RE: [fw-wiz] Firewall Log Analysis - Computer vs. Human

From: Paul Melson (pmelson_at_gmail.com)
Date: 07/11/05

    To: "'Adrian Grigorof'" <adi@grigorof.com>, <firewall-wizards@icsalabs.com>
    Date: Mon, 11 Jul 2005 11:52:54 -0400
    
    

    Only a human can be pissed when his or her pager goes off at 3am. :-) The
    rest of the "analysis" of any specific conditions or cases can be done with
    software because it's based on static or logical conditions. For that
    matter, it should be done with software.

    Log analysis is a loathsome job if you slog through the same junk day in
    and day out. It's also pretty easy to get blinded to subtle anomalies when
    you are drowning in logs. Therefore, it makes the most sense to me to use
    software to reduce the 'noise' or at least convert it into useful
    information (like event counts, event count deltas, event count averages
    over time, etc.). The end result should be that any human performing log
    analysis should only be looking at individual events that are specifically
    identified as significant or are not identified as being insignificant - the
    former requiring some sort of action, and the latter requiring at least some
    form of additional investigation.

    PaulM

    -----Original Message-----
    We are trying to develop a log analyzer that would "replicate" a human's
    approach to log analysis - by that I mean the fact that a human can
    correlate information in the log with other factors (like - "hmm, the log
    says that the firewall was restarted at 12:03 PM"... oh, yeah, it was that
    UPS failure yesterday around noon). For this particular example, the log
    analyzer could say in the report: "12:03 PM - Firewall restarted - Possible
    power failure, power disconnection or manual restart" - a bit vague I agree
    but it is better than nothing - and in fact, this is what the firewall
    admin would go through, right? Thinking, "Why would there be a restart? I
    did not restart it.. anything happened at noon? The UPS failure!". Or for
    example, instead of saying IP 123.123.123.123 was denied for protocol
    TCP/8543 and let the firewall admin worry about it maybe the analyzer should
    do a bit of analysis, check the "history", see that this protocol is not
    something commonly used, it's not one of the common worms and decide to
    report that it is in fact a stray TCP packet caused by Internet latency (TCP
    port higher than 1024, not a "known protocol", coming from an IP address
    that is typically accessed by internal IPs via HTTP - all this information
    should be obtainable from the logs).

    Now, the question is, what are the things (in your opinion) that only a
    human can do?

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
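Both messages above describe the same pipeline in words: software reduces the firewall log to counts and count deltas per time bucket, classifies individual denies against the "history" already in the log (a high port that is not a known service, from a host our internal machines just reached over HTTP, is probably a late packet rather than an attack), annotates a restart with the plausible causes, and hands a human only the events that are significant or that nothing could explain. The block below is an added example written for this page, not code from either poster or from any product. The log format, the port lists, the 5-minute bucket and the sweep threshold are all assumptions, and the log lines are constructed.

```python
"""Firewall-log triage: software does the counting and correlation, a human sees the rest.
Added example; the log format, port lists and thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log lines in an assumed "DATE TIME ACTION k=v ..." format (not a real firewall's).
SAMPLE_LOG = """\
2005-07-10 11:58:02 accept src=10.1.1.20 dst=203.0.113.7 proto=tcp dport=80
2005-07-10 11:58:03 accept src=10.1.1.21 dst=203.0.113.7 proto=tcp dport=443
2005-07-10 11:59:30 deny src=192.0.2.44 dst=10.1.1.5 proto=tcp dport=445
2005-07-10 12:03:10 restart
2005-07-10 12:05:44 deny src=203.0.113.7 dst=10.1.1.20 proto=tcp dport=8543
2005-07-10 12:06:01 deny src=198.51.100.9 dst=10.1.1.5 proto=tcp dport=445
2005-07-10 12:06:02 deny src=198.51.100.9 dst=10.1.1.6 proto=tcp dport=445
2005-07-10 12:06:03 deny src=198.51.100.9 dst=10.1.1.7 proto=tcp dport=445
2005-07-10 12:06:04 deny src=198.51.100.9 dst=10.1.1.8 proto=tcp dport=445
2005-07-10 12:07:15 deny src=198.51.100.77 dst=10.1.1.5 proto=tcp dport=22
"""

# Assumed site policy: ports we consider "known protocols", and ports mass-scanning malware hits.
KNOWN_SERVICE_PORTS = {22, 25, 53, 80, 443}
WORM_TARGETED_PORTS = {135, 139, 445, 1434}
SCAN_THRESHOLD = 3  # distinct internal hosts one source must hit in a bucket to count as a sweep

def parse(line):
    """'2005-07-10 12:05:44 deny src=... dport=8543' -> dict; a restart line carries no fields."""
    date, time, action, *fields = line.split()
    ev = {"ts": datetime.fromisoformat(f"{date} {time}"), "action": action}
    for field in fields:
        key, value = field.split("=", 1)
        ev[key] = int(value) if key == "dport" else value
    return ev

def load(log_text):
    return [parse(line) for line in log_text.splitlines() if line.strip()]

def bucket(ts, minutes=5):
    """Round a timestamp down to the start of its 5-minute bucket (assumed bucket size)."""
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0)

def event_counts(events, minutes=5):
    """Event counts per (bucket, action, dport): the 'useful information' view, not raw lines."""
    counts = Counter()
    for ev in events:
        counts[(bucket(ev["ts"], minutes), ev["action"], ev.get("dport"))] += 1
    return counts

def count_deltas(counts):
    """Change in each (action, dport) count between consecutive buckets that saw it."""
    per_key = defaultdict(dict)
    for (b, action, dport), n in counts.items():
        per_key[(action, dport)][b] = n
    deltas = {}
    for key, by_bucket in per_key.items():
        buckets = sorted(by_bucket)
        for prev, cur in zip(buckets, buckets[1:]):
            deltas[(key, cur)] = by_bucket[cur] - by_bucket[prev]
    return deltas

def classify_deny(ev, outbound_web_hosts):
    """Rule of thumb from the thread: high port, not a known service, and the source is a host
    our internal machines recently reached over HTTP(S) -> probably a stray/late packet."""
    dport = ev["dport"]
    if dport in WORM_TARGETED_PORTS:
        return "worm-targeted port"
    if dport > 1024 and dport not in KNOWN_SERVICE_PORTS and ev["src"] in outbound_web_hosts:
        return "stray packet (late reply from a host we talked to)"
    return "unclassified"

def triage(log_text):
    """Return only what a human should read: significant events, plus denies nothing could explain."""
    events = load(log_text)
    outbound_web = {ev["dst"] for ev in events
                    if ev["action"] == "accept" and ev.get("dport") in (80, 443)}
    report = []
    sweeps = defaultdict(set)  # (bucket, src, dport) -> internal hosts hit on a worm port
    for ev in events:
        if ev["action"] == "restart":
            report.append((ev["ts"], "significant",
                           "Firewall restarted - possible power failure, power disconnection or manual restart"))
        elif ev["action"] == "deny":
            verdict = classify_deny(ev, outbound_web)
            if verdict == "worm-targeted port":
                # single probes on worm ports are background noise: counted, only reported as a sweep
                sweeps[(bucket(ev["ts"]), ev["src"], ev["dport"])].add(ev["dst"])
            elif verdict == "unclassified":
                report.append((ev["ts"], "investigate",
                               f"deny {ev['src']} -> {ev['dst']} {ev['proto']}/{ev['dport']}: {verdict}"))
            # stray packets never reach the human; they stay in event_counts() for trend review
    for (b, src, dport), hosts in sweeps.items():
        if len(hosts) >= SCAN_THRESHOLD:
            report.append((b, "significant", f"{src} swept {len(hosts)} internal hosts on tcp/{dport}"))
    return sorted(report)

if __name__ == "__main__":
    for ts, level, text in triage(SAMPLE_LOG):
        print(ts, level.upper(), text)
```

On the constructed input the human is left with three lines out of ten: the restart with its suggested causes, the four-host sweep on tcp/445 from one source, and the deny on tcp/22 that no rule could explain. The tcp/8543 deny from 203.0.113.7 is suppressed because the same log shows internal hosts reaching that address on 80 and 443 a few minutes earlier, which is exactly the correlation the original poster wanted automated. The stray-packet rule is deliberately narrow (the source must already appear as an accepted web destination); widening it to "any high port" would also hide genuine probes of high-numbered services.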

