Re: Data Mining for PIX Firewall Logs
From: jkowall (jkowall_at_shocking.net)
Date: 02/10/05
- Previous message: Tim: "Re: Mapping Class A network ( any easy trick?)"
- In reply to: Carey Heck: "Data Mining for PIX Firewall Logs"
- Next in thread: Jerry Shenk: "RE: Data Mining for PIX Firewall Logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 09 Feb 2005 21:47:33 -0500 To: Carey Heck <carey.heck@gmail.com>
First you will have to log the data via syslog. I recommend Kiwi Syslog
Daemon for Windows. The pro version is cheap and it can do compression,
rotation, and filtering. It can also do email based alerting.
Syslog-ng for *NIX is by far the most extensible and advanced daemon for
*NIX.
Now that you have the files, I would recommend the following products:
http://www.sawmill.net/
Sawmill not only processes PIX easily, but it can also process anything
from sendmail, to IIS logs. It's a great tool. Well priced, and
processes hundreds and hundreds of different logfiles.
http://www.surfstats.com/sla_pro.asp
Decent product, haven't used it much
http://www.softland.com.ar/info/eiqnetworks/firewallan/submain.htm
Expensive last time I looked, never used it.
http://tud.at/programm/fwanalog/
Free logfile processor, the reports are pretty basic.
http://perlmonks.thepen.com/123707.html
Script to monitor a log and page/email.
http://www.itefix.no/phpws/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=21&MMN_position=21:21
Never used this one.
There are a couple other ones too, but these are some of the main ones.
Good luck, email with any additional questions.
-jk
Carey Heck wrote:
>Hi folks. I love the ability in the Checkpoint firewall logging
>applet that allows me to load up any former saved log file, and filter
>according to any criteria I set.
>
>Let's use an example:
>
>I want to show an auditor what exactly went through my firewall,
>to/from a specific DMZ host, between the hours of 1 and 3pm GMT, on
>July 8th, 2003.
>
>In checkpoint, if I had correctly configured my ruleset, and archived
>my log files properly, I could provide this answer within 30 minutes.
>
>Fast forward to my current company, which went with a Cisco PIX
>solution based on the up front cost. I can log all the connections to
>my heart's content, but boy mining the data to help show what happened
>in my above example has been tiresome at best.
>
>Can anyone here please suggest to me some type of logging and more
>relevantly, a data mining product that can help me achieve this end?
>
>Currently I am logging all my PIX traffic to a host running Kiwi
>syslog daemon, which archives each day's logs into a separate folder in
>the dated logs directory, creating a new directory named for each date
>in the year.
>
>I am looking for a less clunky solution.
>
>Any help is GREATLY appreciated.
>
>Thanks!
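As an added example (not from this thread or from any of the products listed above), here is a Python script that answers the original question directly against the raw syslog files Kiwi archives: it parses PIX connection-build (302013) and ACL-deny (106023) messages, extracts the interface:ip/port endpoints, and keeps only the records that touch a given DMZ host inside a time window. The log lines are constructed samples; the script assumes the firewall's clock is already in the timezone the auditor wants (GMT here) and, since syslog timestamps carry no year, the year is supplied by the caller.

```python
import re
from datetime import datetime

# Constructed sample lines (syslog prefix + PIX message), not real log data.
SAMPLE_LOG = """\
Jul  8 12:59:58 pix %PIX-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51234 (203.0.113.5/51234) to dmz:192.0.2.10/80 (198.51.100.10/80)
Jul  8 13:15:02 pix %PIX-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.7/40001 (203.0.113.7/40001) to dmz:192.0.2.10/443 (198.51.100.10/443)
Jul  8 13:20:45 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/3333 dst dmz:192.0.2.10/22 by access-group "outside_in"
Jul  8 14:01:10 pix %PIX-6-302013: Built outbound TCP connection 1003 for dmz:192.0.2.10/38000 (198.51.100.10/38000) to outside:198.51.100.99/25 (198.51.100.99/25)
Jul  8 14:30:00 pix %PIX-6-302013: Built inbound TCP connection 1004 for outside:203.0.113.5/51300 (203.0.113.5/51300) to dmz:192.0.2.11/80 (198.51.100.11/80)
Jul  8 15:00:00 pix %PIX-6-302013: Built inbound TCP connection 1005 for outside:203.0.113.5/51400 (203.0.113.5/51400) to dmz:192.0.2.10/80 (198.51.100.10/80)
"""

# "Mon dd hh:mm:ss host %PIX-<sev>-<id>: body"; syslog timestamps carry no year.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"%PIX-\d-(?P<msgid>\d{6}): (?P<body>.*)$")
# Endpoints written as interface:ip/port (pre-NAT address); the parenthesised
# mapped addresses carry no interface prefix and are deliberately skipped.
ENDPOINT_RE = re.compile(r"([\w-]+):(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")


def parse_line(line, year):
    """Return {time, msgid, endpoints, raw}, or None for lines that don't match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": when, "msgid": m["msgid"], "raw": line,
            "endpoints": ENDPOINT_RE.findall(m["body"])}  # [(iface, ip, port)]


def mine(log_text, host_ip, start, end, year):
    """Records touching host_ip with start <= time < end (ISO strings), in file order."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None or not (lo <= rec["time"] < hi):
            continue
        if any(ip == host_ip for _, ip, _ in rec["endpoints"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    hits = mine(SAMPLE_LOG, "192.0.2.10", "2003-07-08 13:00", "2003-07-08 15:00", 2003)
    for rec in hits:
        print(rec["time"], rec["msgid"], rec["endpoints"])
```

Point `mine` at the contents of a day's archived file instead of `SAMPLE_LOG` to reproduce the auditor query from the original post; the window end is exclusive, so a 15:00:00 event is not counted as "between 1 and 3pm".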