Larry Chuon wrote:
>
> We have a FW-1 box that patrols traffic in and out of the internal, external
> and DMZ networks. All of our web servers are located on the DMZ. Our
> business partners who do advertising for us are somewhere on the
> Internet. When a user clicks on the ads, the affiliates' server
> records the click. Then the request gets sent to our web servers. We
> record the request. In reality, the tally should come out to be the
> same for us and our affiliates. However, it's not the case.
Humm. Is it possible someone is coming at your site directly or through
some other link (search engine, etc.)? Obviously this would cause a
discrepancy.
> So, we
> want to do some testing. One way is to review the log file in FW-1.
> We also have WebTrend, which we can look into.
>
> Does anybody know of a better way to do the test and comparison? Is
> there a free tool for NT for this kind of job? Please email me
> directly if you could.
I personally prefer to use a database program rather than a Web analysis
tool because it provides a bit more room to develop queries. This is
really the only way you can spot slow/multi-source scans. For example,
you can look over 3 months of data to see exactly what a specific source
has been trying to do on your network. It also gives you the ability to
create pretty graphs for management. ;)
I usually do the following:
import delimited format to a common flat file
query out all outbound HTTP, FTP etc. Write to "outbound access" file
query out all source and destination port =25 and write to "mail" file
...continue through the rest of your security policy...
what remains gets written to a "suspicious access" file
So if you now want to print out an HTTP access graph, simply set a few
sort parameters and sum the results. Given your above requirements, you
could sort on HTTP & destination and trend accordingly.
The "suspicious access" file is where things get real interesting. I've
spotted hosts probing IMAP at the rate of 1 host per 7-10 days. This
does not look like a big deal till you combine 3 months worth of data.
;)
Hummm. Maybe one of these days I'll automate the whole thing into some
common app like Access and make the database GPL available.
Cheers,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
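The flat-file workflow Chris describes (import the delimited export, peel off each policy-approved class of traffic, keep the remainder as "suspicious", then sort and sum for trends) can be reproduced in a few dozen lines of Python. The block below is an added example, not code from either poster or from Check Point; the semicolon-delimited field layout, the 10/8 internal prefix and every log line are constructed assumptions, not real FW-1 output. It also shows the long-window view that catches the slow IMAP probing pattern mentioned above: per destination port, count distinct sources and the span of days they cover, which a per-day report would never flag.

```python
"""Triage a delimited firewall log export by policy, then trend the
leftovers over a long window to surface slow, multi-source probes.
All sample data is constructed; the field layout is an assumption."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export; assumed layout: date;time;action;src;dst;proto;dport
SAMPLE_LOG = """\
2000-01-03;10:01:12;accept;10.1.2.5;203.0.113.10;tcp;80
2000-01-03;10:02:40;accept;10.1.2.7;198.51.100.20;tcp;21
2000-01-04;11:15:03;accept;192.0.2.50;10.1.0.25;tcp;25
2000-01-05;02:33:19;drop;192.0.2.77;10.1.9.3;tcp;143
2000-01-13;03:12:55;drop;192.0.2.78;10.1.9.3;tcp;143
2000-01-22;04:41:07;drop;192.0.2.79;10.1.9.3;tcp;143
2000-02-01;05:09:31;drop;192.0.2.80;10.1.9.3;tcp;143
2000-02-10;01:58:44;drop;198.51.100.99;10.1.9.3;tcp;143
2000-02-11;09:00:00;accept;10.1.2.5;203.0.113.44;tcp;443
2000-03-15;23:22:10;drop;203.0.113.200;10.1.9.8;tcp;23
"""

FIELDS = ["date", "time", "action", "src", "dst", "proto", "dport"]
INTERNAL_PREFIX = "10."   # assumption: 10/8 is the internal side of the firewall


def parse_log(text):
    """Parse the delimited export into dicts with a typed port and timestamp."""
    rows = []
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter=";")
    for rec in reader:
        rec["dport"] = int(rec["dport"])
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        rows.append(rec)
    return rows


def classify(rec):
    """Walk the policy in order; whatever matches no rule is suspicious."""
    outbound = rec["src"].startswith(INTERNAL_PREFIX)
    if outbound and rec["dport"] in (80, 443, 21):   # outbound HTTP/HTTPS/FTP
        return "outbound_access"
    if rec["dport"] == 25:                            # mail, either direction
        return "mail"
    return "suspicious"


def split_by_policy(rows):
    """Equivalent of writing each query result to its own flat file."""
    buckets = defaultdict(list)
    for rec in rows:
        buckets[classify(rec)].append(rec)
    return buckets


def slow_scan_report(suspicious, min_sources=3):
    """Per destination port: distinct sources, hits and the span in days.
    Several sources touching one port across weeks is the slow probe
    pattern that only shows up when months of data are combined."""
    per_port = defaultdict(list)
    for rec in suspicious:
        per_port[rec["dport"]].append(rec)
    report = {}
    for port, recs in per_port.items():
        sources = {r["src"] for r in recs}
        if len(sources) >= min_sources:
            first = min(r["ts"] for r in recs)
            last = max(r["ts"] for r in recs)
            report[port] = {"sources": len(sources), "hits": len(recs),
                            "span_days": (last - first).days}
    return report


def http_destination_trend(outbound):
    """The 'sort on HTTP & destination and sum' step: hits per web destination."""
    return Counter(r["dst"] for r in outbound if r["dport"] in (80, 443))


if __name__ == "__main__":
    buckets = split_by_policy(parse_log(SAMPLE_LOG))
    for name, recs in buckets.items():
        print(f"{name}: {len(recs)} records")
    print("web destinations:", dict(http_destination_trend(buckets["outbound_access"])))
    print("slow probes:", slow_scan_report(buckets["suspicious"]))
```

Point `parse_log` at a real export (adjusting `FIELDS` and the delimiter to whatever the log exporter emits) and extend `classify` with one rule per line of the security policy; the order of the rules matters, since the first match wins and only unmatched records reach the suspicious bucket.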