SANS Internet Storm Center (ISC) Diary
Log analysis and marketing decisions don't mix
As Jim wrote in yesterday's diary, there are several good tools available to check for suspicious patterns in your log files. But every now and then a vendor's marketing decision will throw you a curve ball, as happened to me when we upgraded a Cisco PIX to one of the shiny new "Adaptive Security Appliances" (ASA) from the same vendor. Yes, it does come with a few new features, but it still looks pretty much like a PIX, except for one little detail:

Sep 10 08:22:07 raz1-fw Sep 10 08:22:07 %PIX-3-313001: Denied ICMP type=8, code=0 from 67.x.y.z on interface outside
Sep 10 23:45:15 raz1-fw Sep 10 23:45:15 %ASA-3-313001: Denied ICMP type=8, code=0 from 64.x.y.z on interface outside

Anyone spot the difference? The facility prefix of every syslog message changed from %PIX to %ASA, while the message IDs and text stayed the same. Exchanging %PIX for %ASA in all your log filtering regexps is at least something that can be done with a script when you run SEC (Simple Event Correlator) with its Bleedingsnort rules. But if you are using an off-the-shelf (closed source) log "correlation" product and happen to upgrade your Cisco firewall, be wary of the peace and quiet that will set in on your alert screen... A filter that suddenly matches nothing looks exactly like a quiet network, unless you also check for the absence of matches you used to get, or flag Cisco-style messages whose prefix your rules don't know.
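As an added example (not code from the diary or from any vendor product), here is the kind of filter the post is talking about, written in Python: the brittle %PIX-only pattern beside a prefix-tolerant one, run over a handful of constructed log lines modelled on the two quoted above (the IP addresses are placeholders, and the %FWSM line is included only to show a prefix the rules were never told about). It also shows the two checks a practitioner wants after such an upgrade: which events the old pattern silently dropped, and which Cisco-style prefixes appear in the logs that the rule set does not recognise.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the diary's two quoted messages.
# Hostname, timestamps and addresses are placeholders, not real data.
SAMPLE_LOGS = [
    "Sep 10 08:22:07 raz1-fw Sep 10 08:22:07 %PIX-3-313001: Denied ICMP type=8, code=0 from 67.1.2.3 on interface outside",
    "Sep 10 23:45:15 raz1-fw Sep 10 23:45:15 %ASA-3-313001: Denied ICMP type=8, code=0 from 64.4.5.6 on interface outside",
    "Sep 11 00:10:42 raz1-fw Sep 11 00:10:42 %ASA-3-313001: Denied ICMP type=13, code=0 from 198.51.100.9 on interface outside",
    "Sep 11 01:05:00 raz1-fw Sep 11 01:05:00 %FWSM-3-313001: Denied ICMP type=8, code=0 from 10.9.8.7 on interface outside",
]

# The pattern as written for the PIX: the vendor prefix is hard-coded.
DENIED_ICMP_PIX_ONLY = re.compile(
    r"%(?P<prefix>PIX)-(?P<sev>\d)-313001: Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>\S+) on interface (?P<iface>\S+)"
)

# The same pattern keyed on the message ID, with the prefix captured but not
# restricted: 313001 means the same thing whichever product name precedes it.
DENIED_ICMP_ANY_PREFIX = re.compile(
    r"%(?P<prefix>[A-Z]+)-(?P<sev>\d)-313001: Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) "
    r"from (?P<src>\S+) on interface (?P<iface>\S+)"
)

# Generic shape of a Cisco firewall syslog message: %PREFIX-severity-msgid:
CISCO_MSG_HEADER = re.compile(r"%(?P<prefix>[A-Z]+)-(?P<sev>\d)-(?P<msgid>\d{6}):")

# Prefixes the rule set has actually been written and tested against (assumed).
KNOWN_PREFIXES = frozenset({"PIX", "ASA"})


def parse_denied_icmp(line, pattern):
    """Return the fields of a 313001 'Denied ICMP' event, or None if `pattern` does not match."""
    m = pattern.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sev", "type", "code"):
        fields[key] = int(fields[key])
    return fields


def dropped_by_upgrade(lines):
    """Events the prefix-tolerant pattern sees that the PIX-only pattern misses.

    After a PIX -> ASA upgrade this is the set of alerts that quietly disappeared.
    """
    return [
        line for line in lines
        if DENIED_ICMP_ANY_PREFIX.search(line) and not DENIED_ICMP_PIX_ONLY.search(line)
    ]


def unknown_prefixes(lines, known=KNOWN_PREFIXES):
    """Cisco-style message prefixes present in the logs that the rule set does not know.

    A non-empty result after a firewall change is the early warning the diary wishes it had.
    """
    seen = Counter(m.group("prefix") for m in map(CISCO_MSG_HEADER.search, lines) if m)
    return {prefix for prefix in seen if prefix not in known}


def match_counts_by_prefix(lines, pattern):
    """How many 'Denied ICMP' events each vendor prefix contributed under `pattern`.

    A prefix whose count drops to zero after an upgrade is a rule that went silent.
    """
    counts = Counter()
    for line in lines:
        ev = parse_denied_icmp(line, pattern)
        if ev:
            counts[ev["prefix"]] += 1
    return counts


if __name__ == "__main__":
    print("PIX-only pattern :", dict(match_counts_by_prefix(SAMPLE_LOGS, DENIED_ICMP_PIX_ONLY)))
    print("any-prefix pattern:", dict(match_counts_by_prefix(SAMPLE_LOGS, DENIED_ICMP_ANY_PREFIX)))
    print("dropped after upgrade:")
    for line in dropped_by_upgrade(SAMPLE_LOGS):
        print("   ", line)
    print("prefixes the rules don't know:", sorted(unknown_prefixes(SAMPLE_LOGS)))
```

The point of `unknown_prefixes` is that it needs no knowledge of the new product name: it keys on the `%WORD-digit-sixdigits:` shape that all of these messages share, so the first `%ASA-` line after the upgrade would have shown up as an unrecognised prefix instead of vanishing into the quiet.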


ISC Handler
Sep 11th 2006
