Re: [fw-wiz] PIX Logging Analysis

From: Dave Rinker <>
Date: 05 Mar 2003 14:15:55 -0500

    you need people to look at the logs :)

    I use ipaudit-web for looking at real-time traffic, snort for IDS behind
    the FW, modular syslog to log to a MySQL server in addition to flatfile
    syslog on the server.

    The ipaudit is excellent, I just caught a virus flooding UDP port 137
    outbound and squashed it. (unfortunately I can't lock the host up to
    prevent the user from shutting off virus protection at the moment)

    Snort is good, but you will get a lot of false alarms that, if given to
    your customer, will cause panic. Which might be a good thing, but be sure
    to get paid by the hour not the job, so when they call you can charge
    them. :)

    msyslog has worked really well to examine the logs through a PHP web
    interface. This will enable you or your customer to see if ports are
    blocked by source or destination and make the appropriate changes.

    The flatfile syslog is good just for your own records. I rotate mine
    daily and gzip them to save on space, later zcat to view them.

    You can give them all sorts of fancy interfaces, but you will still have
    to have someone sort through the data. Unless I'm wrong, which I hope I
    am, and someone on this list gives me/us an alternative. :)

    btw, if you need the DSL config for the PIX, post to the list and I'll
    cut and paste mine, both dynamic and static configs. Cisco is also
    coming out with a NAT/PAT IPSec pass-through in the next version (6.3).
    I'm trying to get the beta now from my rep to test it.

    best of luck to you.

    On Tue, 2003-03-04 at 20:17, Paul Stewart wrote:
    > Hi everyone..
    > I'm new to the list and apologize if I'm asking a dumb question..:)
    > We are looking at deploying Cisco PIX 501's for some smaller customers
    > connected via DSL. Their requests vary from wanting basic information
    > on what we are protecting them from using a PIX right up to one customer
    > who would like real-time or even within a few hours a listing of what
    > all their employees are doing on the Internet.
    > Hopefully someone will tell me that open source solutions exist for
    > Linux.. At least I can hope... At the moment I am syslogging everything
    > back via UDP but what exists to analyze this data?
    > What is everyone using for this purpose? We may find that we will offer
    > them a managed firewall solution and they receive daily email notices on
    > what we have done for them? I'm not sure of the best solution and am
    > open to ideas...:)
    > Thanks,
    > Paul Stewart
    firewall-wizards mailing list
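As an added example (not code from this thread, nor from ipaudit, snort or msyslog), the following Python script shows the kind of check Dave describes catching by eye: scanning PIX syslog for an inside host that is flooding outbound UDP/137. The log lines are constructed here in the PIX 6.x `%PIX-6-302005` "Built UDP connection" style, and the regular expressions, the 5-builds-in-10-seconds threshold and the `read_log` helper for gzip-rotated files are assumptions for the example, not a published format or tuning.

```python
"""Flag inside hosts building an abnormal number of outbound UDP connections
to one port (NetBIOS name service, 137, by default) from PIX syslog lines.
Added example; the message layout below is a constructed approximation of
the PIX 6.x 302005 format and may not match every software release."""
import gzip
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (laddr = inside host, faddr = remote host).
# 192.168.1.23 opens five UDP/137 connections in four seconds; 192.168.1.40
# makes one DNS lookup and a single UDP/137 connection, which is normal.
SAMPLE_LOG = """\
Mar  5 14:01:02 pix %PIX-6-302005: Built UDP connection for faddr 203.0.113.7/137 gaddr 198.51.100.2/1025 laddr 192.168.1.23/137
Mar  5 14:01:02 pix %PIX-6-302005: Built UDP connection for faddr 203.0.113.8/137 gaddr 198.51.100.2/1026 laddr 192.168.1.23/137
Mar  5 14:01:03 pix %PIX-6-302005: Built UDP connection for faddr 203.0.113.9/137 gaddr 198.51.100.2/1027 laddr 192.168.1.23/137
Mar  5 14:01:03 pix %PIX-6-302005: Built UDP connection for faddr 203.0.113.10/137 gaddr 198.51.100.2/1028 laddr 192.168.1.23/137
Mar  5 14:01:04 pix %PIX-6-302005: Built UDP connection for faddr 203.0.113.11/137 gaddr 198.51.100.2/1029 laddr 192.168.1.23/137
Mar  5 14:01:05 pix %PIX-6-302005: Built UDP connection for faddr 192.0.2.53/53 gaddr 198.51.100.2/1030 laddr 192.168.1.40/1030
Mar  5 14:01:06 pix %PIX-6-302005: Built UDP connection for faddr 203.0.113.12/137 gaddr 198.51.100.2/1031 laddr 192.168.1.40/137
Mar  5 14:01:07 pix %PIX-6-106023: Deny tcp src outside:203.0.113.50/4444 dst inside:198.51.100.2/445 by access-group "outside_in"
"""

# "Mon DD HH:MM:SS host %PIX-sev-id: body"; syslog timestamps carry no year.
SYSLOG_LINE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (%PIX-\d-\d{6}): (.*)$")
# Assumed body layout of the 302005 "Built UDP connection" message.
UDP_BUILD = re.compile(r"Built UDP connection for faddr (\S+)/(\d+) gaddr \S+/\d+ laddr (\S+)/(\d+)")


def parse_line(line):
    """Split one syslog line into (timestamp, message id, body), or None if it does not match."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    # Year defaults to 1900; only differences between timestamps are used below.
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)


def udp_builds(lines):
    """Yield (timestamp, inside_host, remote_host, remote_port) for each UDP connection build."""
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _msg_id, body = parsed
        m = UDP_BUILD.search(body)
        if m:
            yield ts, m.group(3), m.group(1), int(m.group(2))


def flag_udp_floods(lines, port=137, threshold=5, window_seconds=10):
    """Return {inside_host: peak_builds} for hosts whose outbound UDP/<port>
    connection builds reach `threshold` within any `window_seconds` span."""
    per_host = defaultdict(list)
    for ts, inside, _remote, rport in udp_builds(lines):
        if rport == port:
            per_host[inside].append(ts)
    flagged = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        peak = 0
        # Sliding window: advance `start` until the window fits, track the widest window seen.
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


def read_log(path):
    """Return the lines of a plain or gzip-rotated syslog file (the zcat step)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as f:
        return f.read().splitlines()


if __name__ == "__main__":
    for host, peak in flag_udp_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {peak} outbound UDP/137 connections inside a 10 s window")
```

Run against a rotated file with `flag_udp_floods(read_log("/var/log/pix.1.gz"))`; the same logic fits a cron job over the daily rotation Dave describes. The window is keyed on the inside address (laddr) rather than the NAT address (gaddr), because the PAT address is shared and would merge every host behind the PIX into one counter.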
