People are still better than machines

A regular job of a security administrator is to analyse the logs, which is part of the operational process. But there are certainly many more interesting things to do than look at these log files. Unless you have some kind of cool tool to analyse these logs, it is pretty hectic for a security administrator to dig deeper. But I am one of those people who actually likes staring at these logs (I know, I have no life). I was going through some firewall logs and found something interesting. There are the usual port scans happening for various ports:

117.10.127.105 13845 aaa.bbb.ccc.0 22 TCP
117.10.127.105 13845 aaa.bbb.ccc.6 22 TCP
117.10.127.105 13845 aaa.bbb.ccc.21 22 TCP
117.10.127.105 13845 aaa.bbb.ccc.12 22 TCP
117.10.127.105 13845 aaa.bbb.ccc.20 22 TCP
117.10.127.105 13845 aaa.bbb.ccc.10 22 TCP
117.10.127.105 13845 aaa.bbb.ccc.41 22 TCP

The usual hits on ports 25/135/137/139/445/1433/1434 can be found in the log file, and at the moment there are plenty of hits on 3306/3389/5900. A more unusual port to be hit was TCP 249. TCP 249 isn't that common, and if you do have some captures of traffic to TCP 249 it would be interesting to analyze them. There were also a number of high ports being hit; after drilling deeper we found that they were associated with torrent and Skype traffic.
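As an added example (not code from the original diary), a small Python script that applies the two checks described above to log lines in the same five-field format as the excerpt: it flags a source that hits the same port on several distinct hosts (the horizontal scan pattern) and tallies hits on destination ports outside the "usual" set. The sample lines, addresses and the set of usual ports are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample lines in the five-field format of the excerpt above
# (src_ip src_port dst_ip dst_port proto). Addresses are made up for illustration.
SAMPLE_LOG = """\
117.10.127.105 13845 10.0.0.0 22 TCP
117.10.127.105 13845 10.0.0.6 22 TCP
117.10.127.105 13845 10.0.0.21 22 TCP
117.10.127.105 13845 10.0.0.12 22 TCP
198.51.100.7 40001 10.0.0.5 445 TCP
198.51.100.7 40002 10.0.0.5 445 TCP
203.0.113.9 51000 10.0.0.5 249 TCP
203.0.113.9 51001 10.0.0.9 3389 TCP
"""

# Ports the text calls "usual" (assumed set); anything else deserves a closer look.
COMMON_PORTS = {22, 25, 135, 137, 139, 445, 1433, 1434, 3306, 3389, 5900}

def parse_lines(text):
    """Yield (src_ip, src_port, dst_ip, dst_port, proto), skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        src, sport, dst, dport, proto = fields
        try:
            yield src, int(sport), dst, int(dport), proto
        except ValueError:
            continue

def find_sweeps(text, min_hosts=3):
    """Return {(src_ip, dst_port): sorted distinct targets} for sources hitting
    the same port on at least min_hosts distinct destinations (a horizontal scan)."""
    targets = defaultdict(set)
    for src, _sport, dst, dport, _proto in parse_lines(text):
        targets[(src, dport)].add(dst)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}

def unusual_ports(text, common=COMMON_PORTS):
    """Return {dst_port: hit_count} for destination ports outside the usual set."""
    counts = defaultdict(int)
    for _src, _sport, _dst, dport, _proto in parse_lines(text):
        if dport not in common:
            counts[dport] += 1
    return dict(counts)

if __name__ == "__main__":
    print("sweeps:", find_sweeps(SAMPLE_LOG))
    print("unusual ports:", unusual_ports(SAMPLE_LOG))
```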

It is also interesting to check the outbound traffic. Having a look at what is trying to leave the network can be just as enlightening. Torrent traffic seems to be fairly prevalent in the logs. All this highlighted is that we'll have to do a regular dump of the NAT table so we can correlate the information and tag the internal user that is being silly.

The logs can show you which machines talk to the internet and for what reason. They teach you what is normal in your network, something not easily achieved with automated tools. People are still better than machines at identifying "weird". If you have the capacity, you should consider logging not just denied traffic but also allowed traffic on the firewall. Many attacks will try to sneak through; if you log all traffic you may be able to identify them.

It may be something as exciting as a new attack, or as mundane as finding out that some of your processes aren't working or aren't being followed. You could even discover that some of your expensive tools aren't quite telling you the whole truth. Every now and then, open your command prompt, find the grep man page and go nuts.