[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [FW1] FW-1 log Auditing
Hi Ivan, One method we have used is to import a comma delimited text export of the firewall log into an Access database. This way, you can easily write queries to quickly identify major problems by sorting by source address (to identify large attacks or problem networks), destination port (to see what services are being attacked on your network), etc. The possibilities are endless; its proven to be quite flexible. When you refer to IDS's for FW-1, are you talking about products that run on top of FW-1? If so, I believe ISS makes a version of RealSecure which will do just that. I wouldn't recommend it simply on an architecture viewpoint (better to separate the two services), I have no experience with the product itself. If that's not a requirement, check out Snort (http://www.snort.org/). It performed nicely in our test environment _on Linux_. Lot's of problems with Win2k and WinCap on high-volume networks. Lock-ups, GPF's, etc. If you're going to seriously look at Snort, test it on a Unix box. Thanks, Abe Abe L. Getchell - Security Engineer Division of System Support Services Kentucky Department of Education VoiceE-mail [email protected] Web http://www.kde.state.ky.us/ > -----Original Message----- > From: Ivan More [mailto:[email protected]] > Sent: Tuesday, March 27, 2001 10:39 PM > To: [email protected] > Subject: [FW1] FW-1 log Auditing > > > > Hi, > > I have a few questions regarding Firewall: > > 1. I am wondering how you Firewall Security > Administrator deals with the Firewall log everyday? Do > you have any software to recommend to audit FW-1(ver > 4.0) logs? Hope you could share your audit method. > > 2. Could you also recommend a good IDS to use with > FW-1? > > > Thanks in advance for your suggestions, > Ivan More > > _______________________________________________________ > Do You Yahoo!? > Get your free @yahoo.ca address at http://mail.yahoo.ca > > > ============================================================== > ================== > To unsubscribe from this mailing list, please see the > instructions at > http://www.checkpoint.com/services/mailing.html > ============================================================== > ================== > ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|