Firewall Activity analysis
From: Terry Ziemniak <tmz(at)hawk.swc.com>
Date: Wed Dec 11 2002 - 11:00:29 EST
I have been working on firewall activity analysis for Pix firewalls for a while. I have written a perl script that parses the log files and puts all of the data into an Access database. This allows me to run queries such as “List all successful TCP connections for everyone who had more than 1 explicit denied connection”. This is an explicit (rigid?) way to flag bad behavior. However, I was wondering if it makes sense (now that all of the data is in a database) to attempt statistical analysis of this data to flag bad behavior. I could look at the HTTP bytes, or number of connections, or time (etc.) and flag source IPs that deviate from the norm by a certain amount. I could do this without setting hard limits (such as ‘list the top 1% incoming HTTP users’), which would limit the amount of IPs flagged as bad. Of course this would be applicable to any protocol. The goal of this is to flag suspicious communications that should be more thoroughly investigated.
At this point this is a mental exercise, but I was wondering if anyone had any thoughts or opinions on the matter.
Thanks. Terry
Received on Wed Dec 11 13:35:51 2002
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:04 EDT
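The two detection approaches in the post (the explicit "more than one deny" query and the statistical "deviates from the norm" flag) side by side, as an added example that is not from the original message or Terry's script. It uses Python and an in-memory SQLite table instead of his Perl-and-Access setup. The log lines are constructed, simplified imitations of the PIX 106023 (deny) and 302013 (built TCP connection) syslog messages, the per-source metric is connection count (the same code runs unchanged against bytes or any other per-source metric once that column exists), and the 1.5 standard-deviation threshold is an assumption chosen to suit the toy data.

```python
import re
import sqlite3
import statistics

# --- constructed sample data (not real firewall logs) ----------------------
def _built(src, sport, dst, dport, cid):
    """Simplified PIX 302013 'Built ... TCP connection' line."""
    return (f"%PIX-6-302013: Built inbound TCP connection {cid} for "
            f"outside:{src}/{sport} ({src}/{sport}) to inside:{dst}/{dport} ({dst}/{dport})")

def _deny(src, sport, dst, dport):
    """Simplified PIX 106023 'Deny' line."""
    return (f"%PIX-4-106023: Deny tcp src outside:{src}/{sport} "
            f'dst inside:{dst}/{dport} by access-group "outside_in"')

# (source, number of built connections, number of explicit denies) -- constructed.
SPEC = [("10.0.0.5", 3, 2), ("10.0.0.6", 2, 1), ("10.0.0.7", 1, 0),
        ("10.0.0.8", 8, 0), ("10.0.0.9", 2, 0)]

SAMPLE_LOGS = []
_cid = 100
for _src, _built_n, _deny_n in SPEC:
    for _i in range(_built_n):
        _cid += 1
        SAMPLE_LOGS.append(_built(_src, 40000 + _i, "192.168.1.20", 80, _cid))
    for _i in range(_deny_n):
        SAMPLE_LOGS.append(_deny(_src, 41000 + _i, "192.168.1.10", 22))

# --- parser: log line -> (action, proto, src, dst, dport) -------------------
DENY_RE = re.compile(r"%PIX-\d-106023: Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")
BUILT_RE = re.compile(r"%PIX-\d-302013: Built \w+ TCP connection \d+ for "
                      r"\w+:([\d.]+)/\d+ \([^)]*\) to \w+:([\d.]+)/(\d+)")

def parse_line(line):
    """Return a normalised event tuple, or None for lines we do not model."""
    m = DENY_RE.search(line)
    if m:
        return ("deny", m.group(1).lower(), m.group(2), m.group(3), int(m.group(4)))
    m = BUILT_RE.search(line)
    if m:
        return ("built", "tcp", m.group(1), m.group(2), int(m.group(3)))
    return None

def load_events(lines):
    """Parse the lines into an in-memory SQLite table (stand-in for the Access DB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (action TEXT, proto TEXT, src TEXT, dst TEXT, dport INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?)",
                     [r for r in map(parse_line, lines) if r is not None])
    conn.commit()
    return conn

# --- approach 1: the explicit query from the post ---------------------------
def connections_of_repeat_offenders(conn, more_than=1):
    """Successful TCP connections for every source with more than `more_than` denies."""
    sql = """
        SELECT src, dst, dport FROM events
        WHERE action = 'built' AND proto = 'tcp'
          AND src IN (SELECT src FROM events WHERE action = 'deny'
                      GROUP BY src HAVING COUNT(*) > ?)
        ORDER BY src, dst, dport"""
    return conn.execute(sql, (more_than,)).fetchall()

# --- approach 2: statistical deviation from the norm ------------------------
CONNECTIONS_PER_SOURCE = "SELECT src, COUNT(*) FROM events WHERE action = 'built' GROUP BY src"

def statistical_outliers(conn, metric_sql=CONNECTIONS_PER_SOURCE, threshold=1.5):
    """Flag sources whose metric lies more than `threshold` population standard
    deviations above the mean. Returns (src, value, z_score) tuples."""
    rows = conn.execute(metric_sql).fetchall()
    values = [v for _, v in rows]
    if len(values) < 2:
        return []
    mean, sd = statistics.mean(values), statistics.pstdev(values)
    if sd == 0:            # every source behaves identically: nothing deviates
        return []
    return [(src, v, round((v - mean) / sd, 2)) for src, v in rows
            if (v - mean) / sd > threshold]

if __name__ == "__main__":
    db = load_events(SAMPLE_LOGS)
    print("explicit rule:", connections_of_repeat_offenders(db))
    print("statistical  :", statistical_outliers(db))
```

With the constructed data the explicit rule returns only the three connections from 10.0.0.5 (two denies), while 10.0.0.6 with a single deny is not reported; the statistical pass flags 10.0.0.8 alone, whose eight connections sit about 1.9 standard deviations above the mean even though it never tripped an ACL. Two caveats for real data: connection and byte counts are heavily skewed, so one very busy source inflates the standard deviation and hides smaller anomalies (a median-and-MAD variant is more robust), and the threshold should be tuned per protocol and time window rather than fixed globally.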