RE: [fw-wiz] Log checking?

From: Ben Nagy (ben_at_iagu.net)
Date: 09/29/04

  • Next message: Rodel Collado Urani: "RE: [fw-wiz] Log checking?"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 29 Sep 2004 11:58:13 +0200
    
    

    I think there is some mileage to be had in logging the volume of denied
    outbound traffic over time. Spikes in things like IRC, HTTP to funny ports,
    TFTP etc can be great indicators of infection with various kinds of malware.
    And of course all that stuff would already be blocked outbound, right? ;)

    I was just talking to a customer about ten minutes ago who identified a new
    agobot variant that way.

    I would agree that logging denied inbound is good for nothing but wasting
    disk space and the occasional chuckle, unless you are interested in helping
    people like ISC graph global attack trends.

    I think that there are even some commercial systems that do this for a
    living, but I don't know very much about them.

    Cheers,

    ben

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Rodel Collado Urani: "RE: [fw-wiz] Log checking?"