If set up correctly, your firewall logs will tell you what matters most about your network: what your employees are doing, any trojans or viruses running inside the network, and so on.
How do we use them in a way that actually makes the network safer?
SANS.org has a great pdf document that discusses this topic and more: http://www.sans.org/reading-room/whitepapers/firewalls/firewall-logs-811
Check out Kitploit.com as well (a copy of a sample is here):
For every packet of a connection between your internal and external machines (which your firewall hopefully sits in between), four pieces of information should be logged:
- Source IP address
- Source port
- Destination IP address
- Destination port
So what are we really looking for, and why?
We are looking for trojan and malware activity.
So how do we do that?
There are several lists covering lots of trojans and the ports they use.
Even though this is an old list, old attacks come back to us, and we need to plug those holes:
http://www.jlathamsite.com/dslr/suspectports.htm
Just a couple of interesting ones:
- Port 109: Possible ADM worm attacks
- Port 24: Possible Back Orifice 2000 (BO2K) control port, Back Orifice 2000, BO2K attacks
The key is to allow only what is known for sure, and disallow everything else.
A deny-all rule has to come after everything allowed is listed.
Log the traffic that gets denied. That is the key.
Also rotate the logs daily.
Retain them on the system for 30 days.
Archive the older logs for a year.
Unless they must be kept for legal reasons, discard logs older than a year (contact your compliance officer – attorney for clarification).
Also log:
- Unsuccessful logins
- Outbound activity from internal servers
- Source routed packets: http://www.comptechdoc.org/independent/networking/terms/source-routing.
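To show what "log the denied traffic and look for trojan ports" looks like in practice, here is an added example (not code from the original post or from Kitploit): it parses constructed netfilter-style firewall log lines into the four-tuple above, flags records whose destination port is on a suspect list (only the two ports quoted above are used here; a real deployment would load the full list), and counts repeated outbound hits per internal host. The `10.0.0.` internal prefix, the log format and the sample lines are all assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in netfilter/iptables syslog style (not from the original page).
SAMPLE_LOG = """\
Jun 12 10:01:02 fw kernel: DENY IN=eth1 OUT= SRC=10.0.0.15 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=109
Jun 12 10:01:05 fw kernel: DENY IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.15 PROTO=TCP SPT=40000 DPT=24
Jun 12 10:01:09 fw kernel: ACCEPT IN=eth1 OUT= SRC=10.0.0.20 DST=203.0.113.8 PROTO=TCP SPT=51235 DPT=443
Jun 12 10:01:11 fw kernel: DENY IN=eth1 OUT= SRC=10.0.0.15 DST=203.0.113.9 PROTO=TCP SPT=51236 DPT=109
"""

# Suspect destination ports: only the two examples quoted on the page; load the full
# referenced list in a real deployment.
SUSPECT_PORTS = {
    109: "Possible ADM worm",
    24: "Possible Back Orifice 2000 (BO2K) control port",
}

# Pulls the action plus the four-tuple (source IP/port, destination IP/port) out of a line.
LINE_RE = re.compile(
    r"(?P<action>DENY|ACCEPT) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return action and four-tuple as a dict, or None if the line is not a firewall record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"action": m.group("action"), "src": m.group("src"), "dst": m.group("dst"),
            "spt": int(m.group("spt")), "dpt": int(m.group("dpt"))}


def find_suspect(log_text, internal_prefix="10.0.0."):
    """Flag records whose destination port is on the suspect list and note the direction.

    Outbound hits (internal source) matter most: they suggest a host already compromised.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] not in SUSPECT_PORTS:
            continue
        rec["reason"] = SUSPECT_PORTS[rec["dpt"]]
        rec["direction"] = "outbound" if rec["src"].startswith(internal_prefix) else "inbound"
        hits.append(rec)
    return hits


def summarize(hits):
    """Count outbound hits per (internal host, port); repeat offenders are checked first."""
    return Counter((h["src"], h["dpt"]) for h in hits if h["direction"] == "outbound")
```

Run `summarize(find_suspect(SAMPLE_LOG))` to get the per-host counts; feed it real denied-traffic logs once the deny-all rule is logging.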