RE: Data Mining for PIX Firewall Logs

From: Todd Towles (toddtowles@brookshires.com)
Date: Fri Feb 11 2005 - 10:23:57 EST


Php-Syslog-ng worked pretty well, when I tested it. Think about using
Stunnel also for moving the logs across the network in a secure channel.
 

> -----Original Message-----
> From: jkowall [mailto:jkowall@shocking.net]
> Sent: Wednesday, February 09, 2005 8:48 PM
> To: Carey Heck
> Cc: pen-test@securityfocus.com; bugtraq@securityfocus.com
> Subject: Re: Data Mining for PIX Firewall Logs
>
> First you will have to log the data via syslog. I recommend
> kiwi syslog daemon for windows. The pro version is cheap and
> it can do compression, rotation, and filtering. It can also
> do email based alerting.
> Syslog-ng for *NIX is by far the most extensible and advanced
> daemon for *NIX.
>
> Now that you have the files, I would recommend the following products:
>
> http://www.sawmill.net/
> Sawmill not only processes PIX easily, but it can also
> process anything from sendmail, to IIS logs. It's a great
> tool. Well priced, and processes hundreds and hundreds of
> different logfiles.
>
> http://www.surfstats.com/sla_pro.asp
> Decent product, haven't used it much
>
> http://www.softland.com.ar/info/eiqnetworks/firewallan/submain.htm
> Expensive last time I looked, never used it.
>
> http://tud.at/programm/fwanalog/
> Free logfile processor, the reports are pretty basic.
>
> http://perlmonks.thepen.com/123707.html
> Script to monitor a log and page/email.
>
> http://www.itefix.no/phpws/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=21&MMN_position=21:21
> Never used this one.
>
> There are a couple other ones too, but these are some of the
> main ones.
>
> Good luck, email with any additional questions.
>
> -jk
>
>
> Carey Heck wrote:
>
> >Hi folks. I love the ability in the Checkpoint firewall logging applet
> >that allows me to load up any former saved log file, and filter
> >according to any criteria I set.
> >
> >Let's use an example:
> >
> >I want to show an auditor what exactly went through my firewall,
> >to/from a specific DMZ host, between the hours of 1 and 3pm GMT, on
> >July 8th, 2003.
> >
> >In checkpoint, if I had correctly configured my ruleset, and archived
> >my log files properly, I could provide this answer within 30 minutes.
> >
> >Fast forward to my current company, which went with a Cisco PIX
> >solution based on the up front cost. I can log all the connections to
> >my heart's content, but boy mining the data to help show what happened in
> >my above example has been tiresome at best.
> >
> >Can anyone here please suggest to me some type of logging and more
> >relevantly, a data mining product that can help me achieve this end?
> >
> >Currently I am logging all my PIX traffic to a host running Kiwi syslog
> >daemon, which archives each day's logs into a separate folder in the
> >dated logs directory, creating a new directory named for each date in
> >the year.
> >
> >I am looking for a less clunky solution.
> >
> >Any help is GREATLY appreciated.
> >
> >Thanks!
> >
> >
> >
>
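The audit question posed in the thread (all connections to/from one DMZ host inside a fixed time window) can be answered directly from the archived syslog text without a commercial product. The following is an added example, not code from anyone in this thread; the collector line layout and the sample log lines are constructed, it assumes the collector stamps lines in UTC, and it matches the connection build/teardown message IDs of both PIX 6.x (302001/302002) and PIX 7 / ASA (302013/302014) syntax.

```python
import re
from datetime import datetime

# Assumed (constructed) collector line layout: the collector's own receive
# timestamp, facility, reporting firewall, then the PIX message. Timestamps
# are taken as UTC; if the collector stamps in local time, convert first.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+.*?"
    r"%PIX-\d-(?P<msgid>\d{6}):\s*(?P<body>.*)$"
)
# Matches ip/port tokens in both PIX 6.x (faddr/gaddr/laddr) and PIX 7 / ASA
# (iface:ip/port) connection messages, so one parser covers both syntaxes.
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")
# TCP connection build/teardown IDs: 302001/302002 (PIX 6.x), 302013/302014 (7.x+).
CONN_IDS = {"302001", "302002", "302013", "302014"}

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2003-07-08 12:59:59 Local4.Info 10.0.0.1 %PIX-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.9/40112 (203.0.113.9/40112) to dmz:192.168.10.5/80 (192.0.2.5/80)
2003-07-08 13:05:12 Local4.Info 10.0.0.1 %PIX-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.9/40113 (203.0.113.9/40113) to dmz:192.168.10.5/80 (192.0.2.5/80)
2003-07-08 13:05:13 Local4.Warning 10.0.0.1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4444 dst dmz:192.168.10.5/22 by access-group "outside_in"
2003-07-08 14:30:00 Local4.Info 10.0.0.1 %PIX-6-302001: Built outbound TCP connection 1003 for faddr 203.0.113.20/443 gaddr 192.0.2.5/1024 laddr 192.168.10.5/1024
2003-07-08 14:45:00 Local4.Info 10.0.0.1 %PIX-6-302013: Built inbound TCP connection 1004 for outside:203.0.113.9/40120 (203.0.113.9/40120) to dmz:192.168.10.6/80 (192.0.2.6/80)
2003-07-08 15:00:00 Local4.Info 10.0.0.1 %PIX-6-302013: Built inbound TCP connection 1005 for outside:203.0.113.9/40121 (203.0.113.9/40121) to dmz:192.168.10.5/80 (192.0.2.5/80)
""".splitlines()

def parse_line(line):
    """Return (timestamp, msgid, [(ip, port), ...]) or None for non-PIX lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    addrs = [(ip, int(port)) for ip, port in ADDR_RE.findall(m.group("body"))]
    return ts, m.group("msgid"), addrs

def connections_for_host(lines, host, start, end):
    """Connection records involving `host` with start <= timestamp < end."""
    lo = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    hi = datetime.strptime(end, "%Y-%m-%d %H:%M:%S")
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] not in CONN_IDS:
            continue  # skip non-PIX lines and non-connection messages (e.g. ACL denies)
        ts, msgid, addrs = rec
        if lo <= ts < hi and any(ip == host for ip, _ in addrs):
            hits.append(rec)
    return hits
```

Running it over one day's folder is a matter of feeding `connections_for_host` the concatenated files for that date; ACL denies (106023) are deliberately excluded so the result lists only connections that were actually built or torn down.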



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:16 EDT