What version are you using? 3.0b, 4.0, or CP2000. CP2000 has this ability
built in (it is in the latest release). It's called the CPMAD which is the
Check Point Malicious Activity Detector. It can monitor the logs for a
particular behavior and number of connection attempts (i.e., if you see 4
attempts to connect to port 135, drop all packets from that IP for the next
hour, permanently, whatever).
You should bother your Sales Rep for information on it.
Also, there is the CADS software (Cyber Attack Defense System). It can do
all kinds of system monitoring and control. It will also control not only
your firewalls, it will even automatically block an attacker at an upstream
router for DDOS attacks depending on how you configure it.
Here is the Check Point Link for that one:
http://www.checkpoint.com/cyberdefense/index.html
There may be more information available but I do not know where it would be.
Good luck!
Kenneth Ish
----- Original Message -----
From: "Chew Poh Chang (CAPL)" <pcchew_at_CSAH.COM>
To: <INCIDENTS_at_SECURITYFOCUS.COM>
Sent: Thursday, June 08, 2000 8:27 PM
Subject: FW-1 log analysis tool
> Greetings,
> I am looking for a FW-1 log analysis tool.
>
> In particular, I am looking for a tool which highlights the security
> incidents from a firewall-1 log, I don't care about bandwidth utilisation,
> web site hits, top X sources/destinations (except where this might indicate
> a scan/hack attempt.)
>
> I am specifically looking for something that lets me focus on the Security
> incidents in the log (as (initially) shown by Scans). I have other logs
> that show me attempts against Bind, Syslog, SMTP etc, but the tools for
> Firewall-1 seem to be focussed towards Mgmt & accounting, not security.
>
> I am hoping that someone has a perl script that they already use for this...
>
> Please note: I am currently receiving over 1,500,000 lines of (already
> abridged) logs each day, with an additional 5-10 million lines to come each
> day as soon as I get the log filter working correctly. This number will
> just grow over time, and I would not be surprised to be receiving 50-80
> just grow over time, and I would not be surprised to be receiving 50-80
> million lines per day within 12 months!
>
>
> Regards,
> Chew Poh Chang
Received on Jun 12 2000
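The threshold rule the reply describes (N attempts from one source to one port inside a time window) and the scan pattern the question wants highlighted (one source probing many distinct ports) are both simple enough to express as a single-pass log filter. The script below is an added example written for this thread; it is not code from either poster and not a Check Point product feature. It is in Python rather than the Perl asked for, and the semicolon-separated field layout of the sample lines (date;time;action;proto;src;dst;service) is a constructed assumption for the example, not the real FW-1 export format, so `parse_line` would need adjusting to a real `fw logexport` column order.

```python
"""Threshold-based scan detection over firewall log lines (added example).

Two rules, both evaluated in one streaming pass with sliding time windows:
  repeat-port : >= PORT_THRESHOLD attempts from one src to one dst port
                within PORT_WINDOW (the "4 attempts to port 135" rule)
  port-scan   : >= SCAN_THRESHOLD distinct dst ports from one src within
                SCAN_WINDOW
Only dropped connections are considered by default, since accepted traffic
is what the firewall policy already allows.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Field layout is an assumption for this example:
# date;time;action;proto;src;dst;service (dst port). Addresses are RFC 5737
# documentation ranges / private space, not real hosts.
SAMPLE_LOG = """\
8Jun2000;20:01:02;drop;tcp;10.1.1.5;192.0.2.10;135
8Jun2000;20:01:04;drop;tcp;10.1.1.5;192.0.2.11;135
8Jun2000;20:01:05;drop;tcp;10.1.1.5;192.0.2.12;135
8Jun2000;20:01:09;drop;tcp;10.1.1.5;192.0.2.13;135
8Jun2000;20:02:00;accept;tcp;10.1.1.7;192.0.2.10;80
8Jun2000;20:02:01;drop;tcp;10.1.1.9;192.0.2.10;21
8Jun2000;20:02:02;drop;tcp;10.1.1.9;192.0.2.10;22
8Jun2000;20:02:03;drop;tcp;10.1.1.9;192.0.2.10;23
8Jun2000;20:02:04;drop;tcp;10.1.1.9;192.0.2.10;25
8Jun2000;20:02:05;drop;tcp;10.1.1.9;192.0.2.10;80
8Jun2000;20:02:06;drop;tcp;10.1.1.9;192.0.2.10;110
8Jun2000;20:30:00;drop;tcp;10.1.1.5;192.0.2.10;135
"""

PORT_THRESHOLD = 4
PORT_WINDOW = timedelta(minutes=10)
SCAN_THRESHOLD = 5
SCAN_WINDOW = timedelta(minutes=1)


def parse_line(line):
    """Split one constructed-format line into a record dict."""
    date, time, action, proto, src, dst, service = line.strip().split(";")
    ts = datetime.strptime(f"{date} {time}", "%d%b%Y %H:%M:%S")
    return {"ts": ts, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": int(service)}


def detect(lines, only_dropped=True):
    """Return a list of alert tuples in the order they fire.

    Memory stays bounded per key because each deque is pruned to its
    window on every event, which matters at millions of lines per day.
    Each (src, port) or src key alerts at most once.
    """
    alerts = []
    per_port = defaultdict(deque)   # (src, port) -> timestamps
    per_src = defaultdict(deque)    # src -> (timestamp, port)
    alerted_port, alerted_scan = set(), set()

    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if only_dropped and rec["action"] != "drop":
            continue
        now = rec["ts"]

        # Rule 1: repeated attempts against the same port from one source.
        key = (rec["src"], rec["port"])
        q = per_port[key]
        q.append(now)
        while q and now - q[0] > PORT_WINDOW:
            q.popleft()
        if len(q) >= PORT_THRESHOLD and key not in alerted_port:
            alerted_port.add(key)
            alerts.append(("repeat-port", rec["src"], rec["port"], len(q)))

        # Rule 2: many distinct destination ports from one source.
        q2 = per_src[rec["src"]]
        q2.append((now, rec["port"]))
        while q2 and now - q2[0][0] > SCAN_WINDOW:
            q2.popleft()
        distinct = {p for _, p in q2}
        if len(distinct) >= SCAN_THRESHOLD and rec["src"] not in alerted_scan:
            alerted_scan.add(rec["src"])
            alerts.append(("port-scan", rec["src"], len(distinct)))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Reading a real log would replace `SAMPLE_LOG.splitlines()` with the file handle, which the function already accepts since it only iterates lines. The thresholds are deliberately module constants so they can be tuned per site; a busy internal subnet legitimately hitting one service would need a higher `PORT_THRESHOLD` or a source allow-list to avoid noise.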