RE: [fw-wiz] Log checking?

• Previous message: Adrian Grigorof: "Re: [fw-wiz] Log checking?"
• In reply to: Paul D. Robertson: "RE: [fw-wiz] Log checking?"
• Next in thread: Marcus J. Ranum: "RE: [fw-wiz] Log checking?"
• Reply: Marcus J. Ranum: "RE: [fw-wiz] Log checking?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <firewall-wizards@honor.icsalabs.com>
Date: Wed, 29 Sep 2004 11:58:13 +0200

I think there is some mileage to be had in logging the volume of denied
outbound traffic over time. Spikes in things like IRC, HTTP to funny ports,
TFTP etc can be great indicators of infection with various kinds of malware.
And of course all that stuff would already be blocked outbound, right? ;)

I was just talking to a customer about ten minutes ago who identified a new
agobot variant that way.

I would agree that logging denied inbound is good for nothing but wasting
disk space and the occasional chuckle, unless you are interested in helping
people like ISC graph global attack trends.

I think that there are even some commercial systems that do this for a
living, but I don't know very much about them.

Cheers,

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Adrian Grigorof: "Re: [fw-wiz] Log checking?"
• In reply to: Paul D. Robertson: "RE: [fw-wiz] Log checking?"
• Next in thread: Marcus J. Ranum: "RE: [fw-wiz] Log checking?"
• Reply: Marcus J. Ranum: "RE: [fw-wiz] Log checking?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]