What Rules/Use-case should i use to track Proxy and Firewall Activity
It would be great if someone share some good Use cases or Rules which i can build or use to track Firewall and Proxy Traffic, which helps me show my client that following are the malicious activity happening through their network.
I have deployed a completely virtual environment using Log architecture only, As we don't have a Packet Licence(Sad Part of the life ) ,
for example i have create one rule which tracks total download and upload Data through proxy. top 10 drops over firewall,
some more good use case or rules would make my life more adventuress.
Thanks in Advance,
- Application Rules
- Community Thread
- correlation rule
- firewall use case
- Forum Thread
- proxy rules
- RSA NetWitness
- RSA NetWitness Platform
- RSA Security Analytics
You may want to look through Live and pull in some Command and Control content. Using firewall logs you should be able to alert when countries that aren't friendly to your business are making it through the firewall. So lets say for example you want to look for country.src=russia && action=accept && device.type=firewall. This would roughly show firewall traffic coming from Russia that made it through to your internal network. You can do that with any country or any action. If you have an Event Stream Analysis appliance you could also do something like if a single internal ip address was contacted from a list of "suspicious" countries over a 5 minute period, alert on the behavior. Or even the reverse where a single "suspicious" ip address is accepted through the firewall to any number of internal ip addresses over a certain time period, then alert.
I hope this gives you some use case ideas.
SANS is a good source for some primers on network security and activity analysis. This article is a little dated but the information is still relevant. The 6 Categories of Critical Log Information . It will give you some ideas about how to approach proxy and firewall log analysis.