Mischel Internet Security Forum
Topic: Questions regarding FW's Log (Read 723 times)
mozar
Highly Honored Mass-Poster
Posts: 1524
Questions regarding FW's Log
« on: Oct 22nd, 2003, 2:12pm »

1) Do you read its entries at least each day?

2) Do you analyse your Log to determine which "visitors" are the usual ones and establish a pattern?

3) Do you try to articulate the source, destination, ports and protocols and associate them to your rules-set and known types of attacks?

4) Is your Log indeed useful to help you create new rules and understand the existing ones?

5) How often do you use "Whois", and how useful is it to you?

6) Do you feel the need to also use an app like "Ethereal" or "CommView" to complement your FW understanding?

- Why all those questions? Because I know that 90% of FW users never look at their FW's Logs. They just "believe" in their FW and click on any FW message window without really understanding what it means. On the other hand, those that start trying to use their Log do have real difficulties and don't know where to learn about its usage.

One easy example of the problems those 10% of users above have is a constant confusion between "noise" and "attacks". And some FW designs really don't help, with so many alarm sounds and/or blinking lights, when the user's ISP will look like the most terrible intruder.

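As an added example (not from the thread or the forum) of the baselining mozar asks about in questions 2 and 3: a short Python script that parses a constructed log in an assumed "date time action proto src dst dport" layout, profiles each dropped source by hit count and distinct destination ports, and labels repeated single-port chatter (the gateway or ISP "visitor") as usual noise versus a multi-port probe worth a closer look.

```python
import re
from collections import defaultdict
# Constructed sample log, not from a real firewall; the "date time action
# proto src dst dport" layout is an assumption made for this example.
SAMPLE_LOG = """\
2003-10-22 14:00:01 DROP UDP 10.0.0.1 10.0.0.77 67
2003-10-22 14:00:31 DROP UDP 10.0.0.1 10.0.0.77 67
2003-10-22 14:01:01 DROP UDP 10.0.0.1 10.0.0.77 67
2003-10-22 14:01:05 DROP TCP 198.51.100.9 10.0.0.77 135
2003-10-22 14:01:05 DROP TCP 198.51.100.9 10.0.0.77 139
2003-10-22 14:01:06 DROP TCP 198.51.100.9 10.0.0.77 445
2003-10-22 14:02:10 DROP TCP 203.0.113.4 10.0.0.77 135
2003-10-22 14:03:44 ALLOW TCP 10.0.0.77 203.0.113.80 80
this line is malformed and must be skipped by the parser
"""

LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<action>ALLOW|DROP) "
                     r"(?P<proto>TCP|UDP) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+)$")

def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            entries.append(e)
    return entries

def profile_sources(entries):
    """Per source of DROPped traffic: hit count and set of destination ports."""
    stats = defaultdict(lambda: {"hits": 0, "ports": set()})
    for e in entries:
        if e["action"] == "DROP":
            stats[e["src"]]["hits"] += 1
            stats[e["src"]]["ports"].add(e["dport"])
    return dict(stats)

def classify(stats, scan_ports=3, usual_hits=3):
    """'scan': several ports probed; 'usual': one port hit repeatedly (noise); else 'single'."""
    labels = {}
    for src, s in stats.items():
        if len(s["ports"]) >= scan_ports:
            labels[src] = "scan"
        elif s["hits"] >= usual_hits and len(s["ports"]) == 1:
            labels[src] = "usual"
        else:
            labels[src] = "single"
    return labels
```

Tune `scan_ports` and `usual_hits` against a week of your own log before trusting the labels; the thresholds here are illustrative.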
Phant0m``
Guest
Re: Questions regarding FW's Log
« Reply #1 on: Oct 22nd, 2003, 2:58pm »

I'd suggest all to take a gander at http://www.wilderssecurity.info/TCP-IP.shtml, learn the basic terms and so forth to help get started!
mozar
Highly Honored Mass-Poster
Posts: 1524
Re: Questions regarding FW's Log
« Reply #2 on: Oct 22nd, 2003, 3:20pm »

Hello, Phant0m

If someone doesn't know yet about your Site I strongly suggest visiting it. You don't have to use LnS FW to have good readings over there.

But the problem persists. Now that the use of software FWs is disseminated among home users it is odd that there is no book targeted to that kind of user.

The learning curve is unnecessarily hard because there is not a full systematised source to learn the basics and - very important - to implement them.

P.S.: I remember when I read in the past the book "Building Internet Firewalls", O'Reilly & Associates, Inc., 2000 and, after I read its almost 900 pages, I could *apply* not more than 1% of the 20% I understood of the 10% really useful to SOHO users in that book.
MadAxe
Senior Member
Posts: 319
Re: Questions regarding FW's Log
« Reply #3 on: Oct 22nd, 2003, 4:14pm »

An alarming number of users don't even have a firewall. When I talk to someone from work or a friend and they tell me they have Internet at home, I ask them what FW they run. The usual response: "What's that?". Getting them to run a firewall in the first place is the bigger challenge. The general population of Internet users seems to be unaware of the risks and the ways to protect against them.
Jamming
Stole All the Forum Stars
Remember when a Trojan was just for protection.
Posts: 2038
Re: Questions regarding FW's Log
« Reply #4 on: Oct 23rd, 2003, 10:10am »

on Oct 22nd, 2003, 4:14pm, MadAxe wrote:
An alarming number of users don't even have a firewall.

Which is why there is room enough for many good firewall applications like LNS, Kerio, 8signs, ZA, and others.

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster
mozar
Highly Honored Mass-Poster
Posts: 1524
Re: Questions regarding FW's Log
« Reply #5 on: Oct 23rd, 2003, 11:45am »

Of course I agree with both. And I think you also agree with me that a little more knowledge concerning FWs will certainly increase the level of safety of their users.

The safest and best designed FW with excellent outbound protection will mean nothing if its user doesn't read an outgoing message and just closes that "bothering" window.
Or if the same FW user that also has a FW with incredible inbound protection considers any log entry a massive black hat invasion and shuts down the computer - not kidding, I knew cases like that more than once.

FWs are not like AVs to use like an almost set-and-forget app - mainly when they do include outbound filtering.
Jamming
Stole All the Forum Stars
Posts: 2038
Re: Questions regarding FW's Log
« Reply #6 on: Oct 23rd, 2003, 4:53pm »

I check my firewall log when there is cause; also my router has a log that I use to match up with my firewall log. I like the way the router handles it, though, as I can set up the log contents to be emailed to an address whenever it is renewed or accessed. I caught one address trying to access my log that way.
mozar
Highly Honored Mass-Poster
Posts: 1524
Re: Questions regarding FW's Log
« Reply #7 on: Oct 25th, 2003, 8:18pm »

Just now I remembered there is a LOG's FAQ by Robert Graham:

http://www.robertgraham.com/pubs/firewall-seen.html
Ian
Stole All the Forum Stars
Good things come to those who wait ...
Posts: 2907
Re: Questions regarding FW's Log
« Reply #8 on: Oct 25th, 2003, 8:31pm »

Most of the mainstream firewalls have either inbuilt or good TPS analysis software that can help make sense of the mumbo-jumbo that some logs contain. As for 'one book covers all', until all FW vendors decide what they are going to call the various events, as a group, then the examples are still going to be based on the mainstream FWs. Not a reason that would prevent publication, but maybe a reason why the smaller producers will continue to struggle. It's a pretty strong hook if any book bundles a CD and your own firewall software is on it - not many users will stray from the (un)officially recommended software if that's what O'Reilly or Que say they would like run, just to make sure the screenshots match up.
 
Personally, at home, I run ZAF with ZoneLog analyser as the 'front-line' item (Sygate PF behind it). On occasions, the logfile is sent to DShield.

... but crap arrives pretty much straight away.