
Firewall/packetfilter logfiles for cybersecurity purposes

Right now I am doing research on making the log files generated by the UTM firewall useful for detecting malicious threats on the network. I have the log file below:

2018:03:15-10:03:27 BDUUTM-1 ulogd[905]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62017" initf="eth1" srcmac="f0:f7:55:ca:80:3a" dstmac="00:1a:8c:f0:30:a1" srcip="64.233.173.159" dstip="87.251.46.138" proto="6" length="60" tos="0x00" prec="0x00" ttl="40" srcport="38679" dstport="80" tcpflags="SYN"


Now my first question: what do the following log fields mean? ulogd[905]:, id="2000", severity="info", sys="SecureNet", sub="packetfilter", name="Packet logged", action="log", fwrule="62017", tos="0x00", prec="0x00".


My second question is: which data can be useful for detecting malicious threats on the network?


Kind regards,

Edward



  • Several thoughts:

    1) UTM is for detecting and preventing unwanted traffic. Logs are your quality control mechanism to see if your configuration is achieving your goals.

    2) The goal is to allow all essential traffic, block all dangerous traffic, and use unnecessary-but-harmless traffic as the boundary area where some is blocked and some is allowed.

    3) There is no master definition of host traffic, so all block/allow decisions are heuristics (guesses).

    I suggest that most organizations are willing to block a lot of optional traffic to avoid one infection.

    4) Each UTM module blocks various types of suspected threats. For the most protection, use all of them.

    5) Firewall rules only process traffic that is not handled by another proxy. You want to scan multiple logs for the whole picture.

    See my post about "Optimizing web proxy" in this forum for ideas about partitioning your data across multiple logs to maximize usability.

    See my post about UTM architecture in the wiki for general information. Actually, read all of the wiki.

    See my post about using SQL for log analysis, to get log data into a form that you can query.

    Then start looking at what happens. If I block country X, does anything break? (Probably.) Does it matter? (Maybe not.) Why is that PC talking to that server? (Probably a special application, but it is worth checking.)

    Keep experimenting
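As an added example (not part of the original thread and not Sophos's own tooling), the script below parses the ulogd packetfilter format quoted in the question into fields and loads them into SQLite, following the reply's suggestion of using SQL to ask questions like "why is that host talking to that server?". The first sample line is the one from the question; the other two are constructed, not real traffic, and the table columns and query are my own choices.

```python
import re
import sqlite3

# Constructed sample input: the first line is the one quoted in the question;
# the other two are made-up lines in the same ulogd format (not real traffic).
SAMPLE_LOG = """\
2018:03:15-10:03:27 BDUUTM-1 ulogd[905]: id="2000" severity="info" sys="SecureNet" sub="packetfilter" name="Packet logged" action="log" fwrule="62017" initf="eth1" srcmac="f0:f7:55:ca:80:3a" dstmac="00:1a:8c:f0:30:a1" srcip="64.233.173.159" dstip="87.251.46.138" proto="6" length="60" tos="0x00" prec="0x00" ttl="40" srcport="38679" dstport="80" tcpflags="SYN"
2018:03:15-10:03:28 BDUUTM-1 ulogd[905]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.7" dstip="87.251.46.138" proto="6" length="60" ttl="50" srcport="41000" dstport="445" tcpflags="SYN"
2018:03:15-10:03:29 BDUUTM-1 ulogd[905]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.7" dstip="87.251.46.138" proto="6" length="60" ttl="50" srcport="41001" dstport="3389" tcpflags="SYN"
"""

# Header: timestamp, hostname, process[pid]: followed by a run of key="value" pairs.
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')  # values may contain spaces ("Packet logged")

# Columns kept in the SQLite table (my selection); other keys stay in the parsed dict only.
COLUMNS = ["ts", "host", "sub", "name", "action", "fwrule", "initf",
           "srcip", "dstip", "proto", "srcport", "dstport", "tcpflags", "ttl"]

def parse_line(line):
    """Return a dict of header fields plus every key="value" pair, or None if the
    line is not in ulogd format, so a mixed log file does not abort the load."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "proc": m["proc"], "pid": int(m["pid"])}
    rec.update(KV_RE.findall(m["kv"]))
    return rec

def load_sqlite(log_text):
    """Load parsed lines into an in-memory SQLite table 'pf' so they can be queried."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pf (%s)" % ", ".join(COLUMNS))
    rows = [tuple(rec.get(c) for c in COLUMNS)
            for rec in map(parse_line, log_text.splitlines()) if rec]
    db.executemany("INSERT INTO pf VALUES (%s)" % ", ".join("?" * len(COLUMNS)), rows)
    return db

def sources_hitting_many_ports(db, min_ports=2):
    """One 'why is that host talking to us?' query: sources whose SYN packets reached
    several distinct destination ports on the same host, a pattern worth reviewing."""
    sql = """SELECT srcip, dstip, COUNT(DISTINCT dstport) AS ports
             FROM pf WHERE tcpflags = 'SYN'
             GROUP BY srcip, dstip
             HAVING COUNT(DISTINCT dstport) >= ?
             ORDER BY ports DESC"""
    return db.execute(sql, (min_ports,)).fetchall()
```

Once the records are in a table, the same loading step supports the other checks the reply describes, such as grouping dropped packets by fwrule or by destination country list.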
