Firewalls and Logging

Discussion in 'other firewalls' started by CrazyM, Nov 6, 2005.

Thread Status:
Not open for further replies.
  1. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Now what can you do with all these logs?
    As has already been suggested there are analysis utilities available for some firewalls for those that want to have a closer look at what is going on.

    For those that may want to do something about all the events listed in their logs, consider submitting them to a place like DShield who gather logs from all those participating and forward abuse reports based on these totals, which is more effective than individual users trying to report on their own to their ISP or other ISPs. They accept logs in a variety of formats and also have utilities you can use for doing this.

    Another consideration if you are going to be submitting logs is the accuracy of the time stamp. Most routers/hardware devices will have the ability to sync with time servers. How many of you using software firewalls use the Windows time service or other time utility to keep your system clock accurate?

    Regards,

    CrazyM
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    If they were after you specifically they would have to know your IP. Undesirables looking for vulnerable systems may scan a wide range of IPs looking for compromised or vulnerable systems. The results of those broad scans would determine which IPs they may have a second look at. So for those that are properly firewalled, these scans are harmless.

    Regards,

    CrazyM
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, that's clear now.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Firewall logging with look-up and traceroute functionality.

    Some firewalls will have the ability to do who-is/rdns look-ups and traceroute on IPs in the event logs. While this can be handy and a good marketing tool when "x" marks the bad guy on the world map with the visual traceroute, there are a couple of things for users to be aware of.

    When you do a rdns (reverse dns look-up) on an IP, if it does not resolve to a name, Windows by default will resort to a netbios name look-up, which means contacting the IP to do this. If your firewall/router is misconfigured and permits outbound netbios, you will now be querying this IP and potentially showing up in their logs. Keep this in mind as well if you have the option to resolve addresses automatically in the logs. The same applies when doing a traceroute: it means your system pinging the IP and announcing your presence/interest. So much for stealth if that is a concern for you.

    Something to be aware of if you are performing these types of look-ups from your own system. There are online resources available for these queries so you do not have to worry about your IP showing up somewhere you did not intend it to. One example being: DNSstuff.com.

    Whois lookups can also be done directly at:
    ARIN WHOIS Database Search
    Internic Whois Search
    RIPE Whois Search
    APNIC Whois Search
    LACNIC Whois Search

    Regards,

    CrazyM
     
    Last edited: Nov 13, 2005
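Two things the thread raises lend themselves to a small log-review script: totalling blocked inbound events per source and port (the kind of totals an abuse report or a DShield submission is based on, as in the first post) and spotting outbound NetBIOS or ICMP traffic toward an address that appears in your inbound log, which is the self-exposure described in the last post. This is an added example, not from the thread or any firewall product; the log format, the sample lines and the addresses (documentation ranges) are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample firewall log lines in an assumed generic format
# (not any particular product's output); addresses are documentation ranges.
SAMPLE_LOG = """\
2005-11-06 10:01:02 BLOCK IN TCP 203.0.113.5:1034 -> 192.0.2.10:135
2005-11-06 10:01:03 BLOCK IN TCP 203.0.113.5:1035 -> 192.0.2.10:445
2005-11-06 10:01:09 BLOCK IN TCP 203.0.113.5:1036 -> 192.0.2.10:135
2005-11-06 10:02:15 BLOCK IN UDP 198.51.100.7:4000 -> 192.0.2.10:1434
2005-11-06 10:05:40 ALLOW OUT UDP 192.0.2.10:137 -> 203.0.113.5:137
2005-11-06 10:05:41 ALLOW OUT ICMP 192.0.2.10 -> 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>BLOCK|ALLOW) (?P<dir>IN|OUT) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# NetBIOS name/session and SMB ports that a name look-up fallback would use
NETBIOS_PORTS = {"137", "138", "139", "445"}

def parse_log(text):
    """Parse lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def inbound_probe_summary(events):
    """Count blocked inbound events per (source IP, protocol, dest port)."""
    return Counter((e["src"], e["proto"], e["dport"])
                   for e in events if e["action"] == "BLOCK" and e["dir"] == "IN")

def outbound_leaks(events):
    """Outbound NetBIOS/SMB or ICMP traffic toward any IP that also appears as
    an inbound source: the host contacting an address it was only meant to log."""
    probers = {e["src"] for e in events if e["dir"] == "IN"}
    return [e for e in events
            if e["dir"] == "OUT" and e["dst"] in probers
            and (e["dport"] in NETBIOS_PORTS or e["proto"] == "ICMP")]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, proto, port), n in inbound_probe_summary(evs).most_common():
        print(f"{src} {proto}/{port}: {n} blocked")
    for e in outbound_leaks(evs):
        print(f"LEAK: {e['ts']} {e['proto']} to {e['dst']} port {e['dport']}")
```

Any address that shows up in the leak list is one your own look-up or traceroute has already announced you to; the per-source totals are what you would check against the timestamps of a synced clock before submitting.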