- http://thinking-about-network-security.blogspot.com/2009/07/parsing-vista-firewall-logs-part-i.html
- http://thinking-about-network-security.blogspot.com/2009/07/parsing-vista-firewall-logs-part-ii.html
- http://thinking-about-network-security.blogspot.com/2009/07/parsing-vista-firewall-logs-part-iii.html
- http://thinking-about-network-security.blogspot.com/2009/08/parsing-vista-firewall-part-iv.html
- http://thinking-about-network-security.blogspot.com/2009/08/parsing-vista-firewalls-part-v.html
- http://technet.microsoft.com/en-us/network/bb545423.aspx
- http://msdn.microsoft.com/en-us/library/aa366453(v=VS.85).aspx
- http://msdn.microsoft.com/en-us/library/ee663289(v=VS.85).aspx
- http://www.microsoft.com/downloads/en/details.aspx?FamilyId=DF192E1B-A92A-4075-9F69-C12B7C54B52B&displaylang=en
There are several issues with parsing information from Windows Firewall logs:
- Windows Firewall is one of three native sources of network data offered by Microsoft, the other two being Network Monitor and ETL (Kernel TCP/IP and NDIS Capture)Tracing,
- Windows Firewall must be configured for complete logging and the logging file rotates only one file (*.old) by default.
- The log file can be exceptionally large depending on configuration.
- A comparison of destination IPs to the external Firewall 'Block' list.
- A comparison of destination or source IPs to the ISCs (daily list) of top 100 IPs.
- A comparison of destination or source IPs to the "Stop Badware" database.
- A subset of IPs known as business competitors.
- A chronology of outbound activity on "known suspect" ports.
- A chronology of outbound activity on "known good" ports used for suspect activity.
- A chronology of outbound activity on either "known good" or "known suspect ports" to targets that are not part of "previously known profile" for those ports.
'DROP UDP 192.168.0.15 255.255.255.255 68 67 RECEIVE'
- Would it be expected behavior for the srcIP ("192.168.0.15") to RECEIVE data from the dstIP ("255.255.255.255")?
- Would it be expected behavior for the srcIP ("192.168.0.15") to RECEIVE data from the dstIP ("255.255.255.255") on dstPort ("68")?
- What is the expected 'action' for either case? (e.g. DROP or ALLOW)?
[1] By default located at 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'
This comment has been removed by a blog administrator.
ReplyDelete