Security Incidents mailing list archives

Re: INCIDENTS Digest - 8 Jun 2000 to 9 Jun 2000 (#2000-109)


From: mhoz () CITI COM MX (Martin H Hoz-Salvador)
Date: Sat, 10 Jun 2000 19:56:16 -0500


Chew Poh Chang (CAPL) wrote:

> I am specifically looking for something that lets me focus on the Security
> incidents in the log (as (initially) shown by Scans). I have other logs
> that show me attempts against Bind, Syslog, SMTP etc, but the tools for
> Firewall-1 seem to be focussed towards Mgmt & accounting, not security.

What version of FireWall-1 are you using? Check Point 2000 (CP FW-1 ver 4.1 SP1)
has the so-called "Malicious Activity Detection" or MAD, which has the capability
to detect the most widely known network-based attacks such as SYN Flood,
Network Probes, Land Attack and others. This is not a replacement for an
IDS, but it does some of that job. :-)

Another thing: The way you configured your FW rules and properties may affect
the way you get alerts. Example: Do you have user/session/client
authentication? If so, do you have the proper settings to get info for an
invalid user logon? Do you use SYN-Defender?   :-)

Now, the Reporting Module offered by Check Point can automate some of the
job. The bad thing: it costs. :-(


> I am hoping that someone has a perl script that they already use for this...

Now, you may want to take a look at Lance's Perl script described at:

http://www.enteract.com/~lspitz/intrusion.html

It's nice and it's Perl. :-) There are also other versions of that
tool whose URLs are listed there.

Just as a comment: if you have FireWall-1, you may want to take a look at
the IDS from ISS (RealSecure), which has good integration with FW-1 and is
one of the most used IDSs.

Hope this helps. Regards.

--
Martin Humberto Hoz Salvador
Information Security Consultant (ISS ICU, Check Point CCSE)
Corporacion en Investigacion Tecnologica e Informatica, S.A. de C.V.
Sendero Sur  285  Col. Contry,  Monterrey,  Nuevo Leon 64860, MEXICO
Phone: +(52)(8) 357-2267 x135   Fax: +(52)(8) 357-8047
E-mail: mhoz () citi com mx        WWW:  http://www.citi.com.mx
PGPKey ID: 0x0454E8D9           ICQ Number: 31631540
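The request quoted in this message was for a script that pulls the security-relevant events (scans and probes) out of a FireWall-1 log rather than the management and accounting view. The following is an added example written for this archive page; it is not code from the original thread, from Lance Spitzner's tool or from Check Point. It is a Python sketch rather than Perl, and it assumes a semicolon-separated `fw logexport`-style layout with the header row shown in the sample. The log lines, host addresses and thresholds are all constructed for the example; the two heuristics it implements (one source hitting many ports on one host, one source hitting one service on many hosts, each within a sliding time window) are the author's, not a description of how MAD or any particular product works.

```python
"""Scan/probe detection over FireWall-1 style log export lines.

Assumptions (not from the original post): the export is semicolon-separated
with a header row naming at least date, time, action, src, dst and service,
and dates look like 10Jun2000 19:01:02. Sample data below is constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (hypothetical hosts, RFC 5737 documentation addresses).
SAMPLE_LOG = """\
num;date;time;orig;type;action;i/f_name;proto;src;dst;service;s_port
1;10Jun2000;19:01:02;fw1;log;accept;eth0;tcp;10.1.1.5;192.0.2.10;http;34022
2;10Jun2000;19:01:03;fw1;log;drop;eth0;tcp;203.0.113.7;192.0.2.10;ftp;40001
3;10Jun2000;19:01:03;fw1;log;drop;eth0;tcp;203.0.113.7;192.0.2.10;ssh;40002
4;10Jun2000;19:01:04;fw1;log;drop;eth0;tcp;203.0.113.7;192.0.2.10;telnet;40003
5;10Jun2000;19:01:04;fw1;log;drop;eth0;tcp;203.0.113.7;192.0.2.10;smtp;40004
6;10Jun2000;19:01:05;fw1;log;drop;eth0;tcp;203.0.113.7;192.0.2.10;http;40005
7;10Jun2000;19:05:10;fw1;log;drop;eth0;udp;198.51.100.4;192.0.2.1;domain-udp;1234
8;10Jun2000;19:05:10;fw1;log;drop;eth0;udp;198.51.100.4;192.0.2.2;domain-udp;1234
9;10Jun2000;19:05:11;fw1;log;drop;eth0;udp;198.51.100.4;192.0.2.3;domain-udp;1234
10;10Jun2000;19:05:11;fw1;log;drop;eth0;udp;198.51.100.4;192.0.2.4;domain-udp;1234
11;10Jun2000;19:05:12;fw1;log;drop;eth0;udp;198.51.100.4;192.0.2.5;domain-udp;1234
12;10Jun2000;19:07:00;fw1;log;drop;eth0;tcp;203.0.113.99;192.0.2.10;telnet;51000
13;10Jun2000;20:30:00;fw1;log;drop;eth0;tcp;203.0.113.7;192.0.2.10;pop-3;40006
14;10Jun2000;19:08:00;fw1;log;accept;eth0;tcp;10.1.1.6;192.0.2.10;smtp;34023
"""


def parse_logexport(text):
    """Parse the export into a list of dicts, adding a datetime under 'when'.
    Rows whose date/time cannot be parsed are skipped rather than crashing
    the run, since a scan report should survive one malformed line."""
    events = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        try:
            row["when"] = datetime.strptime(
                f"{row['date']} {row['time']}", "%d%b%Y %H:%M:%S")
        except (KeyError, TypeError, ValueError):
            continue
        events.append(row)
    return events


def find_incidents(events, port_threshold=5, host_threshold=5, window_seconds=60):
    """Look only at dropped/rejected traffic, group it by source, and report
    (a) port_scan: one source hits >= port_threshold distinct services on one
        destination host within window_seconds, and
    (b) host_sweep: one source hits one service on >= host_threshold distinct
        destination hosts within window_seconds.
    Each kind is reported at most once per source."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for e in events:
        if e.get("action", "").lower() in ("drop", "reject"):
            by_src[e["src"]].append(e)

    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["when"])
        found = set()
        for i, start in enumerate(evs):
            # Sliding window anchored on each event; the list is sorted so
            # only later events need to be checked.
            win = [e for e in evs[i:] if e["when"] - start["when"] <= window]
            services_per_host = defaultdict(set)
            hosts_per_service = defaultdict(set)
            for e in win:
                services_per_host[e["dst"]].add(e["service"])
                hosts_per_service[e["service"]].add(e["dst"])
            for dst, services in services_per_host.items():
                if "port_scan" not in found and len(services) >= port_threshold:
                    found.add("port_scan")
                    incidents.append({"kind": "port_scan", "src": src, "target": dst,
                                      "count": len(services), "first": start["when"],
                                      "last": win[-1]["when"]})
            for svc, hosts in hosts_per_service.items():
                if "host_sweep" not in found and len(hosts) >= host_threshold:
                    found.add("host_sweep")
                    incidents.append({"kind": "host_sweep", "src": src, "target": svc,
                                      "count": len(hosts), "first": start["when"],
                                      "last": win[-1]["when"]})
    return incidents


if __name__ == "__main__":
    for inc in find_incidents(parse_logexport(SAMPLE_LOG)):
        print(f"{inc['kind']:10} from {inc['src']:14} -> {inc['target']:12} "
              f"{inc['count']} distinct, {inc['first']:%H:%M:%S}-{inc['last']:%H:%M:%S}")
```

In the constructed sample the window matters: 203.0.113.7 touches six distinct services in total, but only five fall inside any 60-second window, so raising `port_threshold` to 6 makes the port scan disappear. The single telnet drop from 203.0.113.99 is not reported, which is the point of grouping by source rather than alerting on every drop. Against a real export you would feed the output of `fw logexport` in instead of the embedded string, check the header names match your version's layout, and tune the thresholds to your own baseline of background noise.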