There’s been a lot of discussion about the recent stories on parsing firewall logs - Mark’s story at http://isc.sans.org/diary.html?storyid=8293, Daniel’s story at http://isc.sans.org/diary.html?storyid=8347, and Kyle’s at http://isc.sans.org/diary.html?storyid=8362 have covered a number of methods and tools for plumbing the depths of your firewall logs.
Needless to say, after this short exploration, we're working on an egress filter for this firewall. The "we trust our users" position not only ignores the fact that even if you trust your users, trusting your users' malware should be part of your business model, but as you can see from this, you can't trust (all of) your users either.

You can also see from this that a good NetFlow collector application gives you a great window into the traffic transiting your firewall or router, pretty much as granular as you want it to be. We collected all this data in about 10 minutes, while running a tutorial for the IT group at the same time. I still use grep, awk and the rest more than I use NetFlow, but a good NetFlow app can give you nice management-style reports, historical queries into your router or firewall data and really granular analysis with almost no time investment. If you're not a "CLI person", NetFlow can go a long way towards getting you really deep into your firewall activity.

=============== Rob VandenBrink, Metafore ==============
Rob VandenBrink 579 Posts ISC Handler Mar 10th 2010
Mar 10th 2010 1 decade ago
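The diary's point is that flow data gives you an egress view you can act on: aggregate what leaves the network, then see which of it an egress filter would have stopped. The script below is an added example written for this page, not the diary's own tooling or any NetFlow collector's code. The flow records, the 10.0.0.0/8 "internal" range and the tiny allow-list of permitted outbound ports are all constructed assumptions; a real collector would feed it exported flows instead.

```python
"""Egress review over flow records: which outbound traffic would an
egress filter stop, and who are the top talkers. Added example; the
flows, the internal range and the allow-list are constructed."""
from collections import defaultdict
import ipaddress

# Constructed sample flows: (src, dst, proto, dport, packets, bytes).
SAMPLE_FLOWS = [
    ("10.1.1.20", "93.184.216.34", "tcp", 443, 40, 52000),
    ("10.1.1.20", "93.184.216.34", "tcp", 80, 12, 9000),
    ("10.1.1.31", "198.51.100.7", "tcp", 6667, 300, 41000),  # not on the allow-list
    ("10.1.1.31", "198.51.100.7", "tcp", 6667, 120, 15000),
    ("10.1.1.45", "203.0.113.9", "udp", 53, 5, 600),
    ("10.1.1.45", "203.0.113.9", "tcp", 25, 900, 1200000),  # direct SMTP, bypassing the relay
    ("10.1.1.20", "10.1.1.5", "tcp", 445, 80, 30000),       # internal to internal, ignored
    ("203.0.113.9", "10.1.1.45", "tcp", 443, 10, 2000),     # inbound, ignored
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
# Assumed egress policy: only these (proto, dport) pairs may leave directly;
# anything else is expected to go through the proxy or the mail relay.
EGRESS_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def is_egress(flow):
    """True for flows that originate inside and terminate outside the network."""
    src, dst = ipaddress.ip_address(flow[0]), ipaddress.ip_address(flow[1])
    return src in INTERNAL and dst not in INTERNAL


def egress_report(flows, allow=EGRESS_ALLOW):
    """Aggregate outbound flows per (src, dst, proto, dport) and split them
    into permitted traffic and traffic the egress filter would block."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0})
    for f in flows:
        if not is_egress(f):
            continue
        key = f[:4]
        agg[key]["packets"] += f[4]
        agg[key]["bytes"] += f[5]
        agg[key]["flows"] += 1
    allowed, blocked = {}, {}
    for key, stats in agg.items():
        bucket = allowed if (key[2], key[3]) in allow else blocked
        bucket[key] = stats
    return allowed, blocked


def top_talkers(flows, n=3):
    """Internal hosts ranked by bytes sent out of the network."""
    by_src = defaultdict(int)
    for f in flows:
        if is_egress(f):
            by_src[f[0]] += f[5]
    return sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    allowed, blocked = egress_report(SAMPLE_FLOWS)
    print("Would be blocked by the egress filter:")
    for (src, dst, proto, dport), s in sorted(blocked.items()):
        print(f"  {src} -> {dst} {proto}/{dport}: {s['flows']} flows, {s['bytes']} bytes")
    print("Top talkers:", top_talkers(SAMPLE_FLOWS))
```

The split into allowed and blocked is what turns "interesting" into actionable: the blocked bucket is the list of conversations to investigate before the filter goes live, and the top-talker view catches the single host that moves more data out than everything else combined.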
NetFlow is good. Argus is also a great flow tool as well. Switch it on, on a personal network and set it to capture say 32-bytes of payload.
When you look at your flow data you will see most of the URL of the request, along with the web server's reply code (and not much more...). You can tweak the 32-byte snaplen value to find your verbosity/disk-space/privacy sweet spot. This is great for post-exploitation forensics, without burning up too much disk space. On a shared network, however, users need to be made aware of the monitoring, and it should be used ethically.
Anonymous
Mar 10th 2010 1 decade ago
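To make the snaplen trade-off in the comment above concrete, here is an added example (not Argus code, and not from the comment's author) that keeps only the first N bytes of a constructed HTTP request and response and reports what a forensic reviewer can still recover from them. The request and response strings, the 32- and 64-byte cut-offs and the helper names are all constructed for this illustration.

```python
"""What a fixed payload snaplen reveals of an HTTP exchange. Added
example; the request, the response and the cut-offs are constructed."""

# Constructed sample payloads (a request from a client, a reply from the server).
REQUEST = b"GET /search?q=flow+analysis+tools HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
RESPONSE = b"HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"


def capture(payload, snaplen=32):
    """Simulate a collector that stores only the first snaplen payload bytes."""
    return payload[:snaplen]


def summarize_request(captured):
    """Recover method and URL from a truncated request. 'complete' is False
    when the request line was cut before its end, so the URL may be partial."""
    first_line, sep, _ = captured.partition(b"\r\n")
    parts = first_line.split(b" ")
    method = parts[0].decode("ascii", "replace") if parts else ""
    url = parts[1].decode("ascii", "replace") if len(parts) > 1 else ""
    complete = bool(sep) and len(parts) >= 3   # saw "METHOD URL VERSION\r\n"
    return {"method": method, "url": url, "complete": complete}


def summarize_response(captured):
    """Recover the status code from a truncated response, or None if the
    snaplen ended before the code."""
    first_line = captured.partition(b"\r\n")[0]
    parts = first_line.split(b" ")
    try:
        status = int(parts[1])
    except (IndexError, ValueError):
        status = None
    return {"status": status}


def reveal_at(snaplens=(16, 32, 64)):
    """Show, per snaplen, what survives of the sample exchange."""
    return {n: (summarize_request(capture(REQUEST, n)),
                summarize_response(capture(RESPONSE, n))) for n in snaplens}


if __name__ == "__main__":
    for n, (req, resp) in reveal_at().items():
        print(f"snaplen {n:>3}: {req}  {resp}")
```

At 32 bytes the method, the path and most of the query string survive, but the `complete` flag is False because the request line was cut mid-URL; at 64 bytes the whole request line is there. The status code of the reply needs only the first dozen or so bytes. That is the knob the comment describes: raise the snaplen until the fields you need for forensics are reliably present, and no further, since every extra byte is more disk and more of the users' content retained.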
Why not use OSSEC hids?
It allows for creating rules once instead of having to grep for them. Also, in more complex environments you'll be able to correlate events... http://www.ossec.net
Anonymous
Mar 10th 2010 1 decade ago
True. I think both are useful. The Argus method may just catch something rules may miss (0-day, etc.).
Anonymous
Mar 10th 2010 1 decade ago
Thanks for the post. Scrutinizer (www.plixer.com) is also a great product to collect and analyze NetFlow data. Great for resolving network issues such as the proxy problem you mentioned in the article.
Anonymous
Mar 10th 2010 1 decade ago
I'm a newbie to networking and setting up a firewall, but I have a Linux firewall in my home network, and all of my network's traffic passes through the Linux router to reach the internet. How would I set up something so that I could collect the kind of data that is mentioned in this article?
I looked into flow-tools for Ubuntu, but I couldn't find any decent information on how to set it up with a single server acting as a router. If you could assist, it would be most appreciated. Thank you in advance -Jeff
Anonymous
Mar 11th 2010 1 decade ago
flow-tools is more for receiving and processing NetFlow data from a router that might serve as your firewall or upstream router; ntop might be a good way to go for what you have in mind. It's not NetFlow, but it collects and presents the same type of data in a similar format.
Rob VandenBrink 579 Posts ISC Handler
Mar 11th 2010 1 decade ago
Thanks for the program suggestion, I will look into implementing it.
Thank you -Jeff
Rob VandenBrink 3 Posts
Mar 11th 2010 1 decade ago
softflowd ( http://www.mindrot.org/projects/softflowd/ ) is available for Linux and BSD, which allows NetFlow-compatible data to be sent from a Linux machine to a collector. After working with NetFlow on our Cisco equipment at work, I installed softflowd (and the nfdump tools) on my home Linux router to get some practice.
I'm able to use the same tools to analyze the data. Setup on the collector is no different than if it was coming from a Cisco router.
Tim 6 Posts
Mar 11th 2010 1 decade ago
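The reason the collector setup is "no different" is that softflowd speaks the same export format a Cisco router does. The following is an added example written for this thread, not softflowd or nfdump code, that packs a NetFlow v5 export packet from constructed sample flows and parses it back, with the length and version checks a collector should apply before trusting the header's record count. The v5 layout (24-byte header followed by 48-byte records, up to 30 per packet, all fields in network byte order) is the documented Cisco format; the sample addresses, timestamps and the helper names are constructed.

```python
"""Minimal NetFlow v5 export packet encoder and decoder. Added example;
the sample flows and header values are constructed."""
import socket
import struct

# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
# engine_type, engine_id, sampling_interval -> 24 bytes, network byte order.
HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
# last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2 -> 48 bytes.
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30  # v5 limit per datagram


def build_packet(flows, uptime_ms=1000, unix_secs=1268179200, seq=0):
    """Encode flows (dicts with src, dst, proto, sport, dport, packets,
    bytes, first_ms, last_ms, optional tcp_flags) as one v5 datagram."""
    if len(flows) > MAX_RECORDS:
        raise ValueError("NetFlow v5 carries at most 30 records per packet")
    header = HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b"".join(
        RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
            b"\x00" * 4, 0, 0,                       # nexthop, input, output
            f["packets"], f["bytes"], f["first_ms"], f["last_ms"],
            f["sport"], f["dport"],
            0, f.get("tcp_flags", 0), f["proto"], 0,  # pad1, flags, proto, tos
            0, 0, 0, 0, 0)                            # ASNs, masks, pad2
        for f in flows)
    return header + body


def parse_packet(data):
    """Decode a v5 datagram into (header dict, list of record dicts).
    Rejects short packets, non-v5 packets and a count that overruns the data."""
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than a v5 header")
    (version, count, uptime, secs, nsecs, seq,
     etype, eid, sampling) = HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) < HEADER.size + count * RECORD.size:
        raise ValueError("header count exceeds packet length")
    records = []
    for i in range(count):
        r = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        records.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "packets": r[5], "bytes": r[6], "first_ms": r[7], "last_ms": r[8],
            "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13],
        })
    header = {"version": version, "count": count, "uptime_ms": uptime,
              "unix_secs": secs, "flow_sequence": seq}
    return header, records


# Constructed sample flows from a home router, as an exporter would emit them.
SAMPLE = [
    {"src": "192.168.1.10", "dst": "93.184.216.34", "proto": 6, "sport": 51234,
     "dport": 443, "packets": 24, "bytes": 18000, "first_ms": 500, "last_ms": 900,
     "tcp_flags": 0x1b},
    {"src": "192.168.1.10", "dst": "192.168.1.1", "proto": 17, "sport": 41000,
     "dport": 53, "packets": 1, "bytes": 70, "first_ms": 480, "last_ms": 480},
]

if __name__ == "__main__":
    pkt = build_packet(SAMPLE, seq=42)
    hdr, recs = parse_packet(pkt)
    print(hdr)
    for r in recs:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"proto {r['proto']} {r['packets']} pkts {r['bytes']} bytes")
```

The count-versus-length check is the one worth remembering: the header's record count comes off the wire unauthenticated (v5 is plain UDP), so a collector that loops on it without bounding by the datagram length reads past the buffer on a short or malformed packet.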
The monitoring side is critical, but you'll probably want to be able to generate some traffic so you can validate your ACLs. One web-based tool is a site called firebind.com. It uses a web-based client on your machine to send TCP packets back and forth to its server on any of the 65535 TCP ports of your choosing (or all, if you'd like). You can even use it to validate your monitoring tools.
Tim 1 Posts
Mar 11th 2010 1 decade ago
Great series and I tried Scrutinizer (www.plixer.com) and am very impressed. This really filled the void as my Cisco ASA now supports netflow. It was easy to install and immediately yielded useful data in a simple to navigate GUI.
Anonymous
Mar 12th 2010 1 decade ago