[lug] IPcop / Smoothwall log help

David Anselmi anselmi at anselmi.us
Fri Jun 24 21:36:53 MDT 2005


Daniel Webb wrote:
> On Thu, Jun 23, 2005 at 09:33:59AM -0700, Matt James wrote:
> 
>>     Not being a Linux security expert I was hoping that someone in
>>this group might be able to help out a newbie.
[...]
>>Any help or direction would be greatly appreciated.
> 
> My experience is that if you're on a fixed IP address, you'll get hammered
> constantly with scanners of all types.  For that reason, watching the firewall
> log files for security reasons is a waste of time in my opinion.

Not to mention that most likely the firewall logs what it knows enough 
to block.  You might learn something looking at attacks from the 
Internet that get blocked but they aren't very relevant.  (Now if you 
look at the traffic and figure out how to reproduce it, you can learn a 
bunch.  But that takes time.)

The interesting stuff is the stuff that your firewall doesn't block.  So 
your IDS should only look at your inside network because you care about 
what it reports there, especially if it's something you think the 
firewall is blocking.  (You can find security admins who swear by IDS on 
the Internet side.  Sometimes they're just clueless and sometimes they 
can actually make use of that data.  But for you I'd say don't bother.)

As to understanding the logs, you probably just need to learn more about 
how TCP/IP works.  Stevens's "...Illustrated" series (just volume 1) is 
the best treatment of that I've seen.  If you don't want to go in for a 
whole book, google for tcp/ip tutorial and start reading.  Skip anything 
that you don't understand the first few sections of.  This one might be 
a good place to start:

http://www.faqs.org/rfcs/rfc1180.html

If you want help in person, watch for the next installfest and let the 
list know you'll be there looking for this kind of help.  I'm sure you 
could get help if you printed your logs and asked around at a meeting too.

Dave
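As an added example (not from the original thread), a short Python script that applies the triage rule above to a few constructed netfilter-style log lines, the format that iptables-based firewalls such as IPcop and Smoothwall write to syslog: it counts the dropped WAN-side noise per source and pulls out the accepted inbound connections that actually reached the inside network. The DROP/ACCEPT log prefixes and the interface names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG format. The "DROP"/"ACCEPT"
# prefixes and eth1 (WAN) / eth0 (LAN) are assumptions for this example; real
# prefixes and interface names depend on the firewall's rule set.
SAMPLE_LOG = """\
Jun 24 20:01:02 fw kernel: DROP IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=4121 DPT=135
Jun 24 20:01:03 fw kernel: DROP IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=4122 DPT=139
Jun 24 20:01:04 fw kernel: DROP IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=4123 DPT=445
Jun 24 20:02:10 fw kernel: DROP IN=eth1 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=UDP SPT=1434 DPT=1434
Jun 24 20:03:15 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=203.0.113.50 DST=192.168.1.10 PROTO=TCP SPT=51000 DPT=22
Jun 24 20:04:00 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=192.168.1.20 DST=93.184.216.34 PROTO=TCP SPT=40001 DPT=80
"""

# Pull the fields we need out of one netfilter log line.
LINE_RE = re.compile(
    r"kernel: (?P<action>\w+) IN=(?P<inif>\S*) OUT=(?P<outif>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse(text):
    """Return one dict per parseable log line; unrelated syslog lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def triage(text, wan_if="eth1"):
    """Separate scanner noise dropped on the WAN side (count per source) from the
    accepted inbound connections that got through to the inside network."""
    events = parse(text)
    blocked = Counter(e["src"] for e in events
                      if e["action"] == "DROP" and e["inif"] == wan_if)
    passed_inbound = [e for e in events
                      if e["action"] == "ACCEPT" and e["inif"] == wan_if]
    return blocked, passed_inbound


if __name__ == "__main__":
    blocked, passed = triage(SAMPLE_LOG)
    print("Blocked WAN noise (low value):", dict(blocked))
    for e in passed:  # this is the part worth reading closely
        print("ACCEPTED inbound:", e["src"], "->", e["dst"], e["proto"], "port", e["dpt"])
```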