
Thread: Firewall log example?

  1. #1
    Senior Member
    Join Date
    May 2004
    Posts
    140

    Firewall log example?

    Here is just a snippet of my firewall logs from Kiwi syslogger.

    My boss wants me reviewing these logs daily. What exactly should I be looking for? What should pop out as a red flag? There will always be a lot of "deny", right? What about "Deny inbound"? Should I be looking closely at those lines?

    Right now I am just having Kiwi go to a .txt file. Is there something better I should be exporting to?







    Romans 7:14-20
    14 We know that the law is spiritual; but I am unspiritual, sold as a slave to sin. 15 I do not understand what I do. For what I want to do I do not do, but what I hate I do. 16 And if I do what I do not want to do, I agree that the law is good. 17 As it is, it is no longer I myself who do it, but it is sin living in me. 18 I know that nothing good lives in me, that is, in my sinful nature. For I have the desire to do what is good, but I cannot carry it out.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Re: Firewall log example?

    Originally posted here by Jason1977
    Here is just a snippet of my firewall logs from Kiwi syslogger.

    My boss wants me reviewing these logs daily. What exactly should I be looking for? What should pop out as a red flag?
    What definitely pops up as a red flag is the fact you're posting this information on a public forum for the whole world to enjoy. I don't think your boss would like that.

    But a few of the ones I definitely would check out are those outbound IRC connections (port 6667). This could indicate a trojan infection on your network.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    Jan 2004
    Posts
    124
    I agree with SirDice, it is not wise to publish logs without at least masking your IP address (even Notepad has a find/replace feature).

    I am not in a position to give you much information, but I can give you some leads.

    First, you have to learn what port is used for what.
    Here you can find a list of ports used by applications and known trojans:
    http://lists.gpick.com/portlist/portlist.htm

    Then you should check if you have any traffic on ports that shouldn't be open.

    Inbound traffic is what is coming from outside. It could reveal a possible attack or scan (one IP trying to connect on multiple ports usually means that someone is scanning for open ports).

    Outbound traffic is what is coming out of your box. It could reveal a possible trojan.

    Others maybe can give you more tips...
    Ikalo
    ------
    Make your knowledge your deadliest weapon.
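The two checks described above (one source hitting many ports on inbound denies, and outbound traffic to a known trojan/IRC port such as 6667 from the earlier reply), written out as an added example that is not part of this thread. The log lines and their "Deny inbound ... src=... dst=..." layout are constructed for the example; a real Kiwi export will need its own regex.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified Kiwi-style layout (not the poster's real logs).
SAMPLE_LOG = """\
2004-06-01 08:00:01 Deny inbound tcp src=203.0.113.7:40001 dst=192.0.2.10:21
2004-06-01 08:00:01 Deny inbound tcp src=203.0.113.7:40002 dst=192.0.2.10:22
2004-06-01 08:00:02 Deny inbound tcp src=203.0.113.7:40003 dst=192.0.2.10:23
2004-06-01 08:00:02 Deny inbound tcp src=203.0.113.7:40004 dst=192.0.2.10:25
2004-06-01 08:00:03 Deny inbound tcp src=203.0.113.7:40005 dst=192.0.2.10:80
2004-06-01 08:00:03 Deny inbound tcp src=203.0.113.7:40006 dst=192.0.2.10:443
2004-06-01 08:01:10 Deny inbound tcp src=198.51.100.4:51000 dst=192.0.2.10:80
2004-06-01 08:02:30 Permit outbound tcp src=10.0.0.15:1035 dst=198.51.100.9:6667
2004-06-01 08:02:31 Permit outbound tcp src=10.0.0.22:1040 dst=198.51.100.20:80
"""

# Assumed line layout: "<date> <time> <Deny|Permit> <inbound|outbound> <proto> src=ip:port dst=ip:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>Deny|Permit) (?P<dir>inbound|outbound) "
    r"(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SUSPECT_OUTBOUND_PORTS = {6667}  # IRC, the port called out in the thread; extend from a port list
SCAN_PORT_THRESHOLD = 5          # distinct ports from one source before we call it a scan

def parse(text):
    """Turn matching log lines into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            rows.append(d)
    return rows

def find_scanners(rows, threshold=SCAN_PORT_THRESHOLD):
    """One external IP denied on many different ports: likely a port scan."""
    ports_by_src = defaultdict(set)
    for r in rows:
        if r["dir"] == "inbound" and r["action"] == "Deny":
            ports_by_src[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= threshold}

def find_suspect_outbound(rows, ports=SUSPECT_OUTBOUND_PORTS):
    """Internal hosts talking out to ports associated with trojans/IRC bots."""
    return [(r["src"], r["dst"], r["dport"]) for r in rows
            if r["dir"] == "outbound" and r["dport"] in ports]

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    for src, ports in find_scanners(rows).items():
        print(f"possible scan from {src}: ports {ports}")
    for src, dst, port in find_suspect_outbound(rows):
        print(f"outbound to suspect port {port}: {src} -> {dst}")
```

Pointing the script at the daily .txt export gives a short list to review instead of every deny line; lines that do not match the layout are silently skipped, so check the parsed row count against the file's line count first.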

  4. #4
    Senior Member
    Join Date
    May 2004
    Posts
    140
    Since they are all internal addresses I didn't think it to be a risk...

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If you sanitized it and re-posted it maybe we could help you out a little.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by Jason1977
    Since they are all internal addresses I didn't think it to be a risk...
    If you look closely at one of the inbound log lines you'll notice your external (internet) addresses.

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Here is a better idea. Go get some firewall training. It is *impossible* for you to figure out what is a threat to your environment if you don't understand what a threat looks like. Sure, people here can tell you to look for one or two easily seen threats, but there are thousands and thousands more.

    I certainly wouldn't want someone attempting to fly a plane without proper training; why would someone in a management position want a person with no clue (sorry) watching the perimeter or the business network?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    Senior Member
    Join Date
    May 2004
    Posts
    140
    So you think the company said "Hey Jason, go get some training" and I said "NO!"?
    If I could get training I would.
