[fw-wiz] Firewall Log Analysis - Computer vs. Human

From: Adrian Grigorof (adi_at_grigorof.com)
Date: 07/05/05

    To: <firewall-wizards@icsalabs.com>
    Date: Tue, 5 Jul 2005 12:23:15 -0400
    
    

    Hi all,

    We are trying to develop a log analyzer that would "replicate" a human's
    approach to log analysis - by that I mean the fact that a human can
    correlate information in the log with other factors (like - "hmm, the log
    says that the firewall was restarted at 12:03 PM"... oh, yeah, it was that
    UPS failure yesterday around noon). For this particular example, the log
    analyzer could say in the report: "12:03 PM - Firewall restarted - Possible
    power failure, power disconnection or manual restart" - a bit vague I agree
    but it is better than nothing - and in fact, this is what the firewall
    admin would go through, right? Thinking, "Why would there be a restart? I
    did not restart it... anything happened at noon? The UPS failure!". Or, for
    example, instead of saying IP 123.123.123.123 was denied for protocol
    TCP/8543 and letting the firewall admin worry about it, maybe the analyzer should
    do a bit of analysis, check the "history", see that this protocol is not
    something commonly used, it's not one of the common worms, and decide to
    report that it is in fact a stray TCP packet caused by Internet latency (TCP
    port higher than 1024, not a "known protocol", coming from an IP address
    that is typically accessed by internal IPs via HTTP - all this information
    should be obtainable from the logs).

    Now, the question is, what are the things (in your opinion) that only a
    human can do?

    Regards,

    Adrian Grigorof
    www.firegen.com

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
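Editor's note: the two heuristics the post describes (correlating a restart with an
out-of-band event, and classifying a denied high-port packet from a host that inside
clients recently reached over HTTP as a late/stray packet) can be sketched in a few
lines. The following is an added example, not code from the poster or from Firegen.
The log line format, the sample log, the KNOWN_EVENTS list, the "internal" address
test (10/8) and the port sets are all constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not any real firewall's output).
SAMPLE_LOG = """\
2005-07-04 11:58:02 ACCEPT TCP 10.0.0.12:3344 -> 203.0.113.7:80
2005-07-04 11:59:30 ACCEPT TCP 10.0.0.15:3401 -> 203.0.113.7:80
2005-07-04 12:03:10 RESTART firewall
2005-07-04 12:05:41 DENY TCP 203.0.113.7:80 -> 198.51.100.5:8543
2005-07-04 12:06:00 DENY TCP 192.0.2.44:6000 -> 198.51.100.5:445
2005-07-04 12:06:30 DENY TCP 192.0.2.99:51234 -> 198.51.100.5:9999
"""

# Constructed "outside the log" knowledge the admin carries in their head.
KNOWN_EVENTS = [(datetime(2005, 7, 4, 12, 1), "UPS failure reported by facilities")]

# Assumption: ports a human would recognise as normal services, and the classic
# Windows worm targets. Extend to match your environment.
KNOWN_SERVICE_PORTS = {21, 22, 25, 53, 80, 110, 143, 443}
WORM_PORTS = {135, 139, 445, 1434}

STRAY = "stray packet from earlier HTTP session (late packet, ignore)"
PROBE = "probe for known worm port (investigate source)"
UNKNOWN = "unexplained denied packet; needs human review"
DEFAULT_RESTART = "possible power failure, power disconnection or manual restart"

LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<action>ACCEPT|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
RESTART_RE = re.compile(r"(?P<ts>\S+ \S+) RESTART")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def is_internal(ip):
    # Assumption: 10/8 is the inside network.
    return ip.startswith("10.")


def analyze(log_text, events=KNOWN_EVENTS, window=timedelta(minutes=10)):
    """Return a list of (timestamp, kind, verdict) findings.

    kind is "restart" or "deny". The history the post talks about is built
    on the fly: every external host an inside client was allowed to reach on
    TCP/80 goes into http_peers, and a later DENY from that host to a high,
    unassigned port is explained as a late packet rather than an attack.
    """
    http_peers = set()
    findings = []
    for line in log_text.splitlines():
        m = RESTART_RE.match(line)
        if m:
            ts = parse_ts(m["ts"])
            # Correlate with anything the operator told us happened nearby.
            nearby = [desc for (t, desc) in events if abs(t - ts) <= window]
            findings.append((ts, "restart", nearby[0] if nearby else DEFAULT_RESTART))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line; a real analyzer would count these
        ts = parse_ts(m["ts"])
        dport = int(m["dport"])
        if m["action"] == "ACCEPT":
            if is_internal(m["src"]) and dport == 80:
                http_peers.add(m["dst"])
            continue
        # DENY: apply the post's checks in order of how alarming they are.
        if dport in WORM_PORTS:
            verdict = PROBE
        elif dport > 1024 and dport not in KNOWN_SERVICE_PORTS and m["src"] in http_peers:
            verdict = STRAY
        else:
            verdict = UNKNOWN
        findings.append((ts, "deny", verdict))
    return findings


if __name__ == "__main__":
    for ts, kind, verdict in analyze(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {kind:7} {verdict}")
```

The order of the checks matters: a worm-port probe is reported before the stray-packet
rule is consulted, so a host that was once a legitimate HTTP peer does not get a free pass
if it later starts hitting TCP/445. The last sample line shows the honest fallback the post
asks about: with no history to explain it, the analyzer says so and leaves it to the human.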

