
Monitoring firewall logs, what to do about what you find?

Status
Not open for further replies.

packdragon

IS-IT--Management
Jan 21, 2003
459
US
I am taking over the duties of monitoring the log files our firewall spits out. Unfortunately the guy before me didn't tell me exactly what I need to do. I'm staring at these logs, but what do I do about what I find?

Ok here's an example. This morning I'm working and all of a sudden I get like 5 log files emailed at once. The vast majority say "IP spoof detected", and come from the same 3 IP addresses. Looks like an attack to me. Pings to the IP addresses time out. What do I do about it?? What's the best next step?

 
That largely depends on how your firewall reacted to the threat when it logged it.

If the firewall blocked the spoof and logged it, you're okay. If the firewall's ruleset let it through and logged it, you have bigger problems.

Want the best answers? Ask the best questions: TANSTAAFL!
 
I doubt our previous sysadmin, who was very good at his job, would have configured the ruleset to allow in IP Spoofs. What would be the purpose of that?

But anyway, what are the things I should be looking out for? Logs that indicate someone was let in? I see a few entries that say "Accepting IPSec Proposal". What does that mean?
 
packdragon:

No offense to you or your predecessor, but "I doubt...would have configured" definitely falls under the category "Famous Last Words". You now administer a firewall: by definition, a certain amount of paranoia is in order. Do not assume the state of your firewall ruleset -- confirm the state of your firewall ruleset.

I honestly can't tell you what to look for, except in the most extremely general sense. I don't know the topology and use of your network, nor how your firewall rules support that topology and use. So my answer can only be: Do you see anything in the logs that might indicate a use of the network in a way that is counter to the way you know it should be used?

The "Accepting IPSec Proposal" sounds to me like the initialization of a road-warrior VPN connection.

Want the best answers? Ask the best questions: TANSTAAFL!
 
I would be looking for trends and who is doing the attacking. It is a little easier if you have something that does that like ACID with snort. There are also products to help you manage the firewall logs. NETIQ firewall suite for example. AKA Intrusion Detection System.

Craig
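Two of the replies above point at the same first step: check whether the firewall actually dropped the spoofed packets or let them through, and look for trends by source address rather than reacting to individual lines. The script below is an added example, not code from the thread or from any product named in it. It parses a small set of constructed log lines in a made-up, generic firewall format (the field layout and the ALLOW/DROP action names are assumptions; real firewalls each use their own syntax), counts "IP spoof detected" events per source IP, tallies events by message and action, and singles out any spoof the ruleset allowed instead of dropping.

```python
import re
from collections import Counter

# Constructed sample log lines in a made-up, generic firewall format.
# The field layout (timestamp, action, message, src/dst) and the action
# names ALLOW/DROP are assumptions; adapt LINE_RE to your own firewall.
SAMPLE_LOG = """\
2003-01-21 08:02:11 DROP msg="IP spoof detected" src=10.1.1.5 dst=192.0.2.10
2003-01-21 08:02:12 DROP msg="IP spoof detected" src=10.1.1.5 dst=192.0.2.10
2003-01-21 08:02:13 DROP msg="IP spoof detected" src=172.16.4.9 dst=192.0.2.10
2003-01-21 08:02:14 ALLOW msg="IP spoof detected" src=10.1.1.5 dst=192.0.2.11
2003-01-21 08:03:00 ALLOW msg="Accepting IPSec Proposal" src=198.51.100.7 dst=192.0.2.1
2003-01-21 08:03:05 DROP msg="IP spoof detected" src=192.168.7.77 dst=192.0.2.10
malformed line that should be skipped
"""

SPOOF_MSG = "IP spoof detected"

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<action>ALLOW|DROP) msg="(?P<msg>[^"]*)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+)$'
)


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Return (spoof events per source IP, event counts per (message, action)).

    The first Counter answers "who is doing it and how often"; the second
    shows at a glance whether a given message is being dropped or allowed.
    """
    by_src = Counter()
    by_msg_action = Counter()
    for ev in parse_log(text):
        by_msg_action[(ev["msg"], ev["action"])] += 1
        if ev["msg"] == SPOOF_MSG:
            by_src[ev["src"]] += 1
    return by_src, by_msg_action


def allowed_spoofs(text):
    """Return spoof events the ruleset let through; these need a ruleset review."""
    return [ev for ev in parse_log(text)
            if ev["msg"] == SPOOF_MSG and ev["action"] == "ALLOW"]


if __name__ == "__main__":
    by_src, by_msg_action = summarize(SAMPLE_LOG)
    print("Spoof events by source IP:")
    for src, n in by_src.most_common():
        print(f"  {src}: {n}")
    print("Events by message and action:")
    for (msg, action), n in sorted(by_msg_action.items()):
        print(f"  {msg!r} {action}: {n}")
    for ev in allowed_spoofs(SAMPLE_LOG):
        print(f"REVIEW RULESET: spoof allowed at {ev['ts']} "
              f"from {ev['src']} to {ev['dst']}")
```

Run against the constructed sample, the per-source count shows one address responsible for most of the spoof events, and the message/action tally shows the same message both dropped and allowed. That second result is the case the thread calls "bigger problems": the same condition handled inconsistently by the ruleset, which is exactly what the advice to confirm rather than assume the ruleset is about. Pointing the script at a day's worth of real logs gives the trend view Craig describes without any additional product.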

 