

Absolutely. Kind of like driving a car properly depends on you being
able to keep it on the road. ;-)

> that is, it's clear that i've dropped something because it's
> a kuang2_scan, but if my firewall admin (for instance, me) named a rule
> something like FTP_internal_external (which i tend to do --
> prot_source_dest), i have to sort of determine that it was an allow rule
> based on the fact that it got allowed.

Yes, or "permitted_outbound_ftp" or what ever works.

> anyhow, part of the point here is that if you name your rules in a
> sensible way, you can get the information you need out of the name and not
> have to worry about making sense of it later. 

As I said, it does work, but you have to do the prep work ahead of time.

> here's another question -- does iptables log configuration changes --
> in particular, ruleset changes -- to syslog? 

Not that I'm aware of. Its a command line utility, so you could log it
using any of the usual means, but there is no built in ability. 

>  if not, does it log them
> anywhere at all?  if yes, could you please send me some sample data?

I've never had to do this, but I'm guess you could do something with
sudo as that would show the complete command including all switches and
record when it was run.

> one of the current projects is to collect specific instances of generic
> events (like dropped/allowed connections, config changes, etc) for
> categories of devices (firewalls, web servers, etc) and get that all on
> the loganalysis web site...

Funny, I was just discussing this over on the Netfilter list. ;-)

I have a set of log prefixes and a parsing script I use for log review.
It dramatically decreases the amount of time you have to spend reviewing
a firewall log. It works best with iptables, but it can be adapted to
other firewalls. If you would like me to write up something that you
could post on the site, I would be happy to help out. No tequila bribes
required. ;-)

Take care my friend,
C


_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: Eric Fitzgerald: "RE: [logs] Monitoring Windows Security Events"
• Previous message: Bill Mathews: "Re: [logs] firewall logging and rulesets"
• In reply to: Tina Bird: "Re: [logs] firewall logging and rulesets"
• Next in thread: Terence Runge: "Re: [logs] firewall logging and rulesets"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Oct 22 2003 - 01:37:47 PDT