Home page logo

basics logo Security Basics mailing list archives

Re: Logs from Firewall NetScreen
From: krymson () gmail com
Date: Tue, 6 Sep 2011 21:04:10 GMT

I would say you want to enable as much as you can, and then start watching the logs as they come in. 

There are 2 broad scenarios for SIEM collection:

1) Log gathering and archiving
In this, you want to look at any logs coming in and ask yourself, "Will I ever need to see these entries as part of an 
investigation or forensics question?" If not, discard them. Log management has done this task for quite some time and 
it's pretty clear.

2) Event alarming (SIEM)
In this, you want to ask yourself, "When this log entry comes through my SIEM as an event, will it ever be something I 
need to look at to reveal an incident?"

SIEM still generates way too many false positive events. Do you want to watch log entries that hit your DENY rules? Not 
usually, but sometimes, sure! A SIEM is poor in making many detailed distinctions like that.

You can even argue that there's nothing you really want to see off your firewall other than failed administrative 
logins, reboots, successful administrative logins, and commands issued. ALarming on anything else will incur 
administrative overhead and your time.

Everything else can just be archived per scenario #1 above.

<- snip ->
I'm wonder if someone knows what are the options of logs that should be activated in the syslogs of firewall netscreen, 
in my case, we have the next log settings:
- Emergency -> Activated
- Alert -> Activated
- Critical -> Activated
- Error -> Activated
- Warning -> Deactivated
- Notification -> Deactivated
- Information -> Deactivated
- Debugging -> Deactivated

But i'do not know if they are the best practices, i would think to keep activated just Emergency, Alert, Critical and 
Notification but i'm not sure; or the other option is to activate all...
The problem with the last is that there's too much information that my SIEM received and don't know if every event is 
important to monitor...
I hope someone could help me...

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]