[Dshield] reporting on firewall logs

shawn reed shwn_rd at yahoo.com
Tue Oct 26 17:07:43 GMT 2004


 

Redhat 9. Using gawk to extract and sort the logs.

On Tue, 2004-10-26 at 10:57, shawn reed wrote:
> I'd like to get some feedback/expertise on the process that I am using for reporting on firewall logs. Would this acurately reflect the profile of traffic through the firewall? 

OS? DShield Client?


>  
> 1. Extract the following fields: date, time, action, protocol, src IP, dst IP, src port, src address.
>  
> 2. Divide log into three categories based on the direction of the traffic: incoming, outgoing, internal. 
> (This is done by using a list of internal IP blocks and pulling out the lines of the log based on the src and dst IP. 
> i.e. 
> src 10.10.1.20, dst external_ip >outgoing.log
> src external_ip, dst 10.10.1.20 >incoming.log
> src 10.10.1.20, dst 10.10.1.50 >internal.log
>  
> 3. Create reports from the three categories of log files: incoming, outgoing, internal.


		
---------------------------------
Do you Yahoo!?
Yahoo! Mail - You care about security. So do we.


More information about the list mailing list