
[FW1] Re: [fw1-wizards] why and what do I need to analyze the firewall log?

On Tue, May 15, 2001 at 08:56:39PM -0400, Ivan Fox wrote:
: A dumb question:
: 
: why do I need to analyse my firewall log? what should I look for?
: 
: is it to find out:
: who uses what (service) to get where?
:  a. top users by bandwidth utilization (as security guy, who do I care?)
:  b. outgoing protocol usage (same)
:  c. incoming protocol usage (same)
:  d. top ftp, telnet, web, etc. users
: who "attacks" our network?
: who does what during business hours? (productivity issue?)
: critical events for internal IP addresses?
: warnings for external IP addresses?

Yes, all of these.

As for the "what", there are a variety of log analysis tools, some that use
LEA and automagically create pretty reports, others that require you to do
a manual log export and let perl chew on the result for a bit.  Check out
Phoneboy's site, as well as Lance Spitzner's for some tools.

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum viditur.
                    My account, My opinions.
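An added example (not from the thread or from either poster) of the "manual log export, let a script chew on it" approach the reply describes, producing the reports the question lists: top internal users by bytes, outbound and inbound service usage, and which external sources are being blocked and which internal hosts they touched. The semicolon layout, the field names, the sample rows and the internal address range are all constructed assumptions, not a real export.

```python
from collections import Counter, defaultdict
import csv, io, ipaddress

INTERNAL = ipaddress.ip_network("10.1.0.0/16")  # assumed internal range (not from the thread)

# Constructed sample; the semicolon layout and field names are assumptions, not a real export.
SAMPLE_LOG = """\
num;date;time;action;proto;src;dst;service;len
1;15May2001;09:01:12;accept;tcp;10.1.2.5;192.0.2.10;http;1500
2;15May2001;09:01:15;accept;tcp;10.1.2.5;192.0.2.10;http;42000
3;15May2001;09:02:40;accept;tcp;10.1.2.9;198.51.100.7;ftp;120000
4;15May2001;09:03:01;drop;tcp;203.0.113.4;10.1.2.5;telnet;60
5;15May2001;09:03:02;drop;tcp;203.0.113.4;10.1.2.6;telnet;60
6;15May2001;09:03:03;drop;tcp;203.0.113.4;10.1.2.7;telnet;60
7;15May2001;09:10:00;accept;tcp;198.51.100.7;10.1.2.9;smtp;800
8;15May2001;09:11:00;reject;udp;203.0.113.9;10.1.2.5;snmp;70
"""

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def analyze(text):
    """Build the reports the question lists from a delimited log export."""
    bytes_by_user = Counter()        # a. top internal users by bytes sent out
    outbound = Counter()             # b. services used from inside to outside
    inbound = Counter()              # c. services accepted from outside to inside
    blocked_by_src = Counter()       # "who attacks": blocked attempts per external source
    hosts_probed = defaultdict(set)  # critical events: internal hosts each source touched
    for r in csv.DictReader(io.StringIO(text), delimiter=";"):
        src_in, dst_in = is_internal(r["src"]), is_internal(r["dst"])
        if r["action"] == "accept":
            if src_in and not dst_in:
                bytes_by_user[r["src"]] += int(r["len"])
                outbound[r["service"]] += 1
            elif dst_in and not src_in:
                inbound[r["service"]] += 1
        elif not src_in:  # drop/reject originating outside the perimeter
            blocked_by_src[r["src"]] += 1
            hosts_probed[r["src"]].add(r["dst"])
    return {
        "top_users": bytes_by_user.most_common(3),
        "outbound": dict(outbound),
        "inbound": dict(inbound),
        "blocked": blocked_by_src.most_common(3),
        "hosts_probed": {s: sorted(h) for s, h in hosts_probed.items()},
    }
```

A single external source hitting several internal hosts on the same blocked service (as 203.0.113.4 does here) is the pattern worth surfacing first; accepted-traffic counts answer the bandwidth and usage questions.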
