Hi Jason,

There is a new feature called "syslog by acl entry" introduced in V6.3 which may address this issue for you.

From the release notes:

Syslog by ACL Entry

This feature allows users to configure a specific Access Control List (ACL) entry with a logging option. When such an option is configured, statistics for each flow that matches the permit or deny conditions of the ACL entry are logged.

To configure the log option in the access-list command on the PIX Firewall, refer to "Logging Access Control List Activity" in the Cisco PIX Firewall and VPN Configuration Guide. For a complete description of the command syntax for these new commands, refer to the Cisco PIX Firewall Command Reference.

regards,
Scott

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar@private]
Sent: Wednesday, October 22, 2003 11:29 PM
To: loganalysis@private
Subject: Re: [logs] firewall logging and rulesets

On Wed, Oct 22, 2003 at 05:22:16PM -0400, Brian Ford wrote:
> The other thing we did is to allow the suppression of messages based on the
> ID. So if you don't like the "Built Dynamic Translation" message you can
> make it so your PIX never emits that message again. And when I say never I
> mean until you take that line out of the configuration. But it does

I don't want to turn this into a PIX-thread - but I will :-)

This feature isn't as great as it seems. To be honest, the PIX still has a ways to go before its ACL support is as good as IOS. Why? Because under IOS you can tell an *individual* ACL whether it's going to log or not. Under the PIX, all you can do is log, or block logging on a "message number" - you can't get any finer grained.

e.g. our PIX blocks TONNES of outgoing TCP port 137,139 connections: Windows is TERRIBLE at promiscuously throwing packets about. There is so much that it is causing nothing but grief on our security loggers - so I want to disable them.
They come under rule %PIX-4-106023 - but if I disable that, I also lose logging of internal hosts connecting to anything else - such as port 135 - which implies BLASTER. I don't want to miss seeing that, so I can't block %PIX-4-106023... :-(

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
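The per-port suppression Jason says the PIX cannot do can be done on the log collector instead. The following Python filter is an added example, not code from the thread: it parses %PIX-4-106023 deny lines (field layout per Cisco's documented message format; the sample syslog lines are constructed here), drops TCP 137/139 denies while tallying them per source host so the noise is still summarised, and passes port 135 and every other message through untouched.

```python
import re
from collections import Counter

# Parser for the %PIX-4-106023 deny message discussed in the thread:
#   Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group <acl>
PIX_106023 = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "?(?P<acl>[^"\s]+)"?'
)

# NetBIOS noise to suppress. Port 135 is deliberately NOT in this set,
# because outbound 135 attempts are the Blaster indicator Jason wants kept.
SUPPRESS_TCP_DST_PORTS = {137, 139}


def filter_106023(lines):
    """Return (kept_lines, suppressed_counter).

    A 106023 TCP deny whose destination port is in SUPPRESS_TCP_DST_PORTS is
    dropped from the output and counted per source host. Everything else
    (other message IDs, other ports, non-TCP denies) passes through as-is.
    """
    kept = []
    suppressed = Counter()
    for line in lines:
        m = PIX_106023.search(line)
        if (m and m["proto"].lower() == "tcp"
                and int(m["dst_port"]) in SUPPRESS_TCP_DST_PORTS):
            suppressed[m["src_ip"]] += 1
            continue
        kept.append(line)
    return kept, suppressed


# Constructed sample syslog lines (hypothetical hosts, RFC 5737 addresses).
SAMPLE_LOG = [
    'Oct 22 23:01:02 pix %PIX-4-106023: Deny tcp src inside:10.0.0.5/1025 dst outside:192.0.2.10/139 by access-group "outbound"',
    'Oct 22 23:01:03 pix %PIX-4-106023: Deny tcp src inside:10.0.0.5/1026 dst outside:192.0.2.10/137 by access-group "outbound"',
    'Oct 22 23:01:04 pix %PIX-4-106023: Deny tcp src inside:10.0.0.7/1027 dst outside:192.0.2.11/135 by access-group "outbound"',
    'Oct 22 23:01:05 pix %PIX-4-106023: Deny udp src inside:10.0.0.5/137 dst outside:192.0.2.10/137 by access-group "outbound"',
    'Oct 22 23:01:06 pix %PIX-6-302013: Built outbound TCP connection 12 for outside:192.0.2.20/80 (192.0.2.20/80) to inside:10.0.0.9/1028 (203.0.113.1/1028)',
]

if __name__ == "__main__":
    kept, suppressed = filter_106023(SAMPLE_LOG)
    for line in kept:
        print(line)
    for host, n in suppressed.items():
        print(f"suppressed {n} NetBIOS (TCP 137/139) denies from {host}")
```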
This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 10:25:43 PDT