IDS mailing list archives

Firewall Activity analysis


From: "Terry Ziemniak" <tmz () hawk swc com>
Date: Wed, 11 Dec 2002 10:00:29 -0600

All,

I have been working on firewall activity analysis for Pix firewalls for
a while.  I have written a perl script that parses the log files and
puts all of the data into an Access database.  This allows me to run
queries such as “List all successful TCP connections for everyone who
had more than 1 explicit denied connection”.

This is an explicit (rigid ?) way to flag bad behavior.  However, I was
wondering if it makes sense (now that all of the data is in a database) to
attempt statistical analysis of this data to flag bad behavior.

I could look at the HTTP bytes, or number of connections, or time (etc)
and flag source IPs that deviate from the norm by a certain amount.  I
could do this without setting hard limits (such as ‘list the top 1%
incoming HTTP users’) which would limit the amount of IPs flagged as
bad.  Of course this would be applicable to any protocol.

The goal of this is to flag suspicious communications that should be
more thoroughly investigated.

At this point this is a mental exercise but I was wondering if anyone
had any thoughts or opinions on the matter.

PS - This is based on my somewhat tenuous grasp of statistical analysis.

Thanks.

Terry
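The two approaches in the post side by side, as an added example that is not part of the original message or Terry's Perl script: a parser for PIX-style "Built"/"Deny" syslog lines feeding an in-memory SQLite table (standing in for the Access database), the explicit rule ("successful TCP connections for every source with more than one deny") as a SQL query, and a statistical rule that flags sources whose deny count lies more than a chosen number of standard deviations above the mean, with no top-N cut-off. The log lines are constructed and only approximate the real PIX message formats; the table layout, function names and the z-score threshold are assumptions for this example.

```python
import re
import sqlite3
import statistics

# Constructed sample lines shaped like PIX messages 302013 (Built) and 106023 (Deny).
# Made up for this example, not a real capture; 203.0.113.5 is the intended outlier.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 1 for outside:203.0.113.5/40001 (203.0.113.5/40001) to inside:10.0.0.10/80 (10.0.0.10/80)
%PIX-4-106023: Deny tcp src outside:203.0.113.5/40002 dst inside:10.0.0.10/22 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/40003 dst inside:10.0.0.10/23 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/40004 dst inside:10.0.0.10/445 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/40005 dst inside:10.0.0.10/1433 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/40006 dst inside:10.0.0.10/3389 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:203.0.113.5/40007 dst inside:10.0.0.11/22 by access-group "outside_in"
%PIX-6-302013: Built inbound TCP connection 2 for outside:198.51.100.7/50001 (198.51.100.7/50001) to inside:10.0.0.10/80 (10.0.0.10/80)
%PIX-6-302013: Built inbound TCP connection 3 for outside:198.51.100.7/50002 (198.51.100.7/50002) to inside:10.0.0.10/443 (10.0.0.10/443)
%PIX-4-106023: Deny tcp src outside:198.51.100.7/50003 dst inside:10.0.0.10/22 by access-group "outside_in"
%PIX-6-302013: Built inbound TCP connection 4 for outside:198.51.100.8/50010 (198.51.100.8/50010) to inside:10.0.0.10/80 (10.0.0.10/80)
%PIX-6-302013: Built inbound TCP connection 5 for outside:198.51.100.8/50011 (198.51.100.8/50011) to inside:10.0.0.10/443 (10.0.0.10/443)
%PIX-6-302013: Built inbound TCP connection 6 for outside:192.0.2.9/60001 (192.0.2.9/60001) to inside:10.0.0.10/80 (10.0.0.10/80)
%PIX-4-106023: Deny tcp src outside:192.0.2.9/60002 dst inside:10.0.0.10/22 by access-group "outside_in"
%PIX-4-106023: Deny tcp src outside:192.0.2.9/60003 dst inside:10.0.0.10/23 by access-group "outside_in"
%PIX-6-302013: Built inbound TCP connection 7 for outside:192.0.2.20/60010 (192.0.2.20/60010) to inside:10.0.0.10/80 (10.0.0.10/80)
%PIX-6-302013: Built inbound TCP connection 8 for outside:192.0.2.21/60011 (192.0.2.21/60011) to inside:10.0.0.10/80 (10.0.0.10/80)
%PIX-6-302013: Built inbound TCP connection 9 for outside:192.0.2.22/60012 (192.0.2.22/60012) to inside:10.0.0.10/80 (10.0.0.10/80)
%PIX-6-302013: Built inbound TCP connection 10 for outside:192.0.2.23/60013 (192.0.2.23/60013) to inside:10.0.0.10/80 (10.0.0.10/80)
"""

BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) (\w+) connection \d+ for \w+:([\d.]+)/\d+ \(\S+\) to \w+:([\d.]+)/(\d+)")
DENY_RE = re.compile(r"Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")


def parse_log(text):
    """Turn PIX log lines into (kind, proto, src, dst, dport) rows; unrecognised lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            rows.append(("built", m.group(1).lower(), m.group(2), m.group(3), int(m.group(4))))
            continue
        m = DENY_RE.search(line)
        if m:
            rows.append(("deny", m.group(1).lower(), m.group(2), m.group(3), int(m.group(4))))
    return rows


def load_db(rows):
    """Load parsed rows into an in-memory SQLite table (assumed layout, stands in for the Access DB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (kind TEXT, proto TEXT, src TEXT, dst TEXT, dport INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def successes_after_denies(conn, min_denies=2):
    """Explicit rule: successful TCP connections for every source with at least min_denies denies."""
    sql = """
        SELECT src, dst, dport FROM events
        WHERE kind = 'built' AND proto = 'tcp'
          AND src IN (SELECT src FROM events WHERE kind = 'deny' GROUP BY src HAVING COUNT(*) >= ?)
        ORDER BY src, dst, dport
    """
    return conn.execute(sql, (min_denies,)).fetchall()


def deny_counts(conn):
    """Per-source deny count, including zero for sources that only ever connected successfully."""
    sql = "SELECT src, SUM(CASE WHEN kind = 'deny' THEN 1 ELSE 0 END) FROM events GROUP BY src"
    return dict(conn.execute(sql).fetchall())


def flag_outliers(counts, z_threshold=2.0):
    """Statistical rule: flag sources more than z_threshold population standard deviations
    above the mean. Returns {src: z-score}; how many are flagged depends on the data, not a quota."""
    values = list(counts.values())
    if len(values) < 2:
        return {}
    mean = statistics.mean(values)
    sd = statistics.pstdev(values)
    if sd == 0:
        return {}
    return {src: round((n - mean) / sd, 2) for src, n in counts.items() if (n - mean) / sd > z_threshold}


if __name__ == "__main__":
    db = load_db(parse_log(SAMPLE_LOG))
    print("explicit rule:", successes_after_denies(db))
    print("statistical rule:", flag_outliers(deny_counts(db)))
```

With the constructed lines the explicit query returns the successful connections of 192.0.2.9 and 203.0.113.5 (both had more than one deny), while the statistical rule flags only 203.0.113.5 (z ≈ 2.48). The same `deny_counts`-style aggregate can be swapped for bytes or connection counts per source, as the post suggests. One caveat a practitioner would note: per-host counts from a firewall are heavily skewed (most hosts sit at zero), so the mean and standard deviation are pulled around by a single noisy host, and on a small population a z-score threshold is fragile; a median-based spread or a longer baseline window gives a steadier "norm" before the hard-threshold comparison.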
