Re: [fw-wiz] parsing logs ultra-fast inline



Hi, all!

On Mon, Feb 06, 2006 at 05:05:06PM -0500, Anton Chuvakin wrote:

> meaning. Take Tina's VPN example - how many types of log entries you would
> expect from a VPN concentrator? From my experience, not more than 20 but
> let's assume there are 50. Give a sample from each entry to a Perl

He-he, no :-) I just looked at the old documentation bundle of Cisco
VPN 3000 messages and it's nowhere near the above. How about 2049
unique messages documented by Cisco?

But 99+% of these messages will probably be of these kinds:

IKE phase 1 completed with peer X
IKE phase 2 completed with peer X, IPSec SA established
RADIUS/CA/XAUTH successful for X
IPSec SA terminated upon request
IPSec SA rekey
IKE SA terminated upon request
IKE SA rekey
IPSec SA timeout
IKE SA timeout
IKE phase 1 failed - invalid peer/certificate/PSK/proposal/...

Did I forget anything? Obviously it doesn't matter. Detect, weed
out and store the messages above - they are the routine cases
and not interesting. Or don't store them. Only count their numbers.
A sudden rise of the last one for a single remote IP address _is_
interesting.

Flag the remaining <1% for human inspection. Then write parsing rules
for the handful of distinct messages that comprise 99+% of
these remaining <1%.

I didn't invent the "counting" thing - someone else on this list
once wrote: "The number of times an uninteresting thing occurs
is an interesting thing." I found that worth memorizing ;-)

Kind regards,
Patrick
--
punkt.de GmbH Internet - Services - Consulting
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
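The triage Patrick describes (match the handful of routine message kinds, only count them, hand everything unmatched to a human, and alert when phase-1 failures from one remote address suddenly rise) as a worked example. This is added here and is not code from the original thread, from Cisco, or from punkt.de. The log lines are constructed for illustration and are not the documented Cisco VPN 3000 message texts; the peer addresses are RFC 5737 documentation ranges, and the "5 failures from one peer within one minute" threshold is an assumption, not a figure from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (added example, not real Cisco VPN 3000 output).
SAMPLE_LOG = """\
10:00:01 vpn1 IKE phase 1 completed with peer 198.51.100.7
10:00:01 vpn1 IKE phase 2 completed with peer 198.51.100.7, IPSec SA established
10:00:02 vpn1 XAUTH successful for 198.51.100.7
10:00:40 vpn1 IPSec SA rekey
10:01:10 vpn1 IKE phase 1 failed with peer 203.0.113.9 - invalid PSK
10:01:11 vpn1 IKE phase 1 failed with peer 203.0.113.9 - invalid PSK
10:01:12 vpn1 IKE phase 1 failed with peer 203.0.113.9 - invalid PSK
10:01:13 vpn1 IKE phase 1 failed with peer 203.0.113.9 - invalid PSK
10:01:14 vpn1 IKE phase 1 failed with peer 203.0.113.9 - invalid PSK
10:02:00 vpn1 IKE phase 1 failed with peer 198.51.100.7 - invalid proposal
10:02:30 vpn1 IKE SA terminated upon request
10:02:31 vpn1 IPSec SA terminated upon request
10:03:00 vpn1 Certificate validation: CRL for CA Example-Root could not be retrieved
10:03:05 vpn1 IKE SA timeout
"""

# Line framing: "HH:MM:SS host message" (assumed format for the constructed sample).
LINE_RX = re.compile(r"^(?P<hh>\d\d):(?P<mm>\d\d):\d\d \S+ (?P<msg>.*)$")

# The routine classes from the post, one regex each. Patterns are written
# against the constructed sample, not against Cisco's documented texts.
ROUTINE_RULES = [
    ("ike_p1_ok",        re.compile(r"^IKE phase 1 completed with peer (?P<peer>\S+)")),
    ("ike_p2_ok",        re.compile(r"^IKE phase 2 completed with peer (?P<peer>[^,\s]+)")),
    ("auth_ok",          re.compile(r"^(?:RADIUS|CA|XAUTH) successful for (?P<peer>\S+)")),
    ("ipsec_sa_term",    re.compile(r"^IPSec SA terminated upon request$")),
    ("ipsec_sa_rekey",   re.compile(r"^IPSec SA rekey$")),
    ("ike_sa_term",      re.compile(r"^IKE SA terminated upon request$")),
    ("ike_sa_rekey",     re.compile(r"^IKE SA rekey$")),
    ("ipsec_sa_timeout", re.compile(r"^IPSec SA timeout$")),
    ("ike_sa_timeout",   re.compile(r"^IKE SA timeout$")),
    ("ike_p1_fail",      re.compile(r"^IKE phase 1 failed with peer (?P<peer>\S+) - (?P<reason>.+)$")),
]

FAIL_THRESHOLD = 5  # assumption: 5+ phase-1 failures from one peer in one minute is worth a look


def classify(msg):
    """Map one message body to (class, peer); anything unmatched is ("UNKNOWN", None)."""
    for name, rx in ROUTINE_RULES:
        m = rx.match(msg)
        if m:
            return name, m.groupdict().get("peer")
    return "UNKNOWN", None


def triage(log_text):
    """Count routine classes instead of storing them, keep the unmatched lines
    for a human, and flag peers whose phase-1 failures spike within one minute."""
    counts = Counter()
    unknown = []
    fails = defaultdict(Counter)  # peer -> "HH:MM" bucket -> failure count
    for raw in log_text.splitlines():
        m = LINE_RX.match(raw)
        if not m:
            counts["UNKNOWN"] += 1
            unknown.append(raw)   # unparseable framing is itself worth a look
            continue
        cls, peer = classify(m.group("msg"))
        counts[cls] += 1
        if cls == "UNKNOWN":
            unknown.append(raw)
        elif cls == "ike_p1_fail":
            fails[peer][m.group("hh") + ":" + m.group("mm")] += 1
    suspicious = {peer: max(buckets.values())
                  for peer, buckets in fails.items()
                  if max(buckets.values()) >= FAIL_THRESHOLD}
    return {"counts": counts, "unknown": unknown, "suspicious_peers": suspicious}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for cls, n in sorted(result["counts"].items()):
        print(f"{n:5d}  {cls}")
    print("for human inspection:", *result["unknown"], sep="\n  ")
    print("peers with a phase-1 failure spike:", result["suspicious_peers"])
```

On the sample, the five "invalid PSK" failures from 203.0.113.9 land in the same minute and trip the threshold, the single "invalid proposal" failure from 198.51.100.7 does not, and the one CRL line, matching no routine rule, is the <1% that gets queued for a person rather than silently counted.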


