What to Look for in Firewall Logs

After you have collected the firewall logs and begun the process of analyzing them, determine what you should be looking for in the logs. With that said, it is important to remember not to fall into the trap of looking in your firewall logs only for "bad" events. Yes, firewall logs can be the key element in discovering incidents and compromises, but that is only one of the reasons for analyzing your logs. You also want to use the log information to assist in defining the baselines and normal operations of the firewall. One of the easiest ways to know whether behavior that has been logged is malicious is to know what the good behavior looks like and then note the exceptions.

The simple fact of the matter is that certain events should always raise suspicion when they are detected. The most common events that warrant further investigation are as follows:

• Authentication allowed.

• Traffic dropped (not addressed to the firewall).

• Firewall stop/start/restart.

• Firewall configuration changed.

• Interface up/down status changed.

• Administrator access granted.

• Connection was torn down.

• Authentication failed.

• Traffic dropped (addressed to the firewall).

• Administrator session ended.

The following sections explain these events in more detail.

Authentication Allowed

Although it may seem rather innocuous at first glance, it is important to look for authentication-allowed events because they can identify situations where access was granted by the firewall when it should not have been allowed. The reasons can range from legitimate administrators logging on when they should not have to users logging on after compromising the account and password that they are using.

In addition, if your firewall is configured to authenticate user access, this event can be used to identify which users have been authenticated for whatever function they are attempting to perform.

Traffic Dropped (Not Addressed to the Firewall)

Most firewalls will have some resources that they are protecting. Traffic addressed to these servers will be processed by the firewall and filtered accordingly. Although traffic-dropped messages can indicate that someone is attempting to access a protected resource in a manner other than what the firewall administrator has defined, a common cause of this event is a simple misconfiguration of the ruleset. Therefore, if users cannot access protected resources, it is important to review the logs to determine whether the firewall is dropping the traffic, thereby pointing you in the direction of what may need to be fixed to provide access to the resources requested.

Firewall Stop/Start/Restart

The firewall should never stop, start, or restart without the firewall administrator knowing in advance that the situation is going to occur. This event can be caused by non-firewall-specific issues such as power failures as well as by firewall-specific issues such as the firewall crashing or a high-availability failover, and therefore should always be investigated in more detail to ascertain the root cause.

Firewall Configuration Changed

Almost all firewall configuration changes should be accompanied by the appropriate change control documentation. This event always warrants further investigation to ensure that the changes that were made are legitimate and in accordance with expected results. In fact, many SIM products can be configured to perform a comparison of the changed configuration against a "known good" configuration when a firewall configuration changed event occurs. Some products, such as NetIQ Security Manager, can actually use that to attempt to undo the changes that were made if they are found to be out of compliance with the known good configuration.

Interface Up/Down Status Changed

Firewall interfaces transitioning from an up to a down status and vice versa can indicate problems with the underlying network configuration. This information can prove particularly helpful in situations where firewalls are implemented, because the network interfaces transitioning to a down state could cause the failover process to occur.

Administrator Access Granted

Whenever administrator access is granted, the corresponding event should be investigated. Although this is similar to monitoring for authentication, in this case we are looking explicitly at gaining administrator access. Typically, the access is expected, and there is nothing suspicious or out of order that warrants further review. However, if that is not the case, this event rapidly becomes an extremely high-priority situation that must be investigated, because the implication can be that an administrator account has been compromised.

Connection Was Torn Down

The termination of connections is a relatively routine process that is a part of normal communications. Where this event is particularly important, however, is in listing the reason why the connection was torn down. For example, the connection may have been torn down as a result of SYN timeout, which can be an indicator that someone is attempting to cause a denial of service, especially if there are a lot of events of that nature. In determining the cause of the connection teardown, it is important to review the firewall documentation for the teardown reasons. For example, Cisco Secure PIX Firewall version 7.0 message ID 302014 lists the potential reasons for a connection being torn down as shown in Table 12-3.

Table 12-3. TCP Connection Teardown Reasons

| Reason | Description |
| --- | --- |
| | Connection ended because it was idle longer than the idle timeout. |
| Deny Terminate | Flow was terminated by application inspection. |
| Failover primary closed | The standby unit in a failover pair deleted a connection because of a message received from the active unit. |
| FIN Timeout | Force termination after 10 minutes awaiting the last ACK or after half-closed timeout. |
| Flow closed by inspection | Flow was terminated by inspection feature. |
| Flow terminated by IPS | Flow was terminated by IPS. |
| Flow reset by IPS | Flow was reset by IPS. |
| Flow terminated by TCP intercept | Flow was terminated by TCP Intercept. |
| Invalid SYN | SYN packet not valid. |
| Idle Timeout | Connection timed out because it was idle longer than the timeout value. |
| IPS fail-close | Flow was terminated due to IPS card down. |
| SYN Control | Back channel initiation from wrong side. |
| SYN Timeout | Force termination after 2 minutes awaiting three-way handshake completion. |
| TCP bad retransmission | Connection terminated because of bad TCP retransmission. |
| | Normal close-down sequence. |
| TCP Invalid SYN | Invalid TCP SYN packet. |
| TCP Reset-I | Reset was from the inside. |
| TCP Reset-O | Reset was from the outside. |
| TCP segment partial overlap | Detected a partially overlapping segment. |
| TCP unexpected window size variation | Connection terminated due to variation in the TCP window size. |
| Tunnel has been torn down | Flow terminated because tunnel is down. |
| Unauth Deny | Denied by URL filter. |
| | Catchall error. |
| Xlate Clear | Command-line removal. |

As you can see, reasons such as "Unauth Deny" or "Flow closed by inspection" can be indicators of r traffic and warrant more concern and investigation than a reason such as "TCP Reset-I" (which is a normal result of applications terminating their communications session).
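The triage described above can be scripted. The following is an added example, not taken from the original text: it parses message 302014 lines, tallies teardown reasons, lists the ones the text singles out for review, and flags sources with repeated SYN Timeout teardowns. The sample log lines, the `REVIEW_REASONS` set, and the `syn_threshold` value are constructed assumptions to adapt to your own baseline.

```python
import re
from collections import Counter

# Constructed sample lines in the message 302014 layout (documentation-range addresses).
SAMPLE_LOG = """\
%PIX-6-302014: Teardown TCP connection 101 for outside:198.51.100.7/40001 to inside:192.0.2.10/80 duration 0:02:00 bytes 0 SYN Timeout
%PIX-6-302014: Teardown TCP connection 102 for outside:198.51.100.7/40002 to inside:192.0.2.10/80 duration 0:02:00 bytes 0 SYN Timeout
%PIX-6-302014: Teardown TCP connection 103 for outside:198.51.100.7/40003 to inside:192.0.2.10/80 duration 0:02:00 bytes 0 SYN Timeout
%PIX-6-302014: Teardown TCP connection 104 for outside:203.0.113.9/51000 to inside:192.0.2.10/80 duration 0:00:04 bytes 5120 TCP Reset-I
%PIX-6-302014: Teardown TCP connection 105 for inside:192.0.2.50/33000 to outside:203.0.113.80/80 duration 0:00:01 bytes 310 Unauth Deny
%PIX-6-302014: Teardown TCP connection 106 for inside:192.0.2.51/33100 to outside:203.0.113.81/21 duration 0:00:09 bytes 880 Flow closed by inspection (jdoe)
%PIX-6-302013: Built inbound TCP connection 107 for outside:203.0.113.9/51001 (203.0.113.9/51001) to inside:192.0.2.10/80 (192.0.2.10/80)
"""

# The reason and the trailing "(user)" are both optional in this message.
TEARDOWN = re.compile(
    r"%(?:PIX|ASA)-\d-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+?))?(?: \((?P<user>[^)]*)\))?$"
)

# Reasons the text names as warranting investigation; extend from Table 12-3 as needed.
REVIEW_REASONS = {"Unauth Deny", "Flow closed by inspection"}

def parse_teardowns(text):
    """Return one dict per 302014 line; other message IDs are skipped."""
    return [m.groupdict() for m in map(TEARDOWN.search, text.splitlines()) if m]

def triage(events, syn_threshold=3):
    """Tally reasons, collect review-worthy teardowns, flag SYN Timeout bursts per source."""
    reasons = Counter(e["reason"] or "(none logged)" for e in events)
    review = [e for e in events if e["reason"] in REVIEW_REASONS]
    syn = Counter(e["src"] for e in events if e["reason"] == "SYN Timeout")
    bursts = {src: n for src, n in syn.items() if n >= syn_threshold}
    return reasons, review, bursts

if __name__ == "__main__":
    reasons, review, bursts = triage(parse_teardowns(SAMPLE_LOG))
    print("Reason counts:", dict(reasons))
    for e in review:
        print(f"REVIEW conn {e['id']}: {e['src']} -> {e['dst']}:{e['dport']} ({e['reason']})")
    for src, n in bursts.items():
        print(f"SYN Timeout burst: {n} teardowns from {src}")
```

A single SYN Timeout is unremarkable; the count per source over a time window is what matters, so run this over a bounded slice of the log rather than the whole archive.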

Authentication Failed

Authentication-failed events can be indicators of everything from users making a typo when they enter their password to malicious users making a brute-force attack in an attempt to determine the password. Authentication-failed events should be examined in particular detail when the account in question is or administrator-level account.

Traffic Dropped (Addressed to the Firewall)

These events are similar to the traffic dropped that is not addressed to the firewall, with the obvious difference being that in this case the traffic is addressed to the firewall. As a general rule, the firewall should not receive traffic addressed directly to it on the external interface; instead, all traffic should be destined for the resources being protected by the firewall. These events can be indicators of malicious users attempting to gain access to the firewall or a misconfiguration of things such as ICMP, IPsec, or management or routing protocols and should be investigated in more detail to determine the exact nature of why the traffic was dropped.

Administrator Session Ended

Similar to administrator access being granted, administrator sessions ending should be monitored to ensure that the administrator who had access was supposed to have access. This type of event can also be used as a benchmark because only administrators should be able to make changes to the firewall, and therefore the logs should be investigated in more detail for the time preceding the administrator session ending to see what commands may have been run.
