RE: What are the best open source cisco pix log analyzers?

["Robertson, Seth (JSC-IM)" <Seth.Robertson-1 () nasa gov>]

For the record I'll disagree with my own comment "there aren't any",
which was hasty. From what I know there are a much broader set of viable
options in the Linux/UNIX world than for the Windows platform...the last
time I reviewed open source firewall log analysis products the customer
insisted on a Windows server so that limited my options considerably,
and that biased my response.  That requirement is totally inappropriate
in pine's case because the two products he mentioned are Linux/UNIX.

The two links that people sent to syslog.org and loganalysis.org are the
best lists that I've come across. Again, I'm going to bite my tongue for
saying this (because it's obvious), but if you HAVE to use a Windows
machine your free/open source options are greatly limited. CiscoWorks is
great if you have the money (and it WILL cost you). I can't say you'll
need an inordinate amount more time molding an open source product to do
what you want than you would using CiscoWorks, but it will take more
time and there's obviously a different skillset required.  It will take
much less money though!

Mike didn't say it in respect of a NDA but I'll say from public
knowledge and from talking with friends there: Yahoo! uses a good deal
of open source (e.g., they're public about FreeBSD, MySQL AB) and more
power to them!  Open source was my bread and butter for some years and
I've done a tiny part here and there to contribute it too.  What I
should have said was that in my opinion there is no "Snort" of firewall
log analysis which basically dominates commercial alternatives.


Seth Robertson


-----Original Message-----
From: Mike Sweeney [mailto:mikesweeney () packetattack com] 
Sent: Wednesday, June 14, 2006 9:45 AM
To: Jeff Dell
Cc: Robertson, Seth (JSC-IM); focus-ids () securityfocus com
Subject: Re: What are the best open source cisco pix log analyzers?


On Jun 13, 2006, at 1:24 PM, Jeff Dell wrote:

> > Good luck, I'm afraid there basically aren't any.  There is the 
> > Honeynet Security Console and a Perl script called FISQ which is used

> > to import log data into the HSC database, but I didn't have much luck

> > with it.
> > For example, the name of the table my firewall data was stored in was

> > longer than 16 characters, which violated an undocumented requirement

> > for HSC to be able read data from it.  A cheap alternative is 
> > FireGen, which runs about $200.  It produces pretty good reports, but

> > isn't customizable.

Thats a funny comment given that a very large search engine company does
their own log file analysis using an inhouse tweaked open source
application. And no, I'm not going to say who or what since it is not
clear to me what exactly the NDA during the interview covered. So I have
to disagree with the comment "there arent any".  There some good ones IF
you will put in the time and effort to dial it into your needs.

Firegen is so-so. I used it for about a year on PIX firewalls and while
it worked most of the time, it was picky about how the server was set
up. It does not like terminal servers much which caused some pain.

mikesweeney () packetattack com
www.packetattack.com
Home of "Network Security using Linux"




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------