RE: [logs] firewall logging and rulesets

From: Jørgen Hoffmeister (jorgen@private)
Date: Wed Oct 22 2003 - 21:59:17 PDT

  • Next message: Rainer Gerhards: "Re: [logs] firewall logging and rulesets"

    Hi Jason and all
    On PIX Ver. 6.33 you are able to set logging on for your acls. All deny's og
    Permit's by the ACL will be transmitted via event 106100 . You can also set
    an interval for how many loglines
    for the specific ACL. The same way as on the IOS.
    The way the PIX can suppress an event, that’s cool, but if you are going to
    use it for forensics you have to have all the logging set to debug. It's
    fine to get annoying events away from realtime logging.
    I have build my own Syslog server, where I suppress which log events at the
    syslog server. I don't want to use geature that the PIX gives me, because I
    have to track all the events, to make shure, for example to get the
    statistics for a connection I have to analyze the Trasaltion event, the
    Connection event and the Teardown event, to have all the information about
    the source and destion and how many bytes transferred. After that I can log
    It to the Database.  
    I have been working with the PIX for a couple of years now, and the way that
    the PIX is logging, what I think, it is by far the best on the market.
    Checkpoint Firewall's logging capabilities are really bad because it is so
    undocumented af a mess.
    To Brian at Cisco : The way that PIX handles to send syslog events via TCP.
    When the PIX can't se the syslog server by the third retry, then it stops
    sending syslog messages. Why have you not set up a retry connection, by
    every  x minutes to retry sending syslog messages again. It could be
    usefull. In older versions of the PIX Software it didn't care about that I
    could'nt connect to the syslog sesrver via TCP.
    Jorgen Hoffmeister
    -----Original Message-----
    [] On Behalf
    Of Jason Haar
    Sent: 23. oktober 2003 05:29
    To: loganalysis@private
    Subject: Re: [logs] firewall logging and rulesets
    On Wed, Oct 22, 2003 at 05:22:16PM -0400, Brian Ford wrote:
    > The other thing we did is to allow the suppression of messages based 
    > on the ID.  So if you don't like the "Built Dynamic Translation" 
    > message you can make it so your PIX never emits that message again.  
    > And when I say never I mean until you take that line out of the 
    > configuration.  But it does
    I don't want to turn this into a PIX-thread - but I will :-)
    This feature isn't as great as it seems. To be honest, the PIX still has a
    ways to go before its ACL support is as good as IOS. Why? Because under IOS
    you can tell an *individual* ACL whether it's going to log or not. Under the
    PIX, all you can do is log, or block logging on a "message number" - you
    can't get any finer grained.
    e.g. our PIX blocks TONNES of outgoing TCP port 137,139 connections: Windows
    is TERRIBLE at promiscuously throwing packets about. There is so much that
    it is causing nothing but grief on our security loggers - so I want to
    disable them. They come under rule %PIX-4-106023 - but if I disable that, I
    also lose logging of internal hosts connecting to anything else - such as
    port 135 - which implies BLASTER. 
    I don't want to miss seeing that, so I can't block %PIX-4-106023... :-(
    Jason Haar
    Information Security Manager, Trimble Navigation Ltd.
    Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6
    CAF6 2B9F 8422 C063 5EBB FE1D 66D1
    LogAnalysis mailing list
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 10:14:54 PDT