-
February 21st, 2005, 04:39 PM
#1
Senior Member
Firewall log example?
Here is just a snippet of my firewall logs from Kiwi syslogger.
My boss wants me reviewing these logs daily. What exactly should I be looking for? What should pop out as a red flag? There will always be a lot of "deny", right? What about "Deny inbound", should I be looking closely at those lines?
Right now I am just having Kiwi go to a .txt file. Is there something better I should be exporting to?
Romans 7:14-20
14 We know that the law is spiritual; but I am unspiritual, sold as a slave to sin. 15 I do not understand what I do. For what I want to do I do not do, but what I hate I do. 16 And if I do what I do not want to do, I agree that the law is good. 17 As it is, it is no longer I myself who do it, but it is sin living in me. 18 I know that nothing good lives in me, that is, in my sinful nature. For I have the desire to do what is good, but I cannot carry it out.
-
February 21st, 2005, 05:08 PM
#2
Re: Firewall log example?
Originally posted here by Jason1977
Here is just a snippet of my firewall logs from Kiwi syslogger.
My boss wants me reviewing these logs daily. What exactly should I be looking for? What should pop out as a red flag?
What definitely pops up as a red flag is the fact you're posting this information on a public forum for the whole world to enjoy. I don't think your boss would like that.
But a few of the ones I definitely would checkout are those outbound IRC connections (port 6667). This could indicate a trojan infection on your network.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 21st, 2005, 05:39 PM
#3
Senior Member
I agree with SirDice, it is not wise to publish logs without at least masking your IP address (even Notepad has a find/replace feature).
I am not in a position to give you much information, but I can give you some leads.
First, you have to learn what port is used for what.
Here you can find a list of ports used by applications and known trojans:
http://lists.gpick.com/portlist/portlist.htm
Then you should check if you have any traffic on ports that shouldn't be open.
Inbound traffic is what is coming from outside. It could reveal a possible attack or scan (one IP trying to connect on multiple ports usually means that someone is scanning for open ports).
Outbound traffic is what is coming out of your box. It could reveal a possible trojan.
Others can maybe give you more tips...
Ikalo
------
Make your knowledge your deadliest weapon.
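The two leads above (post #2: outbound IRC on port 6667; post #3: one external IP probing many ports) can be turned into a small daily triage script. This is an added example, not code from the thread or from Kiwi; the log lines and their layout are constructed for illustration, since the original poster's snippet is not shown, and the port threshold and the IRC port are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified layout:
# "<date> <time> <action> <direction> <proto> <src>:<sport> -> <dst>:<dport>"
# They are NOT the poster's real Kiwi output, whose exact format is not shown.
SAMPLE_LOG = """\
2005-02-21 16:01:02 Deny inbound tcp 203.0.113.45:3201 -> 198.51.100.10:21
2005-02-21 16:01:02 Deny inbound tcp 203.0.113.45:3202 -> 198.51.100.10:22
2005-02-21 16:01:03 Deny inbound tcp 203.0.113.45:3203 -> 198.51.100.10:23
2005-02-21 16:01:03 Deny inbound tcp 203.0.113.45:3204 -> 198.51.100.10:25
2005-02-21 16:01:04 Deny inbound tcp 203.0.113.45:3205 -> 198.51.100.10:80
2005-02-21 16:01:04 Deny inbound tcp 203.0.113.45:3206 -> 198.51.100.10:135
2005-02-21 16:02:10 Deny inbound udp 203.0.113.9:1029 -> 198.51.100.10:137
2005-02-21 16:05:30 Permit outbound tcp 192.168.1.77:1182 -> 203.0.113.200:6667
2005-02-21 16:05:31 Permit outbound tcp 192.168.1.20:1183 -> 203.0.113.201:80
2005-02-21 16:06:00 Permit outbound tcp 192.168.1.77:1190 -> 203.0.113.200:6667
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>Permit|Deny) (?P<direction>inbound|outbound) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
IRC_PORT = 6667        # outbound IRC, the red flag named in post #2 (assumed port)
SCAN_THRESHOLD = 5     # assumed: distinct destination ports from one source before we call it a scan

def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the constructed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec

def triage(log_text, scan_threshold=SCAN_THRESHOLD):
    """Flag (a) outbound connections to the IRC port and (b) inbound sources hitting many ports."""
    irc_outbound = []                     # (internal host, external IRC server) pairs
    ports_by_source = defaultdict(set)    # inbound source IP -> set of destination ports tried
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip anything that is not a connection record
        if rec["direction"] == "outbound" and rec["dport"] == IRC_PORT:
            irc_outbound.append((rec["src"], rec["dst"]))
        elif rec["direction"] == "inbound":
            ports_by_source[rec["src"]].add(rec["dport"])
    scanners = {ip: sorted(ports) for ip, ports in ports_by_source.items()
                if len(ports) >= scan_threshold}
    return {"irc_outbound": irc_outbound, "scanners": scanners}
```

Run `triage(open("kiwi.txt").read())` against the daily export; only the findings need a human's eyes, which is what makes a daily review of a file full of "deny" lines practical.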
-
February 21st, 2005, 06:04 PM
#4
Senior Member
Since they are all internal addresses I didn't think it to be a risk...
-
February 21st, 2005, 10:50 PM
#5
If you sanitized it and re-posted it maybe we could help you out a little.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
February 22nd, 2005, 10:30 AM
#6
Originally posted here by Jason1977
Since they are all internal addresses I didn't think it to be a risk...
If you look closely at one of the inbound log lines you'll notice your external (internet) addresses.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 22nd, 2005, 12:45 PM
#7
Here is a better idea. Go get some firewall training. It is *impossible* for you to figure out what is a threat to your environment if you don't understand what a threat looks like. Sure, people here can tell you to look for one or two easily seen threats, but there are thousands and thousands more.
I certainly wouldn't want someone attempting to fly a plane without proper training, why would someone in a management position want a person with no clue (sorry) watching the perimeter or the business network?
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
February 23rd, 2005, 04:31 PM
#8
Senior Member
So you think the company said, "Hey Jason, go get some training," and I said NO!
If I could get training I would.