Re: [fw-wiz] PIX Logging Analysis

From: Dave Rinker (firewall@dsrtech.com)
Date: 03/05/03

  • Next message: Tim Chettle: "[fw-wiz] Blocking Peer to peer tools"
    From: Dave Rinker <firewall@dsrtech.com>
    To: firewall-wizards@honor.icsalabs.com
    Date: 05 Mar 2003 14:15:55 -0500
    

    you need people to look at the logs :)

    I use ipaudit-web http://ipaudit.sourceforge.net/ipaudit-web/
    for looking at realtime traffic, snort for IDS behind the FW
    http://www.snort.org/ , modular syslog to log to a mySQL server
    http://sourceforge.net/projects/msyslog/ in addition to flatfile syslog
    on the server.

    The ipaudit is excellent, I just caught a virus flooding UDP port 137
    outbound and squashed it. (unfortunately I can't lock the host up to
    prevent the user from shutting off virus protection at the moment)

    Snort is good but you will get alot of false alarms that if given to
    your customer will cause panic. Which might be a good thing but be sure
    to get paid by the hour not the job, so when they call you can charge
    them. :)

    msyslog has worked really well to examine the logs through a php web
    interface. this will enable you or your customer to see if ports are
    blocked by source or destination and make the appropriate changes.

    the flatfile syslog is good just for your own records. I rotate mine
    daily and gzip them to save on space, later zcat to view them.

    you can give them all sorts of fancy interfaces but you will still have
    to have someone sort through the data. Unless I'm wrong which I hope I
    am and someone on this list gives me/us an alternative. :)

    btw, if you need the dsl config for the pix, post to the list and I'll
    cut and paste mine. both dynamic and static configs. cisco is also
    coming out with a NAT/PAT IPSec pass through in the next version (6.3).
    I'm trying to get the beta now from my rep. to test it.

    best of luck to you.

    On Tue, 2003-03-04 at 20:17, Paul Stewart wrote:
    > HI everyone..
    >
    > I'm new to the list and apologize if I'm asking a dumb question..:)
    >
    > We are looking at deploying Cisco PIX 501's for some smaller customers
    > connected via DSL. Their requests vary from wanting basic information
    > on what we are protecting them from using a PIX right up to one customer
    > who would like real-time or even within a few hours a listing of what
    > all their employees are doing on the Internet.
    >
    > Hopefully someone will tell me that open source solutions exist for
    > Linux.. At least I can hope... At the moment I am syslogging everything
    > back via UDP but what exists to analyize this data?
    >
    > What is everyone using for this purpose? We may find that we will offer
    > them a managed firewall solution and they receive daily email notices on
    > what we have done for them? I'm not sure of the best solution and am
    > open to ideas...:)
    >
    > Thanks,
    >
    > Paul Stewart
    >
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Tim Chettle: "[fw-wiz] Blocking Peer to peer tools"