Firewall / IDP log review

msaalim asked:
I just started as a security admin. I would like to know what are the things I should focus on when reviewing firewall and IDP log files. We have Juniper firewall and IDP devices. Any documentation / guidelines anyone can recommend.

You should be looking for hosts that are accessing resources they aren't supposed to. IDP allows you to set different severity levels to certain entries and you should set up alarms and/or email, pager notifications for these. You'll see hundreds of entries from your IDS logs and you probably wouldn't have the time to go through all of these. Hence, only go through the ones that have occurred more than 20-30 times. Ignore the ones that have fewer than 5-10 entries. Now when you see an entry, check to see if it's coming from a single source. You can point out virus infections, trojans, spyware and a lot of other stuff with IDP. It also gives you descriptions of different signatures and if it doesn't, Juniper's knowledge base should. I often see firewall/IDP discussions here

Hope this helps
Typical behaviours to watch for would be things such as SMTP traffic coming from non-mail servers outbound, high numbers of connections in a short period of time, inbound connections to services that should not exist on the host.

One of the best things would be to learn your environment and what is the norm. I.e. Server X has RDP, Windows Services and FTP; Server Y only has www services.

Before scanning your logs (unless you're looking for specific traffic) you want to baseline, as described above. Consider also setting up a network monitoring tool to give you a more visual representation of your traffic -- MRTG or Nagios/NagVis etc


How would I know if a system has been compromised?

A host-level IDP, such as Tripwire; alternately, if the traffic from it is not what it should be -- HTTP to or from a box whose only purpose is mail, for example -- that is also a give-away.
This comes with months of practice, and I would recommend this approach:

1. Identify all the servers in your environment.
2. Most of the servers generate false positives (Windows file share access etc.), so once you know the servers and the ports they are using, you can safely ignore alerts related to them. Be careful to ignore specific alerts only and not all alerts.
3. Look at alerts triggered with external IPs as destinations. This would give you an idea of P2P, chat. You can also look at HTTP traffic to identify people listening to music, playing videos or machines infected with spyware etc. This comes with practice, as Windows updates also generate excessive HTTP traffic. But as you report these events, you will learn.
4. Look at alerts from internal IP addresses to identify and see if any servers have been missed or if there are security holes like clear text password files, use of insecure ports, remote registry access. All this should be administration activity or machines compromised with trojans etc.
5. Look at alerts from DMZ hosts and follow 3 and 4.
6. Also set thresholds for TCP, HTTP, FTP traffic and tune signatures to fire when those thresholds are exceeded by a certain percentage. This is helpful for identifying reconnaissance and DoS attacks.

With this approach you easily identify infections, violations and misconfigurations.

I would also recommend (if affordable) the use of a SIM tool which correlates IDS and firewall logs and presents a single console for alerts from different security devices.
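The baseline-and-filter approach in the steps above, together with the outbound-SMTP, connection-burst and "only look at signatures that fire 20-30 times, then check whether they come from a single source" advice in the earlier answers, as an added Python example that is not part of this thread and not Juniper's tooling. It runs over constructed log lines in a simplified "timestamp src dst proto dport action" layout (not the real Juniper log format), with hypothetical hosts 10.0.0.10 as "Server X", 10.0.0.20 as "Server Y" and 10.0.0.25 as the only mail server; the thresholds (20 connections in 60 seconds, 20 occurrences of an IDP signature) are assumptions taken from the figures the answers mention.

```python
"""Triage of constructed firewall / IDP log lines against a server baseline."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed baseline (hypothetical hosts): which ports each server legitimately serves.
BASELINE: Dict[str, set] = {
    "10.0.0.10": {3389, 445, 21},  # "Server X": RDP, Windows services, FTP
    "10.0.0.20": {80},             # "Server Y": www only
    "10.0.0.25": {25},             # the only mail server
}
MAIL_SERVERS = {"10.0.0.25"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample log: "timestamp src dst proto dport action" (not Juniper's format).
SAMPLE_LOG = """\
2024-01-05T09:00:01 10.0.0.50 10.0.0.20 tcp 80 permit
2024-01-05T09:00:02 10.0.0.25 203.0.113.9 tcp 25 permit
2024-01-05T09:00:03 10.0.0.51 203.0.113.7 tcp 25 permit
2024-01-05T09:00:04 198.51.100.4 10.0.0.20 tcp 22 permit
2024-01-05T09:00:05 10.0.0.50 10.0.0.10 tcp 445 permit
"""
# One host opening 25 outbound connections within 25 seconds (constructed burst).
SAMPLE_LOG += "".join(
    f"2024-01-05T09:01:{i:02d} 10.0.0.60 203.0.113.{i} tcp 445 permit\n" for i in range(25)
)

# Constructed IDP alert lines in "signature src" layout (also not Juniper's format).
SAMPLE_ALERTS = (["HTTP:SPYWARE:BEACON 10.0.0.51"] * 30
                 + ["SMB:NULL-SESSION 10.0.0.50"] * 3
                 + ["FTP:LOGIN-FAILED 10.0.0.10"] * 8)


def parse_line(line: str) -> dict:
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "action": action}


def parse_log(text: str) -> List[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def smtp_from_non_mail_servers(records: List[dict]) -> List[str]:
    """Internal hosts sending outbound SMTP that are not the known mail servers."""
    return sorted({r["src"] for r in records
                   if r["dport"] == 25 and r["action"] == "permit"
                   and is_internal(r["src"]) and not is_internal(r["dst"])
                   and r["src"] not in MAIL_SERVERS})


def inbound_to_unexpected_services(records: List[dict]) -> List[Tuple[str, str, int]]:
    """Permitted connections to a baselined server on a port it should not be serving."""
    hits = []
    for r in records:
        allowed = BASELINE.get(r["dst"])
        if allowed is not None and r["action"] == "permit" and r["dport"] not in allowed:
            hits.append((r["src"], r["dst"], r["dport"]))
    return hits


def connection_bursts(records: List[dict], window: timedelta = timedelta(seconds=60),
                      threshold: int = 20) -> Dict[str, int]:
    """Sources that opened at least `threshold` connections inside any `window` (sliding)."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r["ts"])
    bursty: Dict[str, int] = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursty[src] = max(bursty.get(src, 0), count)
    return bursty


def frequent_alerts(lines: List[str], min_count: int = 20) -> Dict[str, Dict[str, int]]:
    """Signatures seen at least `min_count` times, broken down by source so a
    single-source pattern (one infected host) stands out from a broad one."""
    sigs: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        sig, src = line.split()
        sigs[sig][src] += 1
    return {sig: dict(srcs) for sig, srcs in sigs.items() if sum(srcs.values()) >= min_count}


def triage(text: str) -> dict:
    records = parse_log(text)
    return {
        "smtp_from_non_mail": smtp_from_non_mail_servers(records),
        "unexpected_inbound": inbound_to_unexpected_services(records),
        "bursts": connection_bursts(records),
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_LOG).items():
        print(f"{name}: {result}")
    print("frequent IDP signatures:", frequent_alerts(SAMPLE_ALERTS))
```

The baseline dictionary is the part that does the real work: once it reflects which ports each server is meant to serve, step 2 (ignore the known-good alerts for that server only) and step 4 (spot services that should not be there) become a lookup rather than a judgement call on every line.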
