Re: [logs] firewall logging and rulesets

From: Raffael Marty (raffael.marty@private)
Date: Fri Oct 24 2003 - 16:12:50 PDT


    Brian,
    
    Interesting answers. Some comments of mine inline:
    
    > When you said "Host OS messages as applicable"; the way I interpret that is 
    > there are three buckets into which I throw messages.  Messages that are 
    > issued as part of the normal operation go in one bucket.  Messages that are 
    > issued irregularly when defined things happen go into another bucket.   And 
    > then there are messages that signal a problem that go into a "red" 
    > bucket.  So for my three "buckets" I do this:
    
    Does the PIX actually indicate these buckets (or similar ones) in the events? 
    Could I use the event-id ranges for that? Or is that a feature which will be added
    in a future release? 
    
    > - I like to count the normal operations messages and make sure that I 
    > create some baseline (between x-y per hour or y-z per day).  This baseline 
    > is a kind of load gauge for the device.
    
    Good point. Now you just need the tool to do this. 
    
    > - The "irregular" messages usually require correlation with other 
    > conditions or events.  If someone were auditing what I was doing they would 
    > ask about those.  I should have an explanation.  How often I do that 
    > depends on what I can get away with (audit interval).
    
    For this you normally need some more context information; basically the
    capability to correlate with other event sources!
    
    > Most of the time I talk to people about this they ask me to tell them about 
    > "events".    Analyzing log data I can put most people to sleep telling you 
    > about this, that, and the other events.  The challenge here is for someone 
    > to come up with a really good list of events that we should tell everyone 
    > about.  The ICSA Firewall program folks have done a decent job of heading 
    > down that road.
    
    I can try to be the "someone to come up with a [really good?] list":
    Tell me everything the firewall does! That's all I want! Then assign a
    severity to the events and let me decide which ones I wanna look at.
    Only if I see all the events can I draw myself an adequate picture of
    what is happening across my network. 
    
    A different issue as a remark on the side: 
    
    I get kind of frustrated with the log formats people use. Including PIX.
    Why can't you stick to a uniform format? Maybe having a handful of
    different formats. Just something that is parseable easily enough?! In
    the PIX events the source IP is sometimes at the beginning, then in the
    middle of the event, ... This makes it really hard to parse the events
    and analyze them! Not that it is not possible, but makes things more
    time consuming and error prone!
    
    	Thanks
    
    	- Raffy
    
    -- 
    
    Raffael Marty, CISSP                          
    Security Engineer                           Content Team @ ArcSight Inc.
    1309 South Mary Ave.                                 Sunnyvale, CA 94087
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
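
An added example, not part of the original message and not code from either poster: it sorts PIX-style syslog lines into the three buckets discussed in the thread and counts "normal" messages per hour against a baseline band. The mapping of the severity digit in `%PIX-<severity>-<id>` to the buckets, the baseline band, the host name `fw1` and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the "%PIX-<severity>-<message id>: text" style.
SAMPLE = """\
Oct 24 14:01:07 fw1 %PIX-6-302013: Built outbound TCP connection 101 for outside:192.0.2.10/80 to inside:10.0.0.5/1025
Oct 24 14:01:09 fw1 %PIX-6-302014: Teardown TCP connection 101 for outside:192.0.2.10/80 to inside:10.0.0.5/1025
Oct 24 14:20:41 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4431 dst inside:10.0.0.5/22 by access-group "outside_in"
Oct 24 15:02:13 fw1 %PIX-6-302013: Built outbound TCP connection 102 for outside:192.0.2.10/80 to inside:10.0.0.5/1026
Oct 24 15:02:15 fw1 %PIX-6-302014: Teardown TCP connection 102 for outside:192.0.2.10/80 to inside:10.0.0.5/1026
Oct 24 15:10:30 fw1 %PIX-6-302013: Built outbound TCP connection 103 for outside:192.0.2.11/443 to inside:10.0.0.6/1027
Oct 24 15:10:31 fw1 %PIX-6-302014: Teardown TCP connection 103 for outside:192.0.2.11/443 to inside:10.0.0.6/1027
Oct 24 15:40:00 fw1 %PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/4432 to 10.0.0.5/23 flags SYN on interface outside
Oct 24 16:05:00 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4433 dst inside:10.0.0.5/25 by access-group "outside_in"
"""

# Captures "Mon DD HH" (the hour key), the severity digit and the message id.
TAG = re.compile(r"^(\w{3} +\d+ \d\d):\d\d:\d\d \S+ %PIX-([0-7])-(\d{6}): ")


def bucket(severity):
    """Assumed mapping: 0-3 -> red, 4-5 -> irregular, 6-7 -> normal."""
    if severity <= 3:
        return "red"
    return "irregular" if severity <= 5 else "normal"


def analyze(text, baseline=(1, 3)):
    """Return (normal count per hour, messages to review, hours off baseline)."""
    per_hour, review = Counter(), []
    for line in text.splitlines():
        m = TAG.match(line)
        if not m:
            # Never drop what cannot be parsed; it goes to a human.
            review.append(("unparsed", line))
            continue
        hour, name, msg_id = m.group(1), bucket(int(m.group(2))), m.group(3)
        per_hour[hour] += 0  # register the hour even if it has no normal traffic
        if name == "normal":
            per_hour[hour] += 1
        else:
            review.append((name, msg_id))
    lo, hi = baseline
    # Hours with no log lines at all never appear here and need a separate check.
    off = {h: n for h, n in per_hour.items() if not lo <= n <= hi}
    return dict(per_hour), review, off


if __name__ == "__main__":
    for part in analyze(SAMPLE):
        print(part)
```
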
    


