|
-
June 11th, 2006, 07:37 AM
#1
Junior Member
firewall log analysis
i post on behalf of my colleagues
Hello All..
Firstly i hope that i post in the right section.
Currently one of my responsibilities is doing some firewall log analysis for my company. Since i was new in this related field, i can't examine it in the right way. Now i refer to http://www.honeynet.org/scans/scan30...this%5b/url%5d site and also http://www.dshield.com/%5d%5bcolor=r...5d%5b/color%5d site for my analysis. If u guys knows other website, maybe a good one for me to refer, please do share it with me. Thanks.
-
June 11th, 2006, 09:30 AM
#2
First off, your links are dead ....
The actual linked sites didn't work either.
Did you mean SotM #30 Write-up by Anton Chuvakin, netForensics Honeynet version 0.2 ?
( I can not decipher the dshield link. )
Second, what are you looking for ??
To analyze logs ( in this case specifically firewall logs ) you need to know several things ( prerequisite ):
1) you have to know your firewall and your firewall rules.
If you don't know what is allowed and what is not you are pissing into the wind; the same holds true if you don't know all that follows. You also have to know what format your logs are in before you can interpret them. For this you will have to consult the appropriate documentation for the particular firewall. ( You did not specify what firewall you are looking at. )
2) you have to know what is logged.
Not everything on every firewall is logged. Firewalls can be set to log nothing, log everything, or anywhere in between. You have to know what exactly is logged, and why. Your specific rules may or may not be sufficient.
3) you have to know your network.
Only what is needed on the network may be allowed to pass the firewall, and only to the destination(s) that need it. Are you using strictly TCP/IP, are you using ATM, VPNs, etc. Do you have public and/or private web pages available? Do you run ssh for remote login, and if so, from where is it allowed, and to where is it allowed? Do you have remote clients that need to connect to an Intranet? Do you run a time server? Do you run an FTP server or CVS repository? How about an RSS feed? Do you allow chat clients? Do you run your own chat server? Who exactly is allowed to access each particular service, and from where? Is bandwidth throttled?
The above only touches the surface, but if you don't know those answers then you have no business analyzing any firewall log.
If you do know those answers, maybe providing some of them could help others examine and interpret the logs, or perhaps they could recommend a few books or links, or you could search the site for past recommendations, but without more info it is hard to know where to direct you.
You being a member since 2001, I would think you would know to provide more info. What's the deal with that? I read your past posts, it appears you know more then you are letting on ( waiter ... with IDS knowledge? ); maybe this is a member under another identity trying to boost security threads?
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
June 11th, 2006, 04:06 PM
#3
kevler,
Excuse me if I'm wrong, but it would appear that you are using “Honeynet's Archived Challenges” as comparisions for your logs. The link that works is Here. The one inpartiticular you listed was “Scan3”, an nmap scan for IP types. Not a bad idea to pick up some educational information, but those archives are from 2000 -2001. That seems kinda dated for real time comparisions. The information IKnowNot provided is of great value concerning log analysis.
I ususally don't hurl and two-block the “Google Pennant” on the Port Yardarm (see note below) when folks ask for sites or assistance, however in this case it's appropriate. Since in the interm you will need to make the selection of which one(s) you use/like, so set the lookouts and enter:
automated firewall analyzer
into a search bar and you will be provided with a multitude of programs and sites.
cheers
***Note: The Port Yardarm was selected because this morning I am moored Port Side to the dock after a long night and that Yard is facing the approaching sand peeps. This enables them to recognize that the “Google Pennant” is aloft.
Bos'n, pipe “Sweepers” this place looks like the innards of a whale's stomach.
Connection refused, try again later.
-
June 12th, 2006, 12:25 PM
#4
Junior Member
kevler post on behalf of me..
Here is my reference site :
1. honeynet
2. Robert graham's firewall analysis article
3. Here if I want to know services and sometimes viruses or exploit regarding to particular port.
All traffic that I've been analyst is already being dropped. Just to know what the pattern or what hacker out there looking at our site. Just like what Anton Chuvakin did(refer to reference 1).
All I saw in the firewall logs is source IP, destination IP, and port number. For example, if there's one source looking into some range of IP, I categorized it as host scanning. So if u guys knows better or knows other good site for me to refer at, please do share it with me..
-
June 12th, 2006, 01:18 PM
#5
You can't really tell what's going on if you only know the source and destination IPs and ports. That's the rather "unfortunate" side-effect of having a firewall. If you really want to know what they're up to you're going to have to analyze a "full" connection. Probabaly not a good idea to allow this on a production environment.
Dshield does show certain 'popular' ports for any given period but whether a scan on port 139 i.e. is due to worm A or worm B is nearly impossible to tell without allowing the connection to proceed and you get to gather additional information. But again I highly advize not to allow this in a production environmont for the simple reason that you might bite off more then you can chew..
Just write off all the blocked traffic on you firewall. Create statistics if you like that sort of stuff (your boss might like those graphs  ). It's not really interesting info.. It's blocked and that's all you should verify.
The real theat is in the traffic you actually allow through your firewall.
NB Portscans are a fact of (Internet) life these days. I wouldn't worry about them to much. As long as your firewall is detecting and blocking those you'll be fine
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 12th, 2006, 01:46 PM
#6
I really dig the oyster and clam speak. I think it is a good idea like IKnowNot said, to weigh anchor before beginning any dive. There are dangers swimming haphazardly in uncharted waters. You may think you're seeking buried treasure when in fact the Captain is just looking for someone to walk the plank and rake through the keel for his/her own inadequate seamanship.
Application logs are also very helpful too as a comparison to the actual firewall. Your Intrusion and Extrusion detection engines also provide meaningful and collaborative information.
In time and after you've developed some familiarity with what is normal traffic, you can build some simple analysis scripts which will identify the unusual in a heartbeat. Mulling through logs is bad for the eyes, why not let the tools do the work for you?
***Note: The Port Yardarm was selected because this morning I am moored Port Side to the dock after a long night and that Yard is facing the approaching sand peeps. This enables them to recognize that the “Google Pennant” is aloft.
Moor like pebbles in the sand or in your shoe. And probably not a pennant. Moor like penance or perchance moor precisely "Guge Penchant." Just a thought liken to Jonah's surprise enroute to Ninevah.
Eating Crow Is Better With MyCrowSauce
-
June 13th, 2006, 01:06 AM
#7
Junior Member
I can't use automated tools due to limited budget my company has.
What I'm doing now is:
- if external host targetting our IP address using port TCP 1433 or UDP 1434, I categorized it as worm activities (slammer worm)
-ICMP packets - false alarm.
-If traffic coming from internal to internal or internal to external, I put it as traffic anomalies.
-I also used Domain Dossier to check the source IP. Sometimes its reverse query (response from external network to internal network) since Domain Dosier provide service scan and DNS record scans through web.
-External host targetting internal using port TCP 139, TCP 445, TCP 135, TCP 3127 - I group it as worm activities (Sasser use TCP 139 and TCP 445, TCP 3127 (Novark), TCP 135 (Blaster))
-Most of the rest is scanning from internet.
I know what I'm doing now is lousy, but this is the only way to do it. Advice from u guys on this matter would be so much appreciated.
-
June 13th, 2006, 12:38 PM
#8
Originally posted here by kitaserupa2000
I can't use automated tools due to limited budget my company has.
If your firewall produces syslog or some other text version of the logs learn Perl.. Then you can create a script that'll analyze your logs.. Just sit back, let the computer do your job and enjoy the results.. Remember, computers were created to automate dull and tedious jobs
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 14th, 2006, 02:26 PM
#9
Junior Member
There's no text log.
Actually I'm using correlation engine. 3 firewall+3 NIDS+2 HIDS push into 1 correlation engine. Alert from IDS will show the alert message while the firewall log will show event's time, source port, destination port, source IP and destination IP.
For the time being, i'm stick with what I'm doing..doing all analyzing manually. That's why I'm looking for how to's like my previous list.
-
July 7th, 2006, 07:33 AM
#10
Junior Member
Build vs Buy
Guys,
Just go buy Firewall Analyzer (www.fwanalyzer.com). Saves you money & saves you time
SysLog
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
