Bill Royds wrote:
>
> One easy way to DoS some firewalls is to flood their log files
> with messages until the partition fills up and the firewall
> either fails open or quits.
... which is why syslogging to a remote box is a very good idea.
(Preferably through a separate interface to an administrative network)
> Most of the summary programs that do exist (Webtrends is one) are
> more oriented to usage accounting than security analysis.
> Swatch has some features but doesn't handle all the logfile formats.
I agree completely here, although I must say that the reason probably
has something to do with every organization needing to handle its
log messages according to policy, not just by default mailing the
admin every time some kiddie rips off a trojan scan against the whole
public /24. Writing a "pre-packaged" log analyzer that is still
flexible enough to allow for local policy variations isn't really
my idea of fun.
awk is your friend :)
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com
"Senex semper diu dormit"
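As an added illustration of the "awk is your friend" point above (this is not code from the original post or from any product mentioned in it): a small shell/awk summariser that turns raw firewall drop lines into per-source counts and flags sources that probed many distinct ports. The SRC=/DPT= field layout is an assumption borrowed from the common netfilter-style log format, the sample lines are constructed, and the scan threshold is a local-policy knob rather than anything the post prescribes.

```shell
#!/bin/sh
# Added example, not part of the original post. Summarises firewall DROP log
# lines with awk. ASSUMPTION: lines carry "SRC=<ip>" and, for TCP/UDP, "DPT=<port>"
# fields (netfilter-style); adjust the field matching for other formats.

# Constructed sample log (not real traffic): one source probing many ports,
# one source hitting a single port repeatedly, one single hit, one ACCEPT line
# that must be ignored, and one ICMP drop without a DPT field.
SAMPLE_LOG='Jan 10 12:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=21
Jan 10 12:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=22
Jan 10 12:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=23
Jan 10 12:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=25
Jan 10 12:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=80
Jan 10 12:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=443
Jan 10 12:00:04 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=ICMP TYPE=8
Jan 10 12:00:05 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP DPT=25
Jan 10 12:00:06 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP DPT=25
Jan 10 12:00:07 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP DPT=25
Jan 10 12:00:08 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.77 DST=198.51.100.10 PROTO=TCP DPT=80
Jan 10 12:00:09 fw kernel: DROP IN=eth0 SRC=198.51.100.200 DST=198.51.100.10 PROTO=UDP DPT=53'

# summarize_drops THRESHOLD
#   Reads log lines on stdin and prints one line per source:
#   "<src> <dropped packets> <distinct dst ports> <SCAN|ok>"
#   A source is flagged SCAN when it touched more than THRESHOLD distinct
#   destination ports; the threshold is the local-policy knob.
summarize_drops() {
    awk -v threshold="$1" '
    /DROP/ {
        src = ""; dpt = ""
        # Pull SRC= and DPT= out of the key=value fields wherever they sit.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)      src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next            # malformed line: skip rather than miscount
        count[src]++
        # Count each (src, port) pair once so repeats do not look like a scan.
        if (dpt != "" && !((src, dpt) in seen)) {
            seen[src, dpt] = 1
            ports[src]++
        }
    }
    END {
        for (s in count) {
            flag = (ports[s] > threshold) ? "SCAN" : "ok"
            printf "%s %d %d %s\n", s, count[s], ports[s], flag
        }
    }' | sort
}

# scan_sources: convenience wrapper that prints only the flagged sources from
# the constructed sample, using a threshold of 5 distinct ports.
scan_sources() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops 5 | awk '$4 == "SCAN" { print $1 }'
}

# Run stand-alone: print the full summary for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops 5
```

Pipe the real log into `summarize_drops` instead of the sample, and wrap the output in whatever action local policy calls for (a daily digest, a ticket above some count, nothing at all for known-noisy neighbours). Because the awk script only aggregates, it copes with the log-flood case from the top of the thread far better than a per-line mailer would.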
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls