Re: Pix info - audit info and logging and general

From: fingers (fingers@fingers.co.za)
Date: Wed Nov 28 2001 - 11:39:03 EST


Hi Travis

> Not sure what you're looking for exactly here ... the PIX is only going to
> log a certain amount of info about anything. If you want info about what
> a.b.c.d did to ip e.f.g.h, and it's going over something that's allowed in
> your ACLs, you'd need close to debug level logging ...
>
> I'm logging informational on a couple of pixen, and get things like:
> 304001: xxx.xxx.xxx.xx Accessed URL
> xxx.xxx.xxx.xx:/GMES/get.html?target=GMR&z=136037049

kewl thanks. I think I've found what I'm looking for (level6) I just
didn't have my syslogd configured correctly.

> in specific reference to log analysis, I've not found anything useful on CCO
> (no, I don't use firewall manager, as I don't run NT)

didn't even know it existed :P

> I've been looking at several of the tools at
> http://www.counterpane.com/log-analysis.html and many of them are capable
> of grinding PIX logs and creating audit-style information. However,
> depending on the level of detail you're looking for, it might be easier to
> put a box running snort outside your firewall and grab all the packets on
> the wire for further analysis.

kewl, I'll take a look at it. I did find something to turn pix-style
syslogs into snort-formatted logs, which I can then use things like
snortsnarf and the like with. The url should be
http://cs.calvin.edu/~mpost89/pixlog/.

Thanks to all who responded privately aswell.

Regards

--Rob



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:24 EDT