Thursday, May 04, 2006

Why Analyze Firewall Logs?

I don't know how many times I've heard network admins say something to the effect of "Don't waste your time looking at firewall logs". Sure, I can ignore them like everyone else, and sometimes I have to, because I have to get other work done. But here is one of the benefits of analyzing your firewall logs periodically.

When I first reviewed the logs there were about 26,000 hits in one day. I went through the ports and errors and found some mail problems: DNS records that were missing MX records, and a newsletter that wasn't allowing bounces through. I was able to reduce that to about 1,000 per day.

By further analyzing the logs, blocking Asian hacker IPs and reporting hackers to their networks for a couple of days, I was able to get that down to about 450.

Here's our China Hacker Database (also Taiwan, Korea, etc.).

Maybe if I used one of those automated programs and had more time I could get that down even further. I did notice, however, that the automated program mentioned in this blog only sends an abuse report after a certain threshold is reached, and that is probably why a lot of hackers are sending one line at a time. So sometimes further analysis is needed even when you have an automated program helping you out.

So how are hacker wannabes reported? Go to your firewall log and cut and paste the lines with the time, date, incoming IP and port, and outgoing IP and port into an email. Copy the incoming IP, look it up at DNSStuff.com, copy the abuse email address, and send it out. State the time zone of your timestamps in the email, since the abuse desk has to match them against its own records. Of course this only works for low-volume situations, but if everyone started doing this the networks would have patterns to track down abuses from multiple people.
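Here is an added example, not tooling from this post, that does the two things described above: it tallies dropped connections per source IP and flags the "one line at a time" sources that a per-day threshold would never report, and it drafts the abuse email from the matching log lines. The log format, the sample lines (documentation-range addresses) and the UTC assumption are all constructed for the example; the abuse contact is something you still look up yourself (whois or DNSStuff.com, as above) and pass in, since the script does no network lookups.

```python
"""Summarise a firewall log by source IP and draft an abuse report.

Added example, not the post's own tooling.  The log format below is an
assumed generic "DATE TIME ACTION PROTO SRC:PORT -> DST:PORT" layout;
adapt LINE_RE to whatever your firewall actually writes.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
2006-05-02 03:14:07 DROP TCP 203.0.113.45:3412 -> 192.0.2.10:1433
2006-05-03 03:14:11 DROP TCP 203.0.113.45:3413 -> 192.0.2.10:1433
2006-05-04 03:14:02 DROP TCP 203.0.113.45:3414 -> 192.0.2.10:1433
2006-05-04 09:22:15 DROP TCP 198.51.100.7:1025 -> 192.0.2.10:135
2006-05-04 09:22:15 DROP TCP 198.51.100.7:1026 -> 192.0.2.10:139
2006-05-04 09:22:16 DROP TCP 198.51.100.7:1027 -> 192.0.2.10:445
2006-05-04 09:22:16 DROP TCP 198.51.100.7:1028 -> 192.0.2.10:1433
2006-05-04 09:22:17 DROP TCP 198.51.100.7:1029 -> 192.0.2.10:3306
2006-05-04 11:05:40 DROP UDP 192.0.2.200:53 -> 192.0.2.10:1040
2006-05-04 12:00:01 ACCEPT TCP 203.0.113.9:55101 -> 192.0.2.10:25
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
LINE_RE = re.compile(
    r"^(\S+) (\S+) (\w+) (\w+) " + IP + r":(\d+) -> " + IP + r":(\d+)$"
)


def parse_log(text):
    """Parse log text into a list of dicts; lines that don't match are skipped."""
    records = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        date, time_, action, proto, src, sport, dst, dport = m.groups()
        records.append({
            "date": date, "time": time_, "action": action, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "raw": raw,
        })
    return records


def dropped_by_source(records):
    """Count DROP lines per source IP (the noisy scanners float to the top)."""
    return Counter(r["src"] for r in records if r["action"] == "DROP")


def low_and_slow(records, per_day_threshold=3, min_days=2):
    """Sources that never reach per_day_threshold drops on any single day
    but keep returning on at least min_days distinct days.  A per-day
    threshold alone would never report these."""
    per_day = defaultdict(Counter)          # src -> Counter(date -> drops)
    for r in records:
        if r["action"] == "DROP":
            per_day[r["src"]][r["date"]] += 1
    return sorted(
        src for src, days in per_day.items()
        if len(days) >= min_days and max(days.values()) < per_day_threshold
    )


def draft_abuse_report(records, src, abuse_contact, reporter):
    """Build the email described in the post: the raw log lines for one source
    IP, addressed to the abuse contact looked up for that IP.  abuse_contact
    is supplied by the caller (whois/DNSStuff); nothing is looked up here."""
    hits = [r for r in records if r["src"] == src and r["action"] == "DROP"]
    if not hits:
        raise ValueError(f"no dropped traffic from {src} in this log")
    ports = sorted({r["dport"] for r in hits})
    body = "\n".join([
        f"From: {reporter}",
        f"The host {src} on your network probed ports {ports} on our firewall.",
        "Timestamps are UTC (assumption for this example; state your own zone).",
        "Firewall log excerpt:",
        "",
        *[r["raw"] for r in hits],
    ])
    return {"to": abuse_contact,
            "subject": f"Abuse report: port scans from {src}",
            "body": body}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, n in dropped_by_source(recs).most_common():
        print(f"{n:5d}  {ip}")
    print("low-and-slow sources:", low_and_slow(recs))
    print(draft_abuse_report(recs, "203.0.113.45",
                             "abuse@example.net", "admin@example.com")["body"])
```

Run against the sample, the per-day threshold alone would only surface 198.51.100.7 (five drops in one morning), while low_and_slow catches 203.0.113.45, which sends one probe a night to the same port and never trips a daily count. That is the case the post says still needs a human looking at the log.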

That's my take on why analyzing your firewall logs periodically is a good idea!