Re: [Wallfire-users] Using wflogs/cisco_pix for ip accounting
From: <fd...@ms...> - 2003-05-07 19:35:01
> As you know, a serious security policy is "allow a few connections,
> drop all the rest", and it doesn't make much sense to log what is
> accepted (at least at the filter level).
> So... of course you can use values provided by a firewalling tool for
> accounting, but if it's not for firewalled (understand blocked)
> connections, it's generally a bad idea.

I do understand your point of view, but the question of who is consuming all of your bandwidth is security-related, too. Furthermore, IP accounting could help spot weak filtering rules. As the firewall is (or should be) the central place where all traffic arrives, it is an ideal location for collecting traffic data. Convinced?

Friedhelm

----- Original Message -----
From: "Herve Eychenne" <rv...@wa...>
To: "Friedhelm Düsterhöft" <fd...@ms...>
Cc: <wal...@li...>
Sent: Wednesday, May 07, 2003 8:51 PM
Subject: Re: [Wallfire-users] Using wflogs/cisco_pix for ip accounting

> On Wed, May 07, 2003 at 08:54:20PM +0200, Friedhelm Düsterhöft wrote:
>
> > Hi,
>
> > Well, really a huuuge list. To get the most out of it with the least
> > effort I would suggest starting with PIX-6-302014 and PIX-6-302016
> > messages. This would allow for an accounting of TCP and UDP bytes of
> > legitimate connections.
>
> You know, wflogs was not designed to be an accounting tool, but for
> the moment it gathers information about filtered (or non-filtered)
> connections.
> As you know, a serious security policy is "allow a few connections,
> drop all the rest", and it doesn't make much sense to log what is
> accepted (at least at the filter level).
> So... of course you can use values provided by a firewalling tool for
> accounting, but if it's not for firewalled (understand blocked)
> connections, it's generally a bad idea.
>
> So messages like number 106010 (and equivalents) seem much more
> important to me in the first place.
>
> Herve
>
> --
>  _
> (°=  Hervé Eychenne
> //)
> v_/_ WallFire project: http://www.wallfire.org/
>
> > ----- Original Message -----
> > From: "Hervé Eychenne" <rv...@wa...>
> > To: "Friedhelm Duesterhoeft" <fd...@ms...>
> > Cc: <wal...@li...>
> > Sent: Monday, April 28, 2003 8:07 PM
> > Subject: Re: [Wallfire-users] Using wflogs/cisco_pix for ip accounting
> >
> > > On Sun, Apr 27, 2003 at 11:31:44PM +0200, Friedhelm Duesterhoeft wrote:
> > >
> > > > Hi,
> > >
> > > > Thanks for your reply. Please find attached some sample logs (only PIX-6
> > > > lines). I think the sample should include all sorts - at least all I'm
> > > > interested in at the moment ;-). At first view there are not too many
> > > > variations, so I hope it's not very hard for you to build the regexps
> > > > required.
> > >
> > > > It would be nice if you could include PIX info level parsing in one of
> > > > the next releases. Wflogs rocks - thanks a lot for your efforts!
> > >
> > > Please have a look at
> > > http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm
> > >
> > > As you can see, one can spend some time sorting out meaningful messages
> > > for wflogs... :-/
> > > Friedhelm, if you (or someone else) want to gather all error messages
> > > that should be treated by wflogs, I would be glad to do the parsing as
> > > quickly as possible.
> > >
> > > Hervé
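The two uses argued over in the thread, byte accounting from the 302014/302016 teardown messages Friedhelm proposes and counting the 106010 denies Hervé considers more important, as an added Python sketch that is not part of the thread or of wflogs. The message layouts and the sample lines are my assumptions about the PIX 6.x syslog format, not taken from the logs attached to the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines (not the logs attached to the thread). The field layout
# is my assumption about the PIX 6.x format: 302014/302016 report the total bytes of a
# closed TCP/UDP connection, 106010 reports a denied inbound packet, 302013 is noise here.
SAMPLE_LOG = """\
%PIX-6-302014: Teardown TCP connection 1201 for outside:192.0.2.10/80 to inside:10.1.1.5/33000 duration 0:00:05 bytes 4096 TCP FINs
%PIX-6-302016: Teardown UDP connection 1202 for outside:192.0.2.53/53 to inside:10.1.1.5/40000 duration 0:02:01 bytes 512
%PIX-6-302014: Teardown TCP connection 1203 for outside:192.0.2.10/443 to inside:10.1.1.9/33100 duration 0:00:12 bytes 20480 TCP Reset-O
%PIX-3-106010: Deny inbound tcp src outside:203.0.113.7/4444 dst inside:10.1.1.5/22
%PIX-3-106010: Deny inbound udp src outside:203.0.113.7/53 dst inside:10.1.1.9/1434
%PIX-6-302013: Built inbound TCP connection 1204 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.5/33001 (10.1.1.5/33001)
"""

# Either endpoint may sit on the inside interface, so capture both and pick below.
TEARDOWN_RE = re.compile(
    r"%PIX-\d-30201[46]: Teardown (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<if1>\w+):(?P<ip1>[\d.]+)/\d+ to (?P<if2>\w+):(?P<ip2>[\d.]+)/\d+ "
    r"duration \S+ bytes (?P<bytes>\d+)"
)
DENY_RE = re.compile(
    r"%PIX-\d-106010: Deny inbound (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def account(lines, inside_if="inside"):
    """Return ({inside host: {"TCP": bytes, "UDP": bytes}}, {(src, dst, dport): denies})."""
    usage = defaultdict(lambda: {"TCP": 0, "UDP": 0})
    denies = defaultdict(int)
    for line in lines:
        m = TEARDOWN_RE.search(line)  # search(): real lines carry a syslog prefix
        if m:
            host = m["ip1"] if m["if1"] == inside_if else m["ip2"] if m["if2"] == inside_if else None
            if host:  # skip connections that never touched the inside interface
                usage[host][m["proto"]] += int(m["bytes"])
            continue
        m = DENY_RE.search(line)
        if m:
            denies[(m["src"], m["dst"], m["dport"])] += 1
    return dict(usage), dict(denies)

if __name__ == "__main__":
    usage, denies = account(SAMPLE_LOG.splitlines())
    for host, b in sorted(usage.items()):
        print(f"{host:15} TCP {b['TCP']:>8} B  UDP {b['UDP']:>8} B")
    for (src, dst, dport), n in sorted(denies.items()):
        print(f"deny {src} -> {dst}:{dport} x{n}")
```

A host that shows up in both tables is the case Friedhelm has in mind: traffic volume and repeated denies against the same address viewed side by side from the one place all traffic passes.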