RE: [logs] firewall logging and rulesets

From: Hyndman, Scott (scott.hyndman@private)
Date: Thu Oct 23 2003 - 08:10:22 PDT

  • Next message: Brian Ford: "RE: [logs] firewall logging and rulesets"

    Hi Jason,
    There is a new feature called "syslog by acl entry" introduced in V6.3 which may address this issue for you.
    From the release notes:
    Syslog by ACL Entry
    This feature allows users to configure a specific Access Control List (ACL) entry with a logging option. When such an option is configured, statistics for each flow that matches the permit or deny conditions of the ACL entry are logged. 
    To configure the log option in the access-list command on the PIX Firewall, refer to "Logging Access Control List Activity " in the Cisco PIX Firewall and VPN Configuration Guide. For a complete description of the command syntax for these new commands, refer to the Cisco PIX Firewall Command Reference. 
    -----Original Message-----
    From: Jason Haar [mailto:Jason.Haar@private]
    Sent: Wednesday, October 22, 2003 11:29 PM
    To: loganalysis@private
    Subject: Re: [logs] firewall logging and rulesets
    On Wed, Oct 22, 2003 at 05:22:16PM -0400, Brian Ford wrote:
    > The other thing we did is to allow the suppression of messages based on the 
    > ID.  So if you don't like the "Built Dynamic Translation" message you can 
    > make it so your PIX never emits that message again.  And when I say never I 
    > mean until you take that line out of the configuration.  But it does 
    I don't want to turn this into a PIX-thread - but I will :-)
    This feature isn't as great as it seems. To be honest, the PIX still has a
    ways to go before its ACL support is as good as IOS. Why? Because under IOS
    you can tell an *individual* ACL whether it's going to log or not. Under the
    PIX, all you can do is log, or block logging on a "message number" - you
    can't get any finer grained.
    e.g. our PIX blocks TONNES of outgoing TCP port 137,139 connections: Windows
    is TERRIBLE at promiscuously throwing packets about. There is so much that
    it is causing nothing but grief on our security loggers - so I want to
    disable them. They come under rule %PIX-4-106023 - but if I disable that, I
    also lose logging of internal hosts connecting to anything else -
    such as port 135 - which implies BLASTER. 
    I don't want to miss seeing that, so I can't block %PIX-4-106023... :-(
    Jason Haar
    Information Security Manager, Trimble Navigation Ltd.
    Phone: +64 3 9635 377 Fax: +64 3 9635 417
    PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
    LogAnalysis mailing list
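As an added illustration, not part of the original thread or any vendor code: a collector-side filter that does what Jason asks for when the PIX can only suppress %PIX-4-106023 wholesale. It drops the 106023 denies whose destination is NetBIOS chatter (137/138/139) and keeps everything else, including port 135 denies. The 106023 message layout is assumed from PIX 6.x documentation and the log lines below are constructed samples.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample syslog lines. Assumed %PIX-4-106023 layout:
#   Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
SAMPLE_LOG = """\
Oct 23 08:10:01 pix %PIX-4-106023: Deny tcp src inside:10.1.1.5/1034 dst outside:192.0.2.10/137 by access-group "inside_in"
Oct 23 08:10:02 pix %PIX-4-106023: Deny tcp src inside:10.1.1.5/1035 dst outside:192.0.2.10/139 by access-group "inside_in"
Oct 23 08:10:03 pix %PIX-4-106023: Deny tcp src inside:10.1.1.7/1036 dst outside:198.51.100.4/135 by access-group "inside_in"
Oct 23 08:10:04 pix %PIX-4-106023: Deny udp src inside:10.1.1.9/137 dst outside:192.0.2.255/137 by access-group "inside_in"
Oct 23 08:10:05 pix %PIX-6-302013: Built outbound TCP connection 12 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.5/1040 (10.1.1.5/1040)
"""

DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>[^:]+):(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:]+):(?P<dip>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# NetBIOS noise we are willing to drop. Port 135 is deliberately absent so
# RPC-endpoint-mapper probes (the Blaster indicator in the thread) stay visible.
SUPPRESS = {("tcp", 137), ("tcp", 139), ("udp", 137), ("udp", 138)}


def parse_deny(line: str) -> Optional[dict]:
    """Parse a 106023 deny line into its fields; None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def is_noise(line: str) -> bool:
    """True only for a 106023 deny whose protocol/destination port is suppressed."""
    d = parse_deny(line)
    return d is not None and (d["proto"].lower(), d["dport"]) in SUPPRESS


def filter_log(lines: Iterable[str]) -> List[str]:
    """Return every non-empty line except the suppressed 106023 denies."""
    return [ln for ln in lines if ln.strip() and not is_noise(ln)]


if __name__ == "__main__":
    for kept in filter_log(SAMPLE_LOG.splitlines()):
        print(kept)
```

The same per-port decision could instead be made on the firewall by attaching the log option only to the ACL entries that matter, which is what the 6.3 "syslog by ACL entry" feature Scott mentions provides.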

    This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 10:25:43 PDT