Message-ID: <420ACB45.9010000@shocking.net>
Date: Wed, 09 Feb 2005 21:47:33 -0500
From: jkowall <jkowall@...cking.net>
To: Carey Heck <carey.heck@...il.com>
Cc: pen-test@...urityfocus.com, bugtraq@...urityfocus.com
Subject: Re: Data Mining for PIX Firewall Logs
First you will have to log the data via syslog. I recommend Kiwi syslog
daemon for windows. The pro version is cheap and it can do compression,
rotation, and filtering. It can also do email based alerting.
Syslog-ng for *NIX is by far the most extensible and advanced daemon for
*NIX.
Now that you have the files, I would recommend the following products:
http://www.sawmill.net/
Sawmill not only processes PIX easily, but it can also process anything
from sendmail, to IIS logs. It's a great tool. Well priced, and
processes hundreds and hundreds of different logfiles.
http://www.surfstats.com/sla_pro.asp
Decent product, haven't used it much
http://www.softland.com.ar/info/eiqnetworks/firewallan/submain.htm
Expensive last time I looked, never used it.
http://tud.at/programm/fwanalog/
Free logfile processor, the reports are pretty basic.
http://perlmonks.thepen.com/123707.html
Script to monitor a log and page/email.
http://www.itefix.no/phpws/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=21&MMN_position=21:21
Never used this one.
There are a couple other ones too, but these are some of the main ones.
Good luck, email with any additional questions.
-jk
Carey Heck wrote:
>Hi folks. I love the ability in the Checkpoint firewall logging
>applet that allows me to load up any former saved log file, and filter
>according to any criteria I set.
>
>Let's use an example:
>
>I want to show an auditor what exactly went through my firewall,
>to/from a specific DMZ host, between the hours of 1 and 3pm GMT, on
>July 8th, 2003.
>
>In checkpoint, if I had correctly configured my ruleset, and archived
>my log files properly, I could provide this answer within 30 minutes.
>
>Fast forward to my current company, which went with a Cisco PIX
>solution based on the up front cost. I can log all the connections to
>my heart's content, but boy mining the data to help show what happened
>in my above example has been tiresome at best.
>
>Can anyone here please suggest to me some type of logging and more
>relevantly, a data mining product that can help me achieve this end?
>
>Currently I am logging all my PIX traffic to a host running Kiwi
>syslog daemon, which archives each day's logs into a separate folder in
>the dated logs directory, creating a new directory named for each date
>in the year.
>
>I am looking for a less clunky solution.
>
>Any help is GREATLY appreciated.
>
>Thanks!
>
>
>
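As an added example, not code from this thread or from any of the products listed, here is a small Python filter that answers the kind of auditor question Carey describes over archived PIX syslog lines: everything to or from one DMZ host inside a time window on a given date. The sample lines are constructed; the prefix layout is an assumption (a plain "syslog timestamp, host, message" line), the year is taken from the dated directory because a syslog timestamp carries none, and the firewall clock is assumed to be set to GMT.

```python
import re
from datetime import datetime, timezone

# Constructed sample log (RFC 5737 documentation addresses). The prefix layout is
# assumed; the real layout depends on how the collector writes its files.
SAMPLE_LOG = """\
Jul  8 12:59:58 fw01 %PIX-6-302013: Built inbound TCP connection 4401 for outside:203.0.113.7/51000 (203.0.113.7/51000) to dmz:192.0.2.10/443 (192.0.2.10/443)
Jul  8 13:05:12 fw01 %PIX-6-302013: Built inbound TCP connection 4402 for outside:203.0.113.7/51001 (203.0.113.7/51001) to dmz:192.0.2.10/443 (192.0.2.10/443)
Jul  8 13:05:40 fw01 %PIX-6-302014: Teardown TCP connection 4402 for outside:203.0.113.7/51001 to dmz:192.0.2.10/443 duration 0:00:28 bytes 5120 TCP FINs
Jul  8 14:10:03 fw01 %PIX-6-302013: Built outbound TCP connection 4403 for outside:198.51.100.22/25 (198.51.100.22/25) to dmz:192.0.2.10/38000 (192.0.2.10/38000)
Jul  8 14:30:00 fw01 %PIX-6-302013: Built outbound TCP connection 4404 for outside:198.51.100.22/25 (198.51.100.22/25) to inside:10.0.0.5/38001 (10.0.0.5/38001)
Jul  8 15:00:00 fw01 %PIX-6-302013: Built inbound TCP connection 4405 for outside:203.0.113.9/52000 (203.0.113.9/52000) to dmz:192.0.2.10/443 (192.0.2.10/443)
Jul  8 15:00:01 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.9/52001 dst dmz:192.0.2.10/22 by access-group "outside_in"
"""

# Syslog prefix followed by the PIX message header (%PIX-<severity>-<id>:).
_LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<msg>.*)$"
)
# interface:address/port tuples as written in connection and deny messages.
_ENDPOINT_RE = re.compile(r"(\w+):(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")


def parse_line(line, year):
    """Parse one line into a dict, or return None for lines that are not PIX messages.

    The caller supplies the year (from the dated directory); timestamps are tagged
    UTC on the assumption that the firewall clock is set to GMT.
    """
    m = _LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    endpoints = _ENDPOINT_RE.findall(m["msg"])
    rec = {"ts": ts, "host": m["host"], "severity": int(m["sev"]),
           "msgid": m["msgid"], "msg": m["msg"], "src": None, "dst": None}
    # Built, Teardown and Deny messages name the initiator first, then the responder.
    if len(endpoints) >= 2:
        rec["src"], rec["dst"] = endpoints[0], endpoints[1]
    return rec


def query(log_text, year, address, start, end):
    """Records with start <= timestamp < end in which `address` is either endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None or not (start <= rec["ts"] < end):
            continue
        if address in {ep[1] for ep in (rec["src"], rec["dst"]) if ep}:
            hits.append(rec)
    return hits


def audit_window(log_text, date, address, start_hhmm, end_hhmm):
    """The auditor question from the thread: all traffic involving `address` on
    `date` (YYYY-MM-DD) from start_hhmm (inclusive) to end_hhmm (exclusive), GMT."""
    day = datetime.strptime(date, "%Y-%m-%d").replace(tzinfo=timezone.utc)

    def at(hhmm):
        hour, minute = (int(x) for x in hhmm.split(":"))
        return day.replace(hour=hour, minute=minute)

    return query(log_text, day.year, address, at(start_hhmm), at(end_hhmm))


def summarize(records, address):
    """Hits per PIX message id plus the peer addresses that talked to `address`."""
    by_msgid = {}
    peers = set()
    for r in records:
        by_msgid[r["msgid"]] = by_msgid.get(r["msgid"], 0) + 1
        for ep in (r["src"], r["dst"]):
            if ep and ep[1] != address:
                peers.add(ep[1])
    return {"by_msgid": by_msgid, "peers": sorted(peers)}


if __name__ == "__main__":
    hits = audit_window(SAMPLE_LOG, "2003-07-08", "192.0.2.10", "13:00", "15:00")
    for r in hits:
        print(r["ts"].isoformat(), r["msgid"], r["msg"])
    print(summarize(hits, "192.0.2.10"))
```

Reading the per-day files the way Kiwi archives them (one directory per date, as described in the question) means pointing `audit_window` at the file for that date and letting the year come from the directory name; the window is half-open so a record stamped exactly at the end time is reported in the next window rather than both.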