As Jim wrote in yesterday's diary, there are several good tools available to check for suspicious patterns in your log files. But every now and then, vendor marketing decisions will throw you a curve ball - like happened to me when we upgraded a Cisco PIX to one of the shiny new "Adaptive Security Appliances (ASA)" from same vendor. Yes it does come with a few new features, but pretty much still looks like a PIX. Except for one little detail:
Sep 10 08:22:07 raz1-fw Sep 10 08:22:07 %PIX-3-313001: Denied ICMP type=8, code=0 from 67.x.y.z on interface outside
Sep 10 23:45:15 raz1-fw Sep 10 23:45:15 %ASA-3-313001: Denied ICMP type=8, code=0 from 64.x.y.z on interface outside
Anyone spot the difference? At least exchanging %PIX against %ASA in all log filtering regexpes is something that can be done with a script on SEC and its Bleedingsnort rules. But if you are using an off the shelf (closed source) log "correlation" product and happen to upgrade your Cisco Firewall, be wary of the peace and quiet that will set in on your alert screen...
Sep 11th 2006
1 decade ago