Re: [fw-wiz] PIX Logging Analysis
From: Dave Rinker (firstname.lastname@example.org)
From: Dave Rinker <email@example.com> To: firstname.lastname@example.org Date: 05 Mar 2003 14:15:55 -0500
you need people to look at the logs :)
I use ipaudit-web http://ipaudit.sourceforge.net/ipaudit-web/
for looking at realtime traffic, snort for IDS behind the FW
http://www.snort.org/ , modular syslog to log to a mySQL server
http://sourceforge.net/projects/msyslog/ in addition to flatfile syslog
on the server.
The ipaudit is excellent, I just caught a virus flooding UDP port 137
outbound and squashed it. (unfortunately I can't lock the host up to
prevent the user from shutting off virus protection at the moment)
Snort is good but you will get alot of false alarms that if given to
your customer will cause panic. Which might be a good thing but be sure
to get paid by the hour not the job, so when they call you can charge
msyslog has worked really well to examine the logs through a php web
interface. this will enable you or your customer to see if ports are
blocked by source or destination and make the appropriate changes.
the flatfile syslog is good just for your own records. I rotate mine
daily and gzip them to save on space, later zcat to view them.
you can give them all sorts of fancy interfaces but you will still have
to have someone sort through the data. Unless I'm wrong which I hope I
am and someone on this list gives me/us an alternative. :)
btw, if you need the dsl config for the pix, post to the list and I'll
cut and paste mine. both dynamic and static configs. cisco is also
coming out with a NAT/PAT IPSec pass through in the next version (6.3).
I'm trying to get the beta now from my rep. to test it.
best of luck to you.
On Tue, 2003-03-04 at 20:17, Paul Stewart wrote:
> HI everyone..
> I'm new to the list and apologize if I'm asking a dumb question..:)
> We are looking at deploying Cisco PIX 501's for some smaller customers
> connected via DSL. Their requests vary from wanting basic information
> on what we are protecting them from using a PIX right up to one customer
> who would like real-time or even within a few hours a listing of what
> all their employees are doing on the Internet.
> Hopefully someone will tell me that open source solutions exist for
> Linux.. At least I can hope... At the moment I am syslogging everything
> back via UDP but what exists to analyize this data?
> What is everyone using for this purpose? We may find that we will offer
> them a managed firewall solution and they receive daily email notices on
> what we have done for them? I'm not sure of the best solution and am
> open to ideas...:)
> Paul Stewart
> firewall-wizards mailing list
firewall-wizards mailing list