Re: [fw-wiz] Log checking?

From: Mark Tinberg (mtinberg_at_securepipe.com)
Date: 10/01/04

  • Next message: Marcus J. Ranum: "RE: [fw-wiz] Log checking?"
    To: "Paul D. Robertson" <paul@compuwar.net>
    Date: Thu, 30 Sep 2004 19:21:33 -0500 (CDT)
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Thu, 30 Sep 2004, Paul D. Robertson wrote:

    > On Thu, 30 Sep 2004, Mark Tinberg wrote:
    >
    >>> I've always felt that worrying about denied traffic was mostly for sport-
    >>> if the firewall's policy blocked it, I wasn't all that worried about much
    >>> more than overall trends- what got *through* the firewall seemed to be the
    >>> more interesting set of things.
    >>
    >> I'd agree that this is true for traffic denied incoming from the big, bad
    >> Internet but not true for traffic denied from within your organization.
    >
    > So, my direct experience leads me to conclude that the biggest problems
    > I've seen have all been from the allowed vector- and the organizations
    > which were hit were all looking only at the denied traffic. In every
    > case, we checked firewall logs, and I don't recall that ever bringing any
    > value for places that logged only blocked traffic.

    I spoke badly previously and do not disagree with you. I merely wanted to
    point out that deny logs are not entirely valueless; I did not want to
    imply that they are more valuable than accept logs or that one should view
    them in preference to accept logs.

    I do find, though, that accept logs are much more tricky to get valuable
    information out of. An individual firewall might have tens or hundreds of
    thousands of log lines per day, many of which are only packet filter logs.
    It's much easier to look at the deny logs, point and say "Look at all this
    bad stuff we are detecting/blocking", especially when you can send the
    staff off to fix various broken machines that they otherwise wouldn't know
    about.

    - --
    Mark Tinberg <MTinberg@securepipe.com>
    Staff Engineer, SecurePipe Inc.
    Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)
    Comment: For info see http://quantumlab.net/pine_privacy_guard/

    iD8DBQFBXKMPFu7F5OUjbGcRAj++AKCAI4SJD0l5mzi15mvus/T6nQ1nKQCgvPpk
    OjwkAQWwv6kVsZ79Ms0Qx/w=
    =frm2
    -----END PGP SIGNATURE-----
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
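The two uses of firewall logs discussed in this exchange (mining the deny logs for internal hosts that are misbehaving or broken, and mining the much larger accept logs for the rare flows that actually got through) can be shown in a few lines of Python. This is an added example for this archive page, not code from the thread or from either poster. It assumes an iptables/netfilter-style syslog line with constructed `FW-ACCEPT:`/`FW-DROP:` `--log-prefix` tags, RFC 1918 ranges as the definition of "internal", and a constructed sample log embedded inline; the thresholds are arbitrary and would be tuned per site.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not from the original thread). Format follows the
# netfilter LOG target as written to syslog; the FW-ACCEPT:/FW-DROP: prefixes
# are an assumed --log-prefix convention. Addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 30 19:01:02 fw kernel: FW-ACCEPT: IN=eth1 OUT=eth0 SRC=10.1.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=80
Sep 30 19:01:03 fw kernel: FW-ACCEPT: IN=eth1 OUT=eth0 SRC=10.1.2.11 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=80
Sep 30 19:01:04 fw kernel: FW-ACCEPT: IN=eth1 OUT=eth0 SRC=10.1.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=443
Sep 30 19:01:05 fw kernel: FW-ACCEPT: IN=eth1 OUT=eth0 SRC=10.1.2.12 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=80
Sep 30 19:01:06 fw kernel: FW-ACCEPT: IN=eth1 OUT=eth0 SRC=10.1.2.13 DST=203.0.113.77 PROTO=TCP SPT=40005 DPT=6667
Sep 30 19:02:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP SPT=5555 DPT=135
Sep 30 19:02:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.1 PROTO=TCP SPT=5556 DPT=445
Sep 30 19:02:03 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=10.1.2.14 DST=192.0.2.50 PROTO=TCP SPT=1100 DPT=135
Sep 30 19:02:04 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=10.1.2.14 DST=192.0.2.51 PROTO=TCP SPT=1101 DPT=135
Sep 30 19:02:05 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=10.1.2.14 DST=192.0.2.52 PROTO=TCP SPT=1102 DPT=135
Sep 30 19:02:06 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=10.1.2.10 DST=192.0.2.60 PROTO=UDP SPT=1103 DPT=137
"""

# Lazy .*? gaps tolerate the extra fields (LEN=, TOS=, TTL=, ...) that real
# netfilter lines carry between DST= and PROTO= and between PROTO= and DPT=.
LINE_RE = re.compile(
    r"FW-(?P<action>ACCEPT|DROP):.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)

# Assumption: "internal" means RFC 1918 space. Adjust to the site's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(text):
    """Yield one dict per recognisable log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def volume(records):
    """Accept vs deny line counts: shows where the bulk of the data lives."""
    return dict(Counter(r["action"] for r in records))


def denied_internal_sources(records):
    """Internal hosts whose traffic the firewall denied, busiest first.

    This is the deny-log use from the thread: denied Internet noise is mostly
    sport, but an internal host repeatedly tripping the deny rules is usually
    a misconfigured or compromised machine somebody should go and fix.
    """
    hits = Counter(r["src"] for r in records
                   if r["action"] == "DROP" and is_internal(r["src"]))
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


def rare_allowed_flows(records, max_seen=1):
    """(dst, proto, dport) tuples that internal hosts were ALLOWED to reach
    no more than max_seen times.

    This is the accept-log use: the high-volume flows are the known services,
    so the interesting entries are the ones that barely show up at all.
    """
    seen = Counter((r["dst"], r["proto"], r["dpt"]) for r in records
                   if r["action"] == "ACCEPT" and is_internal(r["src"]))
    return sorted(flow for flow, n in seen.items() if n <= max_seen)


if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    print("volume:", volume(recs))
    print("internal hosts hitting deny rules:", denied_internal_sources(recs))
    print("rare allowed outbound flows:", rare_allowed_flows(recs))
```

On the constructed sample the deny side points at 10.1.2.14 (three denied attempts to port 135 on successive outside hosts, a classic "broken machine" pattern), while the accept side surfaces the single allowed connection to port 6667 that the per-site baseline of port 80/443 traffic would otherwise bury. On a real firewall the accept side needs a longer baseline window than one day before "seen once" means anything.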
