EventId.Net - Firewalls
Analyzing Cisco Pix firewall logs with FireGen Log Analyzer - A firewall administrator diary

All the notes on this page are derived from our daily analysis of our Cisco Pix firewall logs using FireGen for Pix Log Analyzer, Version 2.0. To cross-reference the report sections mentioned in these articles, see the sample report. As a demo, you may send us one of your logs, and we will analyze it with FireGen and send you back the report along with a short analysis from our consultants.

April 16, 2004
The "Email (SMTP) - Top outbound connections" section indicated a number of connections made from our Exchange server to one of our public IP addresses (used for Port Address Translation). This means that one internal user was connecting to the public IP of the Exchange server.

April 14, 2004
In the "Security Level 4 (Warnings)" section of today's report we found that several internal IP addresses were reported as being denied by the firewall when trying to reach the Domain Controller (also an internal machine, on the same subnet) on port TCP/139 (NetBIOS). Normally, such requests should not reach the firewall. The only explanation was that they sent a broadcast looking for the IP address of the DC. Since the reported times were about the same, we can deduce that at that moment the DC was not responding to direct requests, which caused the broadcast.
A couple of days ago we mentioned IP addresses from our ISP getting infected with various worms. The ISP was usually quick in shutting down the offending hosts, but it seems that they have lost the battle, as the "Denied IP Addresses" section is showing more and more denied connections from IP addresses belonging to clients of our ISP.

April 13, 2004
One quick way to see if there was something "really" unusual in the firewall log is to examine the "Message types distribution" section and note the total number of message types. This number should not vary much from one day to another. If it does, then something "different" happened that day. For example, our firewall records 15 or 16 types of messages; one day we noticed 17 types, and a quick look at them revealed that one of us had connected to the firewall (and the firewall logged additional syslog messages). Of course, making changes to the firewall configuration may also affect the types of messages that get recorded. Another similar indicator is the size of the analyzed logs. A variation of 10-15% is normal, but anything more than 50% should trigger a more detailed investigation. Still, a good firewall administrator will go over the logs even if they "seem" to be normal. One of the dangers of checking logs on a regular basis is that it may become a boring activity and less attention is paid to details. In time, some may even stop checking the logs. There is no "cure" for this situation, but being aware of it may help attenuate the effect.
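The two day-to-day indicators described above (the count of distinct message types and the log size) can be checked automatically before the full report is read. The following is an added example written for this page, not part of FireGen or the original diary; the log lines are constructed samples in the PIX syslog format, and the baseline values (a normal day's set of message IDs and log size in bytes) are assumed to be kept from a previous day.

```python
import re
from collections import Counter

# Constructed sample log lines in Cisco PIX syslog format (not real traffic).
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/25 (203.0.113.10/25) to inside:10.0.0.5/49152 (198.51.100.2/1024)
%PIX-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/25 to inside:10.0.0.5/49152 duration 0:00:01 bytes 512 TCP FINs
%PIX-4-106023: Deny tcp src inside:10.0.0.21/1045 dst inside:10.0.0.10/139 by access-group "inside_in"
%PIX-4-106023: Deny tcp src inside:10.0.0.22/1046 dst inside:10.0.0.10/139 by access-group "inside_in"
%PIX-5-111008: User 'admin' executed the 'write memory' command.
"""

# Every PIX syslog message starts with %PIX-<severity>-<six-digit message ID>:
MSG_ID_RE = re.compile(r"%PIX-(?P<level>\d)-(?P<msgid>\d{6}):")


def message_type_counts(log_text):
    """Return a Counter of message IDs, i.e. the 'Message types distribution'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MSG_ID_RE.search(line)
        if m:
            counts[m.group("msgid")] += 1
    return counts


def check_daily_variation(log_text, baseline_types, baseline_size):
    """Compare today's log with a normal day's baseline.

    baseline_types: set of message IDs seen on a normal day (assumed stored).
    baseline_size:  byte size of a normal day's log (assumed stored).
    Returns a list of findings; an empty list means nothing unusual.
    """
    findings = []
    counts = message_type_counts(log_text)
    # A message type that never appeared before is the "17th type" of the diary.
    new_types = sorted(set(counts) - set(baseline_types))
    if new_types:
        findings.append("new message types: " + ", ".join(new_types))
    # Thresholds from the diary: 10-15% is normal, more than 50% needs a closer look.
    size = len(log_text.encode("utf-8"))
    change = abs(size - baseline_size) / baseline_size
    if change > 0.50:
        findings.append(f"log size changed {change:.0%}: investigate")
    elif change > 0.15:
        findings.append(f"log size changed {change:.0%}: above the normal 10-15% variation")
    return findings
```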

Pix Analysis Archives:
April 2 - April 6 2004
March 29 - March 31 2004
March 25 - March 26 2004
March 20 - March 23 2004
March 12 - March 19 2004
March 8 - March 11 2004
EventID.Net © 2001-2008 Altair Technologies Ltd., All rights reserved