Re: [fw-wiz] Pix 535 Logging

-----Original Message-----
Subject: [fw-wiz] Pix 535 Logging

We're currently getting a lot of CERT notifications for spammers operating
within our network - mainly
just students with 0wned machines, but we're looking into ways to automate
the procedure slightly.

Anyway, what I'm looking to do, and what I need help with.... I want to
know if it's possible to log all
outbound port 25 connection attempts, EXCEPT those that come from our
authorised MX's and mail servers.
AND I would like to be able to do this in addition to the normal logging
that takes place.

So, is it possible?

Any thoughts and guidance you can provide are very much appreciated.

James,

It's definitely possible.

Ideally, you would want to log all firewall traffic and then use a log
parser/analyzer to isolate and report on this traffic. But if I had to
guess, I'd say that the daily firewall log for a residential university like
Sunderland would be in the tens of gigabytes if not the hundreds, so you're
probably not doing this on a whim.

So my recommendation would be to use access-list with log level directives.
Something like:

access-list permit tcp any any 25 log level 3

These access-lists should be placed before the 'permit ip any any' rule or
any other very general permit rule that might match and *after* the rules
that allow traffic to/from your authorized mail servers. The logging level
you set the access-list to should be the same or less than the general
logging trap level you have set in your config.

The advantage to this approach is it makes it easy to enable/disable logging
of this specific traffic but it also makes it easy to move from logging this
traffic to blocking this traffic if you decide to go that direction.

PaulM





_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Relevant Pages

  • Re: fine grain logging cotrol
    ... statement is in and one other factor like a log level. ... def Siamese_cat: ... I was planning on using logging. ... the getLogger creates a logging channel so there is one channel per class? ...
    (comp.lang.python)
  • Re: log4j and log file lock?
    ... Few sources even acknowledge the importance of logging, though nearly every professional programmer practices it. ... In normal production scenarios there should be relatively few log messages, so stress on the socket should be low. ... Even INFO messages should be sparse - verbosity is for DEBUG. ... If you've cranked up your log level to DEBUG, it's because you've got bigger concerns than a little blocking. ...
    (comp.lang.java.programmer)
  • Re: [PATCH,RFC,resend] printk: restore previous console_loglevel when re-enabling logging
    ... This means that if the kernel was booted with 'quiet', ... suddenly no longer quiet after logging to console gets re-enabled. ... If the log level is set to a specific value ... this is interpreted as an implicit re-enabling of ...
    (Linux-Kernel)
  • create a log level for python logging module
    ... I am trying to create a log level called userinfo for the python ... I read the source code and tried to register the level to the ... logging namespace with the following source: ...
    (comp.lang.python)
  • [fw-wiz] PIX VPN Logging question
    ... I am doing some firewall cleanup for a small company that is using PIXes ... I am working to get the Internet logging to a syslog server, ... In order to stop the cryptomap access-lists from logging I have tried ... no logging message 305012 ...
    (Firewall-Wizards)