Re: Tools to Analyse Logs in Checkpoint NG

From: yannick'san (yannicksan_at_free.fr)
Date: 05/21/03

    To: "E P" <enda.purcell@cw.com>, <security-basics@securityfocus.com>
    Date: Wed, 21 May 2003 21:10:02 +0200
    
    

    Is it only for checking security events in FW1 logs?
    Or will you integrate, later, the logs from other equipment (router,
    switch logs, ...)?
    I say that because if you take an analysis console which is completely written
    for dealing with FW1 logs, OK, this time you won't have to write your own
    script... but later, when you check for security incidents in other
    equipment, you will have different grammars and you will have to write your
    own scripts... unless you use a second (or a third) analysis console.
    All my logs were concentrated on a syslog server. I wrote some scripts in Perl
    to look for security events. Then I inserted the results into ACID's
    database (Analysis Console for Intrusion Detection). As far as I can
    remember, there are a limited number of "key words" used in FW1, so I
    rarely had to change the grammars...
    Sorry, I used my own scripts.

    Yannick

    ----- Original Message -----
    From: "E P" <enda.purcell@cw.com>
    To: <security-basics@securityfocus.com>
    Sent: Wednesday, May 21, 2003 3:29 PM
    Subject: Tools to Analyse Logs in Checkpoint NG

    >
    > Hi all,
    >
    > I am wondering if anybody has come across any scripting tools
    > or good freeware package that can be used to analyse Checkpoint NG
    > Firewall Log files. I'm faced with the task that I have several firewalls
    > that I wish to produce reports on things like attack info from
    > Smartdefence, attacks, usage, top talkers and all that fancy stuff. Hopefully
    > someone may have come across something that could be used or easily
    > modified to perform this rather than having to write my own scripts. I have
    > looked in brief at WebTrends and I don't feel that it is granular
    > enough for what I want.
    >
    > thanks
    >
    > ---------------------------------------------------------------------------
    > Thinking About Security Training? You Can't Afford Not To!
    >
    > Vigilar's industry leading curriculum includes: Security +, Check Point,
    > Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now!
    > --UP TO 30% off classes in select cities--
    > http://www.securityfocus.com/Vigilar-security-basics
    > ---------------------------------------------------------------------------


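The pipeline Yannick describes (all logs concentrated on a syslog server, a small per-grammar parser keyed on FW-1's limited set of action keywords, results loaded into a database for reporting) as an added example. This is not code from the thread: it is written in Python rather than Yannick's Perl, the sample syslog lines, the `action=... src=... dst=...` field names and the SQLite schema are constructed for illustration, and an in-memory SQLite table stands in for the ACID database. It also carries a second grammar for a router line, to show the point about other equipment needing their own grammar, and it reports the "top talkers" the original question asks for; a line no grammar recognises is kept aside rather than silently dropped.

```python
import re
import sqlite3

# Constructed sample syslog feed (not real export data). The FW-1 lines use
# assumed key=value fields; the router line follows the shape of a Cisco ACL
# log message; the last line is deliberately from an unknown device.
SAMPLE_SYSLOG = """\
May 21 14:02:11 fw1 kernel: action=accept src=10.1.1.5 dst=192.0.2.10 proto=tcp service=80 rule=12
May 21 14:02:12 fw1 kernel: action=drop src=198.51.100.7 dst=10.1.1.5 proto=tcp service=445 rule=0
May 21 14:02:13 fw1 kernel: action=drop src=198.51.100.7 dst=10.1.1.6 proto=tcp service=445 rule=0
May 21 14:02:14 fw1 kernel: action=reject src=203.0.113.9 dst=10.1.1.5 proto=udp service=53 rule=7
May 21 14:02:15 fw1 kernel: action=accept src=10.1.1.5 dst=192.0.2.11 proto=tcp service=443 rule=12
May 21 14:02:16 fw1 kernel: action=drop src=198.51.100.7 dst=10.1.1.7 proto=tcp service=445 rule=0
May 21 14:02:17 router1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4455) -> 10.1.1.8(23), 1 packet
May 21 14:02:18 sw1 link state change on port 3
"""

# Common syslog prefix: timestamp and originating host.
SYSLOG_HEADER = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "

# One regex per device "grammar". Adding another device type means adding
# one entry here, which is the maintenance cost Yannick's reply points at.
GRAMMARS = {
    "fw1": re.compile(SYSLOG_HEADER + r"kernel: (?P<kv>(?:\w+=\S+ ?)+)$"),
    "cisco_acl": re.compile(
        SYSLOG_HEADER
        + r"%SEC-6-IPACCESSLOGP: list \S+ (?P<action>\w+) (?P<proto>\w+) "
        + r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<service>\d+)\),"
    ),
}

# Small vocabulary of action keywords, normalised to two outcomes so that
# reports can be written once, independent of which device logged the event.
ACTIONS = {"accept": "accept", "permitted": "accept",
           "drop": "drop", "reject": "drop", "denied": "drop"}


def parse_line(line):
    """Return a normalised event dict, or None if no grammar matches."""
    for grammar, pattern in GRAMMARS.items():
        m = pattern.match(line)
        if not m:
            continue
        fields = m.groupdict()
        kv = fields.pop("kv", None)
        if kv:  # FW-1 style key=value payload
            fields.update(dict(pair.split("=", 1) for pair in kv.split()))
        fields["grammar"] = grammar
        fields["action"] = ACTIONS.get(fields.get("action", "").lower(), "unknown")
        return fields
    return None


def parse_syslog(text):
    """Split a syslog feed into parsed events and lines nobody understood."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def load_events(events):
    """Insert events into an in-memory SQLite table (stand-in for ACID's DB)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE event (ts TEXT, host TEXT, grammar TEXT, action TEXT,"
                " src TEXT, dst TEXT, proto TEXT, service TEXT)")
    con.executemany(
        "INSERT INTO event VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [(e["ts"], e["host"], e["grammar"], e["action"], e.get("src"),
          e.get("dst"), e.get("proto"), e.get("service")) for e in events])
    return con


def top_talkers(con, action="drop", limit=5):
    """Sources with the most events of the given action, across all devices."""
    return con.execute(
        "SELECT src, COUNT(*) AS n FROM event WHERE action = ? "
        "GROUP BY src ORDER BY n DESC, src LIMIT ?", (action, limit)).fetchall()


def action_summary(con):
    """Event counts per normalised action."""
    return dict(con.execute("SELECT action, COUNT(*) FROM event GROUP BY action"))


if __name__ == "__main__":
    evs, left = parse_syslog(SAMPLE_SYSLOG)
    db = load_events(evs)
    print("summary:", action_summary(db))
    print("top blocked sources:", top_talkers(db))
    print("lines with no grammar:", left)
```

The router line and the three FW-1 drops from the same source fold into one "top talkers" row, which is the benefit of normalising at parse time; the switch line ends up in the unparsed list, which is where a new grammar would be needed.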