Pen Testing..

[Jason1977]

We are about to have someone do some external pen testing. i know its this week but my boss wants me to monitor activity on the firewall and syslogs and such. he wants me to discover the activity and come to him with it. I am obvioulsy still in traning on this stuff and would really appreciate anyones advice on what i should be looking for and where i can find this info? where are sys logs typicaly located?

[NemorY]

where are sys logs typicaly located?

Control Panel-> Administrative Services - > Event Viewer. If you mean those,

the firewall logs can be usualy found in the firewall folder, and the firewall action history can also be usualy viewd from the firewall itself !

[thread_killer]

What kind of firewalls are you using?

I really only would call myself really proficient with the PIX. But it's not that hard to do.

Rather than type out the instructions, you can look it up here.

As far as what you should be looking for...look for ip/port/ping scans coming in from the outside. Honestly, if you know what addresses you have that should be talking, and what direction they should be talking, you should identify it pretty easily.

Common ports that people will try to exploit include (but are not limited to) 21, 22, 23, 25, 80, 110, 135, 136, 137 ,138, 139, 443, and 445,. I also see traffic directed at 5190 (AIM port) and 8080 (commonly used by a bunch of stuff). Another trick they might use is sourcing their port from a diffrent service. So if you see say....an rlogin connection attempted on the smtp port, something is amiss.

[Jason1977]

Thank you guys. it is a pix.
I know where event view is and how to view those logs i guess i just dont knwo what i am looking at. but mor eon the lines of the firewall i dotn knwo what to lopok for and dont knwo where the sys logs get stored so i can look at them. I access the firewall through a GUI via HTTPS and the IP.

[AngelicKnight]

What firewall do you use Jason? We can probably give you a more specific answer if we know which one you're using.

/edit -- PIX, not familiar with that one, but ThreadKiller has the right advice. Watch for those log events he described in the PIX's log. Also, make sure you're blocking all incoming traffic from the outside, except for trusted sources, of course.

You won't find much network security related in the event log (correct me if I'm wrong guys) because it pertains to logging errors within the computer, but you do need to make sure security auditing is active. That will log failed password attempts and other important events.

[thread_killer]

Actually AngelicKnight you can log every single packet that passes through the pix. I export mine to a slackware 8.0 box where cron jobs run scripts against those logs and migrate it off-box to a machine in my office. Then more scripts parse that info against the Snort logs for interesting traffic. If something really weird is in there, I get an E-mail.

Knowing what you're looking for though, that is the trick of it.

[faith_in_death]

i think you should e listening for conections in uncommon hours.....tcp conections to ports that aren't used by your compani....the load of the network...versus THE RAL LOAD OF THE NETWORK(what services are been used...stuff like that...)also unsuccesesfull logins...form inside the fariweall as from outside.....if you need specific help....em mail me.....faith_in_death ARROBA hotmail DOT com

[Jason1977]

we have webtrands but i dont know how it works

[DjM]

Do you mean Webtrends Firewall Suite? If so, it's good for preparing reports on your firewall activity, but that is after the fact. You need something more 'real time'. Do you have any intrusion detection systems installed (e.g. snort)?

Cheers:

[faith_in_death]

if i where you...i'll isntall some sniffer on the ipnputs....etherals is just great...but if you don't configure it well...you'll get tons of garbage.....also..check treh proxy for options to monitoring....