
SANS ISC: What is your firewall log telling you - responses - Internet Security | DShield SANS ISC InfoSec Forums

What is your firewall log telling you - responses

Responses to our earlier diary entries regarding firewall log parsing (story1 and story2) have been trickling in. 

Reader Matthias has some small awk/shell scripts for parsing iptables log files that he shared here: http://sister-shadow.de/hotlink/isc/log-scripts.tar.gz

And reader Christian recommends using Prelude LML (log monitor lackey): http://www.prelude-technologies.com/en/welcome/index.html

Update #1: An anonymous reader also suggests http://www.loganalysis.org/ .

-Kyle Haugsness

Kyle

112 Posts
I use FWAnalog http://tud.at/programm/fwanalog/
It's a branch of Analog for system log analysis.

Though there is some stuff missing, like destination port stats, this gives me a visual of what's going on.

Checking out some of the suggestions above definitely.

Jeff
HackDefendr

65 Posts
Another really nifty trick is to exclude (grep -v) your permit/deny entries in the logs; the remaining logs can show some interesting info. In the case of an ASA, excluding built/teardown/accept/deny entries shows interfaces going up/down, inspection proxy exceptions, among other things. A very useful search.
Anonymous
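The grep -v approach described in the comment above, as an added example that is not part of the post: a small POSIX shell filter that drops the high-volume connection-accounting and ACL-hit messages from ASA syslog so the rarer operational events (interface state changes, configuration commands) stand out. The sample log lines and the exact pattern list are constructed for this example and would need tuning for a real device.

```shell
#!/bin/sh
# Drop the connection bookkeeping (Built/Teardown) and ACL permit/deny
# lines that make up most ASA syslog volume. Everything that survives
# is worth a human look: link flaps, config changes, inspection errors.
filter_asa_noise() {
  grep -v -E 'Built (inbound|outbound)|Teardown|access-list .* (permitted|denied)|Deny (tcp|udp|icmp)'
}

# Constructed sample lines in ASA syslog format (not from a real firewall).
SAMPLE_LOG=$(cat <<'EOF'
%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.10/443 (198.51.100.10/443) to inside:192.0.2.5/51234 (203.0.113.7/51234)
%ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.10/443 to inside:192.0.2.5/51234 duration 0:00:02 bytes 4096 TCP FINs
%ASA-4-106023: Deny tcp src outside:198.51.100.20/4444 dst inside:192.0.2.5/22 by access-group "outside_in"
%ASA-6-106100: access-list inside_out permitted tcp inside/192.0.2.5(51235) -> outside/198.51.100.10(80) hit-cnt 1 first hit
%ASA-4-411002: Line protocol on Interface outside, changed state to down
%ASA-4-411001: Line protocol on Interface outside, changed state to up
%ASA-5-111008: User 'admin' executed the 'configure terminal' command.
EOF
)

# Lines left after filtering: the interface flap and the config change.
remaining_lines() {
  printf '%s\n' "$SAMPLE_LOG" | filter_asa_noise
}

# Number of surviving lines (3 for the sample above).
count_remaining() {
  remaining_lines | wc -l | tr -d ' '
}

remaining_lines
```

On a real box, replace the sample with `cat /var/log/asa.log | filter_asa_noise` and extend the pattern list as new noise sources show up.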
