Last Updated: 2010-02-24 00:46:10 UTC
by Mark Hofman (Version: 1)
As part of our operational processes there is typically a line item stating "Review Firewall Logs". This is a requirement in many different standards and most people will have it down as a task to do. However we all know that there are way more interesting things to do rather than looking at log files. Unless you have some nice tools, it is one task that soon sends junior mad.
In trying to save Junior's sanity and basically because I am one of those people that actually likes looking at logs (I know, I have no life) I was going through some firewall logs. They never disappoint. There are the usual port scans happening for various ports:
18.104.22.168 13845 aaa.bbb.ccc.0 22 TCP
22.214.171.124 13845 aaa.bbb.ccc.6 22 TCP
126.96.36.199 13845 aaa.bbb.ccc.21 22 TCP
188.8.131.52 13845 aaa.bbb.ccc.12 22 TCP
184.108.40.206 13845 aaa.bbb.ccc.20 22 TCP
220.127.116.11 13845 aaa.bbb.ccc.10 22 TCP
18.104.22.168 13845 aaa.bbb.ccc.41 22 TCP
The usual hits on ports 135/137/139/445/1433/1434/25 can be found in the log file and there are the at the moment plenty of hits on 3306 for MySQL. A more unusual port to be hit was UDP 7 and TCP 249. UDP 7 was associated with some checks from a University (http://isc.sans.org/diary.html?storyid=4660), but I have yet to confirm this is the case here. TCP249 however isn't that common and If you do have some captures of traffic to TCP 249 I'd be interested in seeing them. There were also a number of high ports being hit, after chasing these down, in this environment, they were associated with torrent and Skype traffic.
It is also interesting to check the outbound traffic. Having a look to see what is trying to leave the network can also be enlightening. Torrent traffic seems to be fairly prevalent in the the logs I'm looking at, alas all it highlighted is that we'll have to do a regular dump of the NAT table so we can correlate the info and tag the internal user that is being silly. The logs can show you which machines talk to the internet and for what reason. They teach you what is normal in your network, something not easily achieved by using automated tools. People are still better than machines at identifying "weird". If you have the capacity you should consider logging not just denied traffic, but also allowed traffic on the firewall. Many attacks will try and sneak through, if you log all traffic you may be able to identify it.
When junior starts to shake and make strange noises that indicate the removal of all sharp objects from the office is needed, take a walk through your logs and get a feel for the "street" as it were. I can guarantee you will learn something. It may be something as exciting as a new attack, or as mundane as finding out some of your processes aren't working or being followed. You could even discover that some of your expensive tools aren't quite telling you the whole truth. Every now and then, take out your command prompt, find the grep man page and go nuts.