
Firewall log analysis

IP.com Disclosure Number: IPCOM000016340D
Original Publication Date: 2002-Nov-10
Included in the Prior Art Database: 2003-Jun-21
Document File: 2 page(s) / 40K

Publishing Venue

IBM

Abstract

Problem : A firewall connected to the Internet is subject to attacks/scans. These attacks will be recorded by the firewall in its logs. The discovery of these attacks can be done by RTIDS (Real-Time Intrusion Detection Systems) or by manual review of the firewall logs.



Both methods have their disadvantages or inconveniences :
- RTID systems are often not justifiable for low-risk types of Internet connections. Also, some types of attacks are designed to avoid detection by RTIDS.
- Manual review of the firewall logs is labor intensive : on a single day, a firewall log can contain thousands of denied network packets. The bulk of these packets are rather harmless, but finding the 3 packets that are a real threat is a cumbersome operation. When the environment consists of multiple heterogeneous firewalls, the complexity of the problem increases further when searching for attacks that address multiple firewalls.

Solution :

A method is disclosed that addresses the above problem and can be implemented using simple tools such as text processing systems or spreadsheets. The disclosed method is also independent of firewall brand and can be applied in a heterogeneous firewall environment. The firewall logs are converted to a common representation. After conversion, by performing sort operations, it is easy to identify the types of attacks, the attackers and the targets of the attacks.
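The following is an added example, not part of the IBM disclosure, showing the convert / sort / interpret pipeline in Python. The two log syntaxes, the firewall names (fw-a, fw-b), the addresses and the sample lines are all constructed for the example and are not real vendor formats or real traffic; the thresholds in interpret() are assumptions a reviewer would tune to their own environment.

```python
"""
Added example (not from the disclosure): convert heterogeneous firewall deny
logs to one common record layout, sort them so related packets are adjacent,
then interpret the sorted data to find likely scanners, their targets and the
firewalls they touched.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class DenyRecord(NamedTuple):
    """Common representation every firewall line is converted to."""
    firewall: str
    timestamp: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Two hypothetical log syntaxes, constructed for this example (not real vendor formats).
# Style A: "2002-11-10T01:02:03 fw-a DENY tcp 198.51.100.7:4455 -> 203.0.113.10:22"
STYLE_A = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) DENY (?P<proto>\w+) "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)$"
)
# Style B: "fw-b|2002-11-10 01:02:05|drop|proto=udp|src=198.51.100.7|spt=1|dst=203.0.113.20|dpt=53"
STYLE_B = re.compile(
    r"^(?P<fw>[^|]+)\|(?P<ts>[^|]+)\|drop\|proto=(?P<proto>\w+)\|"
    r"src=(?P<sip>[\d.]+)\|spt=(?P<sport>\d+)\|dst=(?P<dip>[\d.]+)\|dpt=(?P<dport>\d+)$"
)

# Constructed sample log: one source probing several ports on fw-a and DNS on fw-b,
# plus two sources that each produced a single harmless denied packet.
SAMPLE_LOG: List[str] = [
    "2002-11-10T01:02:03 fw-a DENY tcp 198.51.100.7:4455 -> 203.0.113.10:21",
    "2002-11-10T01:02:03 fw-a DENY tcp 198.51.100.7:4456 -> 203.0.113.10:22",
    "2002-11-10T01:02:04 fw-a DENY tcp 198.51.100.7:4457 -> 203.0.113.10:23",
    "2002-11-10T01:02:04 fw-a DENY tcp 198.51.100.7:4458 -> 203.0.113.10:25",
    "2002-11-10T01:02:04 fw-a DENY tcp 198.51.100.7:4459 -> 203.0.113.10:80",
    "2002-11-10T01:02:05 fw-a DENY tcp 198.51.100.7:4460 -> 203.0.113.10:443",
    "2002-11-10T01:02:09 fw-a DENY udp 192.0.2.5:137 -> 203.0.113.10:137",
    "fw-b|2002-11-10 01:02:05|drop|proto=udp|src=198.51.100.7|spt=1|dst=203.0.113.20|dpt=53",
    "fw-b|2002-11-10 01:03:11|drop|proto=udp|src=192.0.2.9|spt=123|dst=203.0.113.20|dpt=123",
    "fw-b|2002-11-10 01:03:12|accept|proto=tcp|src=192.0.2.9|spt=40000|dst=203.0.113.20|dpt=443",
]


def convert(line: str) -> Optional[DenyRecord]:
    """Conversion module: map one raw line to the common layout, or None if it is not a deny."""
    for pattern in (STYLE_A, STYLE_B):
        m = pattern.match(line.strip())
        if m:
            return DenyRecord(m["fw"], m["ts"], m["proto"].lower(), m["sip"],
                              int(m["sport"]), m["dip"], int(m["dport"]))
    return None


def sort_records(records: List[DenyRecord]) -> List[DenyRecord]:
    """Sort module: order by attacker, target, port, time so related packets sit together."""
    return sorted(records, key=lambda r: (ipaddress.ip_address(r.src_ip),
                                          ipaddress.ip_address(r.dst_ip),
                                          r.dst_port, r.timestamp))


def interpret(records: List[DenyRecord], scan_threshold: int = 5) -> Dict[str, dict]:
    """Interpretation module: per source, count distinct ports, targets and firewalls.
    scan_threshold is an assumed tuning value, not a figure from the disclosure."""
    by_src = defaultdict(lambda: {"ports": set(), "targets": set(), "firewalls": set(), "packets": 0})
    for r in records:
        s = by_src[r.src_ip]
        s["ports"].add(r.dst_port)
        s["targets"].add(r.dst_ip)
        s["firewalls"].add(r.firewall)
        s["packets"] += 1
    findings: Dict[str, dict] = {}
    for src, s in by_src.items():
        kinds = []
        if len(s["ports"]) >= scan_threshold:
            kinds.append("port-scan")        # many ports on few hosts
        if len(s["targets"]) >= scan_threshold:
            kinds.append("host-sweep")       # one port across many hosts
        if len(s["firewalls"]) > 1:
            kinds.append("multi-firewall")   # same source seen by more than one firewall
        findings[src] = {"packets": s["packets"], "distinct_ports": len(s["ports"]),
                         "distinct_targets": len(s["targets"]),
                         "firewalls": sorted(s["firewalls"]), "kinds": kinds}
    return findings


def analyze(lines: List[str]) -> Dict[str, dict]:
    """Run the three modules end to end over raw log lines from any number of firewalls."""
    records = [r for r in (convert(ln) for ln in lines) if r is not None]
    return interpret(sort_records(records))


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG).items():
        print(f"{src:15} packets={f['packets']:3} ports={f['distinct_ports']:3} "
              f"firewalls={','.join(f['firewalls'])} {f['kinds']}")
```

The sorted output alone already makes the scan visible to a human reviewer (the seven packets from 198.51.100.7 become a contiguous run); interpret() just counts what the sort placed together, which is exactly what a spreadsheet pivot over the same columns would do.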

Technical details :

The solution consists of three modules : a conversion module, a sort module and an interpretation module.

    Conversion module : When a network packet is blocked on a firewall, a log...