This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
AnujShrivastava
Beginner
Beginner
‎2017-04-27 02:39 AM

What Rules/Use-case should i use to track Proxy and Firewall Activity

Hi All,

 

It would be great if someone share some good Use cases or Rules which i can build or use to track Firewall and Proxy Traffic, which helps me show my client that following are the malicious activity happening through their network.

 

I have deployed a completely virtual environment using Log architecture only,  As we don't have a Packet Licence(Sad Part of the life ) ,

for example i have create one rule which tracks total download and upload Data through proxy. top 10 drops over firewall, 

 

some more good use case or rules would make my life more adventuress.

 

Thanks in Advance,

 

Anuj

0 Likes
Reply
2 Replies
JohnKisner
Trusted Contributor Trusted Contributor
Trusted Contributor
‎2017-05-02 02:29 PM

You may want to look through Live and pull in some Command and Control content. Using firewall logs you should be able to alert when countries that aren't friendly to your business are making it through the firewall. So lets say for example you want to look for country.src=russia && action=accept && device.type=firewall. This would roughly show firewall traffic coming from Russia that made it through to your internal network. You can do that with any country or any action. If you have an Event Stream Analysis appliance you could also do something like if a single internal ip address was contacted from a list of "suspicious" countries over a 5 minute period, alert on the behavior. Or even the reverse where a single "suspicious" ip address is accepted through the firewall to any number of internal ip addresses over a certain time period, then alert.

 

I hope this gives you some use case ideas.

Reply
ArthurCostigan1
Frequent Contributor Frequent Contributor
Frequent Contributor
‎2017-05-03 03:36 PM

SANS is a good source for some primers on network security and activity analysis.  This article is a little dated but the information is still relevant.  The 6 Categories of Critical Log Information .  It will give you some ideas about how to approach proxy and firewall log analysis.

 

Regards,

 

Art

0 Likes
Reply
© 2021 RSA Security LLC or its affiliates.
All rights reserved.