RE: Firewall Activity analysis

From: Matthew F. Caldwell (mattc@guarded.net)
Date: 12/11/02

  • Next message: Raistlin: "Re: Crossover Error Rate (WAS "Intrusion Prevention")"
    Date: Wed, 11 Dec 2002 15:02:33 -0500
    From: "Matthew F. Caldwell" <mattc@guarded.net>
    To: "Terry Ziemniak" <tmz@hawk.swc.com>, <focus-ids@securityfocus.com>
    

    In general, to make our time more effective we all must do this type of analysis, since we all know that it is becoming increasingly difficult to read logs on a daily basis. In other words it's hard to read gigs of log data each day and not all of us have teams of people reading logs. I commend you for writing the Perl program and developing your query tool in access.

    It makes perfect sense; some vendors are doing this now in an attempt to maximize the effectiveness of their security personnel (including my company). If I may, suggest something a little more robust than Access (file size restrictions etc). Not only firewall data, but why not multiple types of data. These could be entered into the system. It's all about how the system parses and understands the data submitted. For example, how your script would possibly understand the bytes in the payload (http) is a function of parsing that statistic.
       
    I don't think man or machine can make an accurate decision based purely on the number of bytes in a packet thusly the need for more information. For example, you know you have an animal in a box, the animal breaths and weighs 15 pounds, fur is coming out of the box, but you still don't know if it's a black cat (hat) or your loving lab puppy. I also, think this should be left to the IDS/IPS to perform these functions aka "peek into the packet".

    I enjoyed your comment on "List all successful TCP connections for everyone who had more than 1 explicit denied connection". Building more or less what's called event chaining or what some vendors are calling "event correlation". Linking events seems to be a very good way of reducing false positives, however it's not an end all be all to discovering new attacks/attackers. Anomaly detection via statistical analysis would be an effective method for discovering these new attacks.

    Matthew F. Caldwell, CISSP
    Chief Security Officer
    Guarded Net, Inc. "The home of neuSECURE"
    www.guarded.net
    em:mattc@guarded.net

    -----Original Message-----
    From: Terry Ziemniak [mailto:tmz@hawk.swc.com]
    Sent: Wednesday, December 11, 2002 11:00 AM
    To: focus-ids@securityfocus.com
    Subject: Firewall Activity analysis

    All,

    I have been working on firewall activity analysis for Pix firewalls for
    a while. I have written a perl script that parses the log files and
    puts all of the data into an Access database. This allows me to run
    queries such as "List all successful TCP connections for everyone who
    had more than 1 explicit denied connection".

    This is an explicit (rigid ?) way to flag bad behavior. However I was
    wondering it makes sense (now that all of the data is in a database) to
    attempt statistical analysis of this data to flag bad behavior.

    I could look at the HTTP bytes, or number of connections, or time (etc)
    and flag source IPs that deviate from the norm by a certain amount. I
    could do this without setting hard limits (such as 'list the top 1%
    incoming HTTP users') which would limit that amount of IPs flagged as
    bad. Of course this would be applicable to any protocol.

    The goal of this is to flag suspicious communications that should be
    more thoroughly investigated.

    At this point this is a mental exercise but I was wondering if anyone
    had any thoughts or opinions on the matter.
     
    PS - This is based on my somewhat tenuous grasp of statistical analysis.

    Thanks.

    Terry