What’s My Firewall Telling Me? (Part 4), (Wed, Mar 10th)
There's been a lot of discussion about the recent stories on parsing firewall logs - Mark's story at http://isc.sans.org/diary.html?storyid=8293 , Daniel's story at http://isc.sans.org/diary.html?storyid=8347 , and Kyle's at http://isc.sans.org/diary.html?storyid=8362 have covered a number of methods and tools for plumbing the depths of your firewall logs. In these stories, it's been stressed that there's gold in them there logs! Reviewing your logs is legally required under several regulatory frameworks, and just plain makes sense: reviewing inbound and outbound traffic is an excellent way to find stuff being sent or received that shouldn't be happening, finding malware or finding violations of ...
Comments (2)

Hello Rob,
Great outline. I got some great ideas from this, especially the anonymous proxy. I’ll have to play with that in our NetFlow Analyzer.
I wish you had some screen captures. Let me know if you want a free copy of Scrutinizer.
Jake
Thanks for the informative article. NetFlow is a great tool to use for solving Network abuse issues. There are a lot of really good analyzer tools out there. I’d recommend giving Scrutinizer (www.plixer.com) a try for an affordable solution that is designed specifically for tracking NetFlow.