Hi Crispin,
I think you also need to clearly define when you want to be alerted to
these incidents in your request.
For example, do you want a report done daily, or do you want real-time
intrusion detection?
If the latter, take a look at:
http://www.checkpoint.com/products/firewall-1/realsecure.html
That's one IDS system; there are many cheaper alternatives I'm sure,
although I haven't had any experience with them personally (well, apart
from Snort :-)).
Lance Spitzner has an excellent white paper regarding a simple intrusion
detection method you can configure to give you real-time notifications on
your Firewall-1.
His whitepaper can be found at:
http://www.enteract.com/~lspitz/intrusion.html
Hope this helps some.
Chris.
At 02:42 PM 6/6/00 +0800, you wrote:
>Greetings,
> I am looking for _security_ focussed FW-1 log analysis tool.
>
>In particular, I am looking for a tool which highlights the security incidents
>from a firewall-1 log. I don't care about bandwidth utilisation, web site hits,
>top X sources/destinations (except where this might indicate a scan/hack
>attempt).
>
>I am specifically looking for something that lets me focus on the Security
>incidents in the log (as (initially) shown by Scans). I have other logs that
>show me attempts against Bind, Syslog, SMTP etc, but the tools for Firewall-1
>seem to be focussed towards Mgmt & accounting, not security.
>
>I am hoping that someone has a perl script that they already use for this...
>
>Please note: I am currently receiving over 1,500,000 lines of (already
>abridged) logs each day, with an additional 5-10 million lines to come each
>day as soon as I get the log filter working correctly. This number will just
>grow over time, and I would not be surprised to be receiving 50-80 million
>lines per day within 12 months!
>
>If anyone wants some of the details of a suggested implementation, I have
>listed them below.
>
>Regards,
> Crispin Harris
>__________________________________________________
>Security Technical Specialist, [EMAIL PROTECTED]
>CSC Australia 2 Mill St, Perth, WA, 6000
>Ph: +61(0)8 9429-6478 Mobile: 0413-629-298 Fax: +61 (0)8 9481-1332
>
>P.S.
>I have looked at WebTrends and TeleMate.NET and while both these tools provide
>good management reports, they are basically useless for detecting network
>scans etc.
>
>P.P.S
>I have previously modified a copy of 'fwlogsum.pl' (by Peter Sundstrom
><[EMAIL PROTECTED]>), and customised it to a particular environment;
>however, I am not a programmer, and I really do not have the time to spend
>programming something like this from scratch.
>
>
>==========================
>A Suggested implementation
>==========================
>I have been thinking about the specifics of my report, and this is the
>sort of stuff I want:
>
> - See each source which has more than "low_water" number of destinations
>   (host:port).
> - If the host:port was hit more than once, I want to know the number of
>   times, and the first and the last times.
> - Because there could be "num_srcs * 16384 * 65535 * num_tries" entries
>   in the log, I only want the first 'LOG_LIMIT' number of dest:port pairs kept.
> - I want to be able to provide an exclude list: <Src[,Dst[:port]] |
>   [Src,]Dst[:port]> (i.e. Source and/or Dest (with optional port) can be
>   excluded).
>
>==========================
>Pseudo-Code
>==========================
>(This pseudo-code is a bastardised mixture of Shell Script, perl, Java & C,
>sorry about any confusion that may arise)
>
>for each (Src) {
>    if ( ! grep "Src DstPort.dest.Src" Exclude_list ) {
>        # This "Src Dst:Port" is not excluded
>        if ( num_dst.Src > low_water_mark ) {
>            # We
>            print Src, "Total LogEntries: ", count.Src;
>            for each (dest.Src) {
>                print "\t", DstPort.dst.Src, first.dst.Src;
>                if ( count.dst.Src > 1 ) { print count.dst.Src, last.dst.Src; }
>                print "\n";
>            }
>        }
>    }
>}
>
>==========================
>Object Definition
>==========================
>(If I was writing in Java I would do something similar to this:)
>Object Src {
>    String[20] name;
>    IPAddress address;
>    int num_dsts;
>    long count;
>    DstList[LOG_LIMIT] dst;  /* Very UGLY - but this does illustrate what I want */
>}
>Object DstList {
>    String[20] name;
>    String[20] DstPort;
>    int count;
>    Time first, last;
>}
>
>
>During the collection phase, I would limit the number of separate dst.Src
>entries collected to approximately 1000.
>
Chris Keladis
System/Security Administrator
Custom Management Centre
Cable & Wireless Optus.
Phone: (02) 9775-5312
Mobile: (0402) 067-375
E-Mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
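As an added example (not from Chris, Crispin, or the fwlogsum.pl script mentioned above) of the Src/DstList collection with the low_water threshold, LOG_LIMIT cap and exclude list from Crispin's suggested implementation, written in Python rather than the perl he asked for. The semicolon-separated line format, the sample log lines, the threshold values and every function name are constructed assumptions for illustration, not FW-1's real log export format.

```python
from collections import defaultdict
from dataclasses import dataclass, field
LOW_WATER, LOG_LIMIT = 2, 1000   # assumed: report threshold, and cap on dst:port pairs kept per source

@dataclass
class DstEntry:   # Crispin's DstList: hits on one dst:port plus first/last time seen
    count: int = 0
    first: str = ""
    last: str = ""
@dataclass
class Src:        # Crispin's Src: total log entries and the capped dst:port table
    count: int = 0
    dst: dict = field(default_factory=dict)

def parse_exclude(lines):
    """Rules Src[,Dst[:port]] or ,Dst[:port]; an empty side matches anything."""
    pairs = [l.partition(",") for l in map(str.strip, lines) if l and not l.startswith("#")]
    return [(s or None, d or None) for s, _, d in pairs]
def is_excluded(src, dstport, rules):
    host = dstport.split(":")[0]
    return any((rs is None or rs == src) and (rd is None or rd in (dstport, host))
               for rs, rd in rules)

def collect(log_lines, rules, log_limit=LOG_LIMIT):   # constructed line format, not FW-1's
    sources = defaultdict(Src)
    for line in log_lines:                             # date;time;action;src;dst;service
        date, time, _action, src, dst, service = line.strip().split(";")
        dstport, stamp = f"{dst}:{service}", f"{date} {time}"
        if is_excluded(src, dstport, rules):
            continue
        s = sources[src]
        s.count += 1
        e = s.dst.get(dstport)
        if e is None:
            if len(s.dst) >= log_limit:
                continue                               # cap reached: hit counted, pair dropped
            e = s.dst[dstport] = DstEntry(first=stamp)
        e.count += 1
        e.last = stamp
    return sources
def report(sources, low_water=LOW_WATER):   # the pseudo-code's "num_dst.Src > low_water_mark"
    return {src: s for src, s in sources.items() if len(s.dst) > low_water}

# Constructed sample: 10.0.0.5 sweeps three ports (23 twice); 10.0.0.9 is one legitimate hit;
# the last line is a mail-relay connection that the exclude list suppresses.
SAMPLE_LOG = """6Jun2000;14:02:11;drop;10.0.0.5;192.0.2.10;21
6Jun2000;14:02:11;drop;10.0.0.5;192.0.2.10;22
6Jun2000;14:02:12;drop;10.0.0.5;192.0.2.10;23
6Jun2000;14:02:15;drop;10.0.0.5;192.0.2.10;23
6Jun2000;14:03:00;accept;10.0.0.9;192.0.2.10;25
6Jun2000;14:03:01;accept;10.0.0.5;192.0.2.99;25""".splitlines()
EXCLUDE = ["# anyone may contact the relay at 192.0.2.99 on port 25", ",192.0.2.99:25"]
```

Running `report(collect(SAMPLE_LOG, parse_exclude(EXCLUDE)))` returns only 10.0.0.5, with port 23 carrying count 2 and its first/last stamps; passing a small `log_limit` to `collect` shows the per-source total still climbing while no new dst:port pairs are stored.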