Firewalls and Logging

Discussion in 'other firewalls' started by CrazyM, Nov 6, 2005.

Thread Status:
Not open for further replies.
  1. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Now what can you do with all these logs?
    As has already been suggested there are analysis utilities available for some firewalls for those that want to have a closer at what is going on.

    For those that may want to do something about all the events listed in their logs, consider submitting them to a place like DShield who gather logs from all those participating and forward abuse reports based on these totals which is more effective than individual users trying to report on their own to their ISP or other ISP's. They accept logs in a variety of formats and also have utilities you can use for doing this.

    Another consideration if you are going to be submitting logs is the accuracy of the time stamp. Most routers/hardware devices will have the ability to sync with time servers. How many of you using software firewalls use the Windows time service or other time utility to keep your system clock accurate?

    Regards,

    CrazyM
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    If they were after you specifically they would have to know your IP. Undersirables looking for vulnerable systems may scan a wide range of IP's looking for compromised or vulnerable systems. The results of those broad scans would determine which IP's they may have a second look at. So for those that are properly firewalled, these scans are harmless.

    Regards,

    CrazyM
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Thanks, that's clear now.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Firewall logging with look-up and traceroute functionality.

    Some firewalls will have the ability to do who-is/rdns look-ups and traceroute on IP's in the event logs. While this can be handy and a good marketing tool when "x" marks the bad guy on the world map with the visual traceroute, there are a couple of things for users to be aware of.

    When you do a rdns (reverse dns look-up) on an IP, if it does not resolve to a name, Windows by default will resort to a netbios name look-up, which means contacting the IP to do this. If your firewall/router is misconfigured and permits outbound netbios, you will now be querrying this IP and potentially showing up in their logs. Keep this in mind as well if you have the option to resolve addresses automatically in the logs. The same applies when doing a traceroute, it means your system pinging the IP and announcing your presence/interest. So much for stealth if that is a concern for you.

    Something to be aware of if you are performing these types of look-ups from your own system. There are online resouces available for these querries so you do not have to worry about your IP showing up somewhere you did not intend it to. One example being: DNSstuff.com.

    Whois lookups can also be done directly at:
    ARIN WHOIS Database Search
    Internic Whois Search
    RIPE Whois Search
    APNIC Whois Search
    LACNIC Whois Search

    Regards,

    CrazyM
     
    Last edited: Nov 13, 2005
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.