[Dshield] reporting on firewall logs

shawn reed shwn_rd at yahoo.com
Tue Oct 26 14:57:18 GMT 2004

I'd like to get some feedback/expertise on the process that I am using for reporting on firewall logs. Would this accurately reflect the profile of traffic through the firewall?
1. Extract the following fields: date, time, action, protocol, src IP, dst IP, src port, src address.
2. Divide the log into three categories based on the direction of the traffic: incoming, outgoing, internal.
(This is done by using a list of internal IP blocks and pulling out the lines of the log based on the src and dst IP:
    src, dst external_ip >outgoing.log
    src external_ip, dst >incoming.log
    src, dst >internal.log)
3. Create reports from the three categories of log files: incoming, outgoing, internal.

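The three-step process above (extract fields, split by direction against a list of internal blocks, report per bucket) as a worked example in Python. This is an added example, not code from the original post or the DShield project. It assumes a space-separated log layout carrying the listed fields plus the destination port, uses the RFC 1918 ranges as the "internal IP blocks", and the log lines are constructed for the demonstration. It also adds a fourth bucket, "other", for lines where neither side is internal, since those do not fit the three categories and usually point at spoofed sources or a routing or NAT misconfiguration worth reporting separately rather than silently dropping.

```python
"""Split firewall log lines by direction and summarise each bucket.

Added example (not the original poster's code). Assumed log layout:
    date time action proto src_ip dst_ip src_port dst_port
"""
import ipaddress
from collections import Counter, defaultdict

# Assumed "list of internal IP blocks": the RFC 1918 private ranges.
INTERNAL_BLOCKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample log (not real traffic); documentation-range addresses.
SAMPLE_LOG = """\
2004-10-26 14:01:02 DENY TCP 203.0.113.7 192.168.1.10 41234 445
2004-10-26 14:01:03 DENY TCP 203.0.113.7 192.168.1.11 41235 445
2004-10-26 14:02:10 PERMIT TCP 192.168.1.20 198.51.100.5 51000 80
2004-10-26 14:02:11 PERMIT UDP 192.168.1.20 198.51.100.53 51001 53
2004-10-26 14:03:00 PERMIT TCP 192.168.1.20 10.0.0.5 51002 22
2004-10-26 14:03:30 DENY TCP 198.51.100.9 203.0.113.44 40000 25
"""


def is_internal(ip):
    """True if ip falls inside one of the configured internal blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_BLOCKS)


def parse_line(line):
    """Step 1: pull the reporting fields out of one log line."""
    date, time, action, proto, src, dst, sport, dport = line.split()
    return {
        "date": date, "time": time, "action": action, "proto": proto,
        "src": src, "dst": dst, "src_port": int(sport), "dst_port": int(dport),
    }


def classify(rec):
    """Step 2: direction from whether src/dst are internal.

    Returns 'other' when neither address is internal, a case the
    three-way split does not cover (spoofing, misrouted or NATed traffic).
    """
    src_in, dst_in = is_internal(rec["src"]), is_internal(rec["dst"])
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outgoing"
    if dst_in:
        return "incoming"
    return "other"


def split_log(text):
    """Parse every non-empty line and group records by direction."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_line(line)
            buckets[classify(rec)].append(rec)
    return buckets


def report(records):
    """Step 3: summary for one bucket (counts by action, top services, top sources)."""
    return {
        "total": len(records),
        "by_action": Counter(r["action"] for r in records),
        "top_dst_ports": Counter((r["proto"], r["dst_port"]) for r in records).most_common(3),
        "top_src": Counter(r["src"] for r in records).most_common(3),
    }


if __name__ == "__main__":
    for direction, recs in sorted(split_log(SAMPLE_LOG).items()):
        print(direction, report(recs))
```

Feeding a real log means only replacing `parse_line` with a parser for that firewall's format and `INTERNAL_BLOCKS` with the site's actual ranges; the direction split and per-bucket reporting stay the same. If the "other" bucket is non-empty on a perimeter firewall, check for spoofed sources and for logging done after NAT, where the internal side has already been rewritten to a public address and every line looks external.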
