[Dshield] reporting on firewall logs

David Cary Hart DavidHart at TQMcube.com
Tue Oct 26 16:48:56 GMT 2004


On Tue, 2004-10-26 at 10:57, shawn reed wrote:
> I'd like to get some feedback/expertise on the process that I am using for reporting on firewall logs. Would this accurately reflect the profile of traffic through the firewall? 

OS? DShield Client?
>  
> 1. Extract the following fields: date, time, action, protocol, src IP, dst IP, src port, src address.
>  
> 2. Divide log into three categories based on the direction of the traffic: incoming, outgoing, internal. 
> (This is done by using a list of internal IP blocks and pulling out the lines of the log based on the src and dst IP. 
> i.e. 
> src 10.10.1.20, dst external_ip >outgoing.log
> src external_ip, dst 10.10.1.20 >incoming.log
> src 10.10.1.20, dst 10.10.1.50 >internal.log
>  
> 3. Create reports from the three categories of log files: incoming, outgoing, internal.
> 
-- 
David Cary Hart
Hart's PGP key:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x58A60BB1
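The three-step procedure quoted above (extract fields, split by direction against a list of internal blocks, report per bucket) as an added worked example; this is not code from either poster. It assumes a simple space-separated log format (date, time, action, protocol, src IP, dst IP, src port, dst port) and hypothetical internal blocks, and the log lines are constructed. It also adds the check a reviewer would want: a line where neither address is internal does not fit any of the three categories, so it goes into a separate "transit" bucket instead of being silently dropped, and unparseable lines are counted rather than ignored.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumed internal address blocks (hypothetical; the post only shows 10.10.x.x hosts).
INTERNAL_BLOCKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.0.0/16")]

# Constructed sample log in an assumed format:
# date time action proto src_ip dst_ip src_port dst_port
SAMPLE_LOG = """\
2004-10-26 10:57:01 DROP TCP 203.0.113.7 10.10.1.20 3344 135
2004-10-26 10:57:02 ACCEPT TCP 10.10.1.20 198.51.100.9 1043 80
2004-10-26 10:57:03 ACCEPT UDP 10.10.1.20 10.10.1.50 1025 53
2004-10-26 10:57:04 DROP TCP 198.51.100.9 203.0.113.7 2222 25
2004-10-26 10:57:05 ACCEPT ICMP 10.10.1.50 10.10.1.20 0 0
this line is malformed and should be counted, not silently lost
"""

FIELDS = ("date", "time", "action", "proto", "src", "dst", "sport", "dport")


def parse_line(line):
    """Step 1: extract the fields; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["src_ip"] = ipaddress.ip_address(rec["src"])
        rec["dst_ip"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec


def is_internal(ip):
    return any(ip in net for net in INTERNAL_BLOCKS)


def direction(src_ip, dst_ip):
    """Step 2: classify by which side of the connection is in an internal block."""
    s, d = is_internal(src_ip), is_internal(dst_ip)
    if s and d:
        return "internal"
    if s:
        return "outgoing"
    if d:
        return "incoming"
    # Neither side internal: outside the three-bucket scheme (routed transit,
    # a missing block in INTERNAL_BLOCKS, or a forged source). Keep it visible.
    return "transit"


def split_log(text):
    """Return {direction: [records]} plus the number of lines that failed to parse."""
    buckets = defaultdict(list)
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        buckets[direction(rec["src_ip"], rec["dst_ip"])].append(rec)
    return buckets, skipped


def report(records):
    """Step 3: per-bucket summary by action and by protocol/destination port."""
    by_action = Counter(r["action"] for r in records)
    top_dports = Counter((r["proto"], r["dport"]) for r in records).most_common(3)
    return {"total": len(records), "by_action": dict(by_action), "top_dports": top_dports}


if __name__ == "__main__":
    buckets, skipped = split_log(SAMPLE_LOG)
    for name in ("incoming", "outgoing", "internal", "transit"):
        print(name, report(buckets.get(name, [])))
    print("unparsed lines:", skipped)
```

In practice the bucket lists would be written out as incoming.log, outgoing.log and internal.log exactly as the post describes; the point of the extra "transit" bucket and the unparsed-line count is that a traffic profile is only accurate if you can show that every line was assigned somewhere.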