Thread: firewall logging

  1. #1
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325

    firewall logging

    This question probably has an obvious answer... and it is probably different based on personal preference.

    I've been looking at logs quite frequently to see what hits my firewall. There are tons of repeat attempts (most likely worms) that hit the same ports. Does it really matter if you log them or not?

    For instance... port 445. This fills my logs with crap. Should I just create a separate firewall rule and not log it? Right now my firewall consists of mostly the catch-all rule. I have some custom entries... but for the most part... most of my log is filled by the catch-all rule. Is there any real reason for me to log the repeat attempts? I know it's not allowing the attempt....

    This is just for my home network. Most of the time my daily logs don't exceed 1MB, so it's not that big of a deal. It's just annoying when I'm reviewing logs to see the same stuff all the time.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    the beign of authority kurt_der_koenig's Avatar
    Join Date
    Jan 2004
    Location
    Pa
    Posts
    567
    umm a good question. But think, one day something might happen where that specific port was used and now you don't know anything 'cause you told it to log nothing! Maybe make a rule that will put those port-like events in another folder/section but if it's different have it put where it should be?!? If I sound high or distorted please tell me because I'm about to collapse on my keyboard, sorry lol. I hate insomnia!

  3. #3
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    phishphreek80,
    I'm not sure what firewall you use but, with Outpost Pro you can create filters to better organize the traffic. Pro (by default) has a nice setup for the detailed logs it keeps. For example, there's one filter that's called "NetBios History" which places any and all NetBios connection attempts/scans into a specific location. Again, I don't know what firewall you use but, maybe you could create some filters for your logs?
    I tend to keep full logs only because the Attack Detection plug-in on Pro doesn't break down each attack/scan/connection outright. With the logs, I can get much more detailed information. So, to answer your question, yes. It is important (imo) to keep logs no matter how redundant the information may be.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I'm using a Cisco router as my border firewall which is logged to a kiwi syslogd server.
    It's not all that flexible...

    I can create a script that will exclude certain events from my "reports"...
    Maybe that would be a better solution.

    I have software firewalls that will organize alerts... but that's inside my LAN. If I didn't create the alert... it won't be there. I have yet to see anything other than a false positive on my internal LAN. Unless I created it.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
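    The "script that excludes certain events from the reports" mentioned above, as an added example that is not from the poster or from Kiwi: it parses Cisco IOS ACL log lines (the %SEC-6-IPACCESSLOGP format), rolls repeat denied hits on noisy ports such as 445 into one count per port and source, and passes everything else through untouched. The sample lines, addresses and ports are constructed for illustration; the raw syslog file stays as it is, only the report is condensed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of Cisco IOS ACL logging;
# hosts and ports are made up for this example.
SAMPLE_LOG = """\
Jun  1 10:00:01 router 1234: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(2345) -> 192.0.2.10(445), 1 packet
Jun  1 10:00:05 router 1235: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.6(3310) -> 192.0.2.10(445), 1 packet
Jun  1 10:01:12 router 1236: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4412) -> 192.0.2.10(445), 3 packets
Jun  1 10:02:44 router 1237: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.9(51000) -> 192.0.2.10(22), 1 packet
Jun  1 10:03:00 router 1238: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.20(40000) -> 192.0.2.10(80), 1 packet
"""

# One ACL log event: action, protocol, src(port) -> dst(port), packet count.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

def parse_lines(text):
    """Yield one dict per parseable ACL log line; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            ev["count"] = int(ev["count"])
            yield ev

def summarize(text, noisy_ports=(445,)):
    """Split events into a per-port/per-source tally for the noisy ports
    (denied only) and a list of every other event kept in full."""
    noise = defaultdict(Counter)   # dport -> Counter(src -> packets)
    detail = []
    for ev in parse_lines(text):
        if ev["action"] == "denied" and ev["dport"] in noisy_ports:
            noise[ev["dport"]][ev["src"]] += ev["count"]
        else:
            detail.append(ev)
    return noise, detail

def report(text, noisy_ports=(445,)):
    """Render the condensed report as text: one summary line per noisy port,
    then the remaining events verbatim."""
    noise, detail = summarize(text, noisy_ports)
    out = [f"port {p}: {sum(c.values())} denied packets from {len(c)} sources"
           for p, c in sorted(noise.items())]
    out += [f"{e['action']} {e['proto']} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}"
            for e in detail]
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Anything that is not on a noisy port, or that was permitted rather than denied, still reaches the report line by line, so the condensed view does not hide a new event the way a "don't log" rule would.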

  5. #5
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    An edge firewall or router will see Sasser-type traffic on 445 all day.
    I log everything and rotate often. Kiwi should rotate and compress your logs, which take up very little space after compression.
    I like to keep logs and archive them, but if you're not protecting much, there's no real reason to keep them.

    Cheers,

    SGS

  6. #6
    Banned
    Join Date
    Jul 2001
    Posts
    1,100
    Greetings:

    Kiwi will let you set up rules to filter incoming logs before parsing them out to an actual log file. Why not just do that?

    I, for one, have never really seen the need to be a freak when it comes to firewall logs for most networks. If your firewall is logging the incident, that means it blocked it. What more action would you as a user take? Hunt down the perp assuming it's not an automated attempt? I think not. If hackers do manage to get through, that means they bypassed the firewall, and nothing would be logged anyway...

    Outside of larger networks, or military and gov networks, most of these logs are useless anyway except for curiosity's sake.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Outside of larger networks, or military and gov networks, most of these logs are useless anyway except for curiosity's sake.
    I don't agree with your conclusion here JP. I agree with the premise that on a day to day basis 99.9% of all logs are a waste of disk space. However, without the logs then when something does happen you are blind unless you are a forensics expert and can afford to bring down a network while you determine what happened.

    Of course, this also depends on what you log. Only logging "Blocked Inbound" is a waste of time, as you alluded to. But logging all traffic attempting to pass through the firewall, be it allowed or denied, accompanied by proper ingress and egress rules, can give a very clear picture of which systems may be affected and which may not be. It helps in the prioritization of the response which, especially in business, means time and therefore money.

    If you can go further and centralize different logging systems such as firewall, IDS, Event Logs, Web logs, mail logs all into a single log file then you can develop a very accurate picture of what occurred in any given situation with regard to network traffic.

    IMO, there is no substitute for a thorough, centralized logging policy that, of course, is properly secured.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
