Firewall Wizards mailing list archives

RE: Log checking?

From: "Ben Nagy" <ben () iagu net>
Date: Wed, 29 Sep 2004 11:58:13 +0200

I think there is some mileage to be had in logging the volume of denied
outbound traffic over time. Spikes in things like IRC, HTTP to funny ports,
TFTP etc can be great indicators of infection with various kinds of malware.
And of course all that stuff would already be blocked outbound, right? ;)

I was just talking to a customer about ten minutes ago who identified a new
agobot variant that way.

I would agree that logging denied inbound is good for nothing but wasting
disk space and the occasional chuckle, unless you are interested in helping
people like ISC graph global attack trends.

I think that there are even some commercial systems that do this for a
living, but I don't know very much about them.

Cheers,

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Log checking?, (continued)
- Re: Log checking? Adrian Grigorof (Sep 30)
- Re: Log checking? ArkanoiD (Sep 30)
- Re: Log checking? Paul D. Robertson (Sep 30)
- Re: Log checking? Devdas Bhagat (Sep 30)
- Re: Log checking? Mark Tinberg (Sep 30)
  - Re: Log checking? Paul D. Robertson (Sep 30)
- RE: Log checking? Desai, Ashish (Sep 28)
  - Re: Log checking? Adam Shostack (Sep 28)
- RE: Log checking? Luke Butcher (Sep 28)
  - RE: Log checking? Paul D. Robertson (Sep 28)
    - RE: Log checking? Ben Nagy (Sep 30)
    - RE: Log checking? Marcus J. Ranum (Sep 30)
- RE: Log checking? Rodel Collado Urani (Sep 30)
- RE: Log checking? Fiamingo, Frank (Sep 30)
- RE: Log checking? Larry Pitcher (Sep 30)
- RE: Log checking? Luke Butcher (Sep 30)
  - RE: Log checking? Paul D. Robertson (Sep 30)