From: Ajit Kunjal (akunjal~AT~rci.rutgers.edu)
Date: Wed Nov 26 2003 - 19:04:36 CET
I am rather new to the "report generation" world. So, kindly excuse my ignorance in some matters. We are using logs from our Cisco PIX firewall to generate the reports. My experiences are listed below. If you can help me to get on the right track, I would really appreciate it. The versions of Analog and Fwanalog are 5.32 and 0.6.3 respectively.
Nov 18 07:10:17 xyz.rutgers.edu Nov 18 2003 08:05:06: %PIX-4-106023: Deny udp src outside:220.127.116.11/68 dst inside:xxx. xxx.99.74/67 by access-group "inbound"
Nov 18 07:10:15 xyz.rutgers.edu Nov 18 2003 08:05:04: %PIX-3-106010: Deny inbound udp src outside:18.104.22.168/138 dst in side:xxx.xxx.99.127/138
The PIX-4 entries work fine, however, all of the PIX-3 entries are ignored and marked as erroneous by Analog. Is it because the formats are of a different type? Is there any way to fix this within Fwanalog or would I have to "sanitise" the logs before I give it to Fwanalog for processing?
2) The Blocked Packet Report gives the list of "Destination" hosts and the Packet Source Host Report gives a list of the "Source" hosts. Is this observation correct?
3) Is there any way that I can get a listing of the Class C addresses of the intruding source hosts? The Organization Report seems to give the Class B addresses.
4) Is it possible to get a report with the Source and Destination hosts together? Or is this option limited by Analog's definition of it's input?
5) Is it possible to sort the Blocked Packet Report based on the port numbers rather than the number of blocks? This is useful when you would want to see which hosts are exhibiting a particular vulnerability.
This archive was generated by hypermail 2.1.5 : Wed Nov 26 2003 - 19:22:03 CET