Re: IDS logs vs FW1 logs

From: Chris Wilkes (cwilkes@ladro.com)
Date: 10/16/01


Date: Tue, 16 Oct 2001 10:09:00 -0700 (PDT)
From: Chris Wilkes <cwilkes@ladro.com>
To: security-basics@securityfocus.com
Subject: Re: IDS logs vs FW1 logs
Message-ID: <Pine.LNX.4.10.10110161005490.30321-100000@cjw.depechecode.com>

On Mon, 15 Oct 2001 themac@iinet.net.au wrote:

> In regards to external connections and access log monitoring, what/would
> there be a reason to monitor your FW logs if you already have an IDS and
> logging in place on that system??

Just a quick off-the-cuff answer: to make sure both of them are working as
advertised. Also for your own sanity and knowledge about the system. See
how both the programs work and make sure that they are reporting the same
incidents.

It does initially seem that you're doubling your work, but after becoming
familiar with both reporting tools you'll gain more of a knowledge of what's
going on.

What if one of the reporting tools was compromised? You'll be able to see
that with one of the products reporting a break-in while the other is
silent.

What if there is a new hack out? Your firewall might miss it but the IDS
doesn't, or vice versa.

In short: having multiple logs of nearly the same thing is a good thing,
you'll be able to spot irregular events more easily.

Chris
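The cross-check Chris describes (one source reporting an incident while the other is silent) can be automated. The following is an added example, not code from the original post; it uses constructed, simplified FW-1 and IDS log lines and a hypothetical (src, dst, time-window) pairing rule to list events that appear in only one of the two sources.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Simplified FW-1 style export:
# date time action src dst service
FW_LOG = """\
16Oct2001 10:01:05 drop 192.0.2.10 198.51.100.5 telnet
16Oct2001 10:01:07 drop 192.0.2.10 198.51.100.5 ftp
16Oct2001 10:02:30 accept 192.0.2.20 198.51.100.8 http
16Oct2001 10:04:00 drop 192.0.2.30 198.51.100.5 smtp
"""
# Constructed simplified IDS alerts: date time signature src dst
IDS_LOG = """\
16Oct2001 10:01:06 PORTSCAN 192.0.2.10 198.51.100.5
16Oct2001 10:02:31 WEB-CGI-PROBE 192.0.2.20 198.51.100.8
16Oct2001 10:03:15 FTP-OVERFLOW 192.0.2.40 198.51.100.9
"""
TS = "%d%b%Y %H:%M:%S"

def parse(text, kind):
    """Turn one log source into (timestamp, src, dst, label) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            d, t, label, src, dst = line.split()[:5]
            events.append((datetime.strptime(f"{d} {t}", TS), src, dst, f"{kind}:{label}"))
    return events

def correlate(fw_text, ids_text, window_s=60):
    """Pair FW and IDS events on (src, dst) when their timestamps lie within
    window_s seconds. Returns the events seen by only one source: an IDS alert
    the firewall never logged, or firewall activity the IDS said nothing about."""
    fw, ids = parse(fw_text, "FW"), parse(ids_text, "IDS")
    window = timedelta(seconds=window_s)
    matched_fw, unmatched_ids = set(), []
    for ts, src, dst, label in ids:
        hits = [i for i, (fts, fsrc, fdst, _) in enumerate(fw)
                if (fsrc, fdst) == (src, dst) and abs(fts - ts) <= window]
        if hits:
            matched_fw.update(hits)
        else:
            unmatched_ids.append((src, dst, label))
    unmatched_fw = [(src, dst, label) for i, (_, src, dst, label) in enumerate(fw)
                    if i not in matched_fw]
    return unmatched_ids, unmatched_fw

if __name__ == "__main__":
    only_ids, only_fw = correlate(FW_LOG, IDS_LOG)
    print("IDS alerts with no firewall record:", only_ids)  # the firewall may be blind or its logging tampered with
    print("Firewall events with no IDS alert:", only_fw)    # the IDS may be down or lack a signature
```

Either list being non-empty is exactly the kind of irregularity the post says a second log lets you spot; the window size is a tuning assumption, not a value from the post.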
