[Dshield] reporting on firewall logs

David Cary Hart DavidHart at TQMcube.com
Tue Oct 26 16:48:56 GMT 2004

On Tue, 2004-10-26 at 10:57, shawn reed wrote:
> I'd like to get some feedback/expertise on the process that I am using for reporting on firewall logs. Would this acurately reflect the profile of traffic through the firewall? 

OS? DShield Client?
> 1. Extract the following fields: date, time, action, protocol, src IP, dst IP, src port, src address.
> 2. Divide log into three categories based on the direction of the traffic: incoming, outgoing, internal. 
> (This is done by using a list of internal IP blocks and pulling out the lines of the log based on the src and dst IP. 
> i.e. 
> src, dst external_ip >outgoing.log
> src external_ip, dst >incoming.log
> src, dst >internal.log
> 3. Create reports from the three categories of log files: incoming, outgoing, internal.
> ---------------------------------
> Do you Yahoo!?
> Yahoo! Mail - Helps protect you from nasty viruses.
> _______________________________________________
> DShield and the Internet Storm Center are sponsored by the SANS Institute.
> To learn more about current SANS training, see http://www.sans.org .
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
                            David Cary Hart
                                                         Hart's PGP key:

More information about the list mailing list