Re: Firewall log analysis
From: Brad (wouldn't_at_youliketoknow.com)
Date: 06/12/04
- Previous message: David Qunt: "Re: Firewall log analysis"
- In reply to: JC: "Firewall log analysis"
- Next in thread: John Morten Malerbakken: "Re: Firewall log analysis"
Date: Sat, 12 Jun 2004 04:11:39 GMT
While it doesn't offer all the features you ask for, you can get some
nice log analysis in linklogger. (www.linklogger.com)
Brad
On Sat, 12 Jun 2004 12:06:02 +1000, JC <jhoppyc@westnet.com.invalid>
wrote:
>Hi,
>
>I have a Sonicwall firewall which sends me a log each morning via email. I paste the log into Excel, save it then sort on source URL. An example
>of log entries showing the important parts is below:-
>
> Date & Time Result Source URL
>2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN
>2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN
>2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN
>2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN
>
>I get 80-100 entries per day, which isn't many I know, but over a month this adds up to about 2,500+ entries which take a while to go through. What
>I am looking for is patterns of probes which I then report to abuse@x.y.z asking for the probes to be stopped. To get to the abuse@x.y.z address I
>look up the details on www.dnsstuff.com. Doing this multiple times each day can be tedious and it is not immediately obvious that, for example,
>source URLs 66.139.x.y and 69.44.x.y are all connected to the same ISP.
>
>How do you deal with the firewall logs?
>
>What would be useful would be a program that will read the log file, preferably in XLS format, and spit out a summary along the lines of ISP Name,
>Abuse email address, Source URL, Date & Time sorted on ISP name, Source URL and Date & Time if multiple entries are detected. Does such a program
>exist?
>
>TIA.
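Brad's reply points at a tool; as an added example that is not part of this thread, here is a small Python script that does the first half of what JC asks for on the Sonicwall format quoted above: parse the log lines and produce a per-source summary (hit count, first/last seen, protocols and ports) sorted with repeat offenders first. The sample lines are constructed in that format; the ISP and abuse-contact lookup JC does on dnsstuff.com is a separate WHOIS step that this example does not attempt.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Sonicwall format quoted in the thread (not real log data).
SAMPLE_LOG = """\
2004/06/11 09:07:15.224 UDP packet dropped - Source:218.217.9.187, 5984, WAN
2004/06/11 09:39:36.496 ICMP packet dropped - Source:219.133.44.17, 8, WAN
2004/06/11 10:27:02.544 UDP packet dropped - Source:204.85.210.188, 31916, WAN
2004/06/11 10:28:08.304 TCP connection dropped - Source:203.129.200.7, 1511, WAN
2004/06/11 11:02:44.100 TCP connection dropped - Source:203.129.200.7, 1511, WAN
2004/06/11 11:03:01.771 TCP connection dropped - Source:203.129.200.7, 1512, WAN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<proto>[A-Z]+) "
    r"(?:packet|connection) dropped - Source:(?P<src>\d{1,3}(?:\.\d{1,3}){3}), "
    r"(?P<port>\d+), (?P<iface>\w+)$"
)

def parse_log(text):
    """Return one dict per recognised line; header, blank and unknown lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. the "Date & Time Result Source URL" header pasted from the mail
        entries.append({
            "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
            "proto": m["proto"], "src": m["src"],
            "port": int(m["port"]), "iface": m["iface"],
        })
    return entries

def summarize(entries):
    """Group by source IP: hit count, first/last seen, protocols and ports touched."""
    by_src = defaultdict(list)
    for e in entries:
        by_src[e["src"]].append(e)
    summary = []
    for src, hits in by_src.items():
        hits.sort(key=lambda e: e["time"])
        summary.append({
            "src": src, "count": len(hits),
            "first": hits[0]["time"], "last": hits[-1]["time"],
            "protos": sorted({e["proto"] for e in hits}),
            "ports": sorted({e["port"] for e in hits}),
        })
    # Busiest sources first; ties broken by address so output is stable.
    summary.sort(key=lambda s: (-s["count"], s["src"]))
    return summary
```

For the daily mail, `summarize(parse_log(open(path).read()))` on the saved text gives the table; the per-source rows are what to carry into the WHOIS lookup for the abuse contact.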