RE: Data Mining for PIX Firewall Logs

From: Jerry Shenk (jshenk_at_decommunications.com)
Date: 02/10/05

    To: <pen-test@securityfocus.com>, <carey.heck@gmail.com>
    Date: Thu, 10 Feb 2005 07:05:08 -0500
    
    

    Export the logs to text-only and then use grep to select what you want.
    I do all my syslogging to linux boxes. The PIX gives you a TON of
    information and it's very consistent so selecting what you want using
    regular expressions will work great.

    -----Original Message-----
    From: Carey Heck [mailto:carey.heck@gmail.com]
    Sent: Wednesday, February 09, 2005 5:09 PM
    To: pen-test@securityfocus.com; bugtraq@securityfocus.com
    Subject: Data Mining for PIX Firewall Logs

    Hi folks. I love the ability in the Checkpoint firewall logging
    applet that allows me to load up any former saved log file, and filter
    according to any criteria I set.

    Let's use an example:

    I want to show an auditor what exactly went through my firewall,
    to/from a specific DMZ host, between the hours of 1 and 3pm GMT, on
    July 8th, 2003.

    In Checkpoint, if I had correctly configured my ruleset, and archived
    my log files properly, I could provide this answer within 30 minutes.

    Fast forward to my current company, which went with a Cisco PIX
    solution based on the up front cost. I can log all the connections to
    my heart's content, but boy, mining the data to help show what happened
    in my above example has been tiresome at best.

    Can anyone here please suggest to me some type of logging and more
    relevantly, a data mining product that can help me achieve this end?

    Currently I am logging all my PIX traffic to a host running Kiwi
    syslog daemon, which archives each day's logs into a separate folder in
    the dated logs directory, creating a new directory named for each date
    in the year.

    I am looking for a less clunky solution.

    Any help is GREATLY appreciated.

    Thanks!

    -- 
    Carey
    
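As an added example, not code from either poster, here is the approach Jerry describes (text syslog plus regular expressions) carried through for Carey's audit question: every message naming one DMZ host as either endpoint, inside a two-hour window on a given day, with a count by message ID at the end. The sample log lines are constructed for this example and only approximate the PIX 6.x syslog format (syslog-server timestamp, then %PIX-severity-msgid, then message text) for Built, Teardown and Deny messages; the function names and the 10.10.1.5 host are mine. The window is given as ISO timestamps and is assumed to be in the same clock as the log file, since the syslog header carries neither year nor timezone.

```python
"""
Added example: filter exported PIX syslog text with regular expressions.
Selects all messages that name one host as an endpoint inside a time window,
then summarises them by PIX message ID.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (not from a real firewall). They approximate the
# PIX 6.x syslog format as a Linux syslog daemon writes it:
#   "Mon DD HH:MM:SS <host> %PIX-<severity>-<msgid>: <text>"
# The last line is deliberately out of time order to show the sort.
SAMPLE_LOG = """\
Jul  8 12:59:58 pix1 %PIX-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/40001 (198.51.100.7/40001) to dmz:10.10.1.5/80 (203.0.113.5/80)
Jul  8 13:02:11 pix1 %PIX-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.9/40002 (198.51.100.9/40002) to dmz:10.10.1.5/80 (203.0.113.5/80)
Jul  8 13:02:16 pix1 %PIX-6-302014: Teardown TCP connection 1002 for outside:198.51.100.9/40002 to dmz:10.10.1.5/80 duration 0:00:05 bytes 2048 TCP FINs
Jul  8 13:40:00 pix1 %PIX-4-106023: Deny tcp src outside:198.51.100.22/5555 dst dmz:10.10.1.5/445 by access-group "outside_in"
Jul  8 14:15:30 pix1 %PIX-6-302013: Built outbound TCP connection 1003 for dmz:10.10.1.5/33000 (203.0.113.5/33000) to outside:192.0.2.53/25 (192.0.2.53/25)
Jul  8 14:20:00 pix1 %PIX-6-302013: Built inbound TCP connection 1004 for outside:198.51.100.7/40010 (198.51.100.7/40010) to dmz:10.10.1.9/80 (203.0.113.9/80)
Jul  8 15:00:01 pix1 %PIX-6-302013: Built inbound TCP connection 1005 for outside:198.51.100.7/40011 (198.51.100.7/40011) to dmz:10.10.1.5/80 (203.0.113.5/80)
Jul  8 13:30:00 pix1 %PIX-5-111008: User 'enable_15' executed the 'write memory' command.
"""

# Syslog header plus the PIX message tag. Note the header carries no year.
HEADER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<text>.*)$"
)

# Every "<interface>:<ip>/<port>" endpoint in the message text. The translated
# address in parentheses has no interface prefix, so it is deliberately skipped.
ENDPOINT_RE = re.compile(
    r"\b(?P<iface>[A-Za-z][\w-]*):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)"
)


def parse_line(line, year):
    """Return a dict for one PIX syslog line, or None for lines that are not PIX messages."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {int(m['day']):02d} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    endpoints = [
        (e["iface"], e["ip"], int(e["port"])) for e in ENDPOINT_RE.finditer(m["text"])
    ]
    return {"ts": ts, "host": m["host"], "sev": int(m["sev"]), "msgid": m["msgid"],
            "endpoints": endpoints, "text": m["text"]}


def filter_host_window(log_text, host_ip, start_iso, end_iso):
    """Select messages naming host_ip as an endpoint, with start <= timestamp < end.

    start_iso/end_iso are 'YYYY-MM-DDTHH:MM:SS'. The year comes from the window
    start because the syslog header has none (the dated archive directory tells
    you which year a file belongs to). Timestamps are compared as written, so the
    window must be expressed in the same clock the log was recorded in.
    """
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line, start.year)
        if rec is None or not (start <= rec["ts"] < end):
            continue
        if any(ip == host_ip for _, ip, _ in rec["endpoints"]):
            hits.append(rec)
    # Syslog files are not guaranteed to be in time order (buffering, two sources).
    hits.sort(key=lambda r: r["ts"])
    return hits


def summarize(hits):
    """Count selected messages by PIX message ID (e.g. 302013 built, 302014 teardown, 106023 deny)."""
    return dict(Counter(rec["msgid"] for rec in hits))


if __name__ == "__main__":
    selected = filter_host_window(
        SAMPLE_LOG, "10.10.1.5", "2003-07-08T13:00:00", "2003-07-08T15:00:00"
    )
    for rec in selected:
        print(rec["ts"].isoformat(), rec["msgid"], rec["text"])
    print(summarize(selected))
```

For a one-off question on a single day the same selection is a grep pipeline on the day's file: the window's hours become a prefix pattern such as `'^Jul  8 1[34]:'` and the host becomes `'[a-z]+:10\.10\.1\.5/'`, which is exactly the regex approach Jerry suggests. The script earns its keep when the window crosses a day boundary, when the file is not in time order, or when the auditor wants a count per message ID rather than raw lines. Whichever you use, the Deny (106023) lines matter as much as the Built/Teardown pairs: they are the only record of traffic that never reached the host.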
