Forums » Up and Running » Security » Security » GWF's, useless logs, and abuse desks.

BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL

GWF's, useless logs, and abuse desks.

GWF's (Goobers with firewalls), and logs that are missing key information, seem to be a big problem these days.

Inexperienced users reporting someone pinging them as a 'DOS Attack', and logs which don't include key information like time, date, protocol, port, etc., are really taking away from the real reports of people abusing the service.

I recently saw some logs from a version of SyGate, and they didn't even include the tcp port in the logs which makes them useless. How can an abuse desk take reports seriously if they don't even include the port?
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.


reaver221

join:2003-05-08
Cincinnati, OH
I agree with you, most firewall logs flat out suck.

Even in firewalls targeted at power users, the scare tactics used in the logs amaze me. Eg, in Kerio 2.x, discarded ACK packets are logged as "ACK packet attack." WTF?


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL


I use Kerio, and I don't log that Ack packet crap. I personally can't believe they did that as they are mostly just timed out packets to previously listening ports. All of my rules are custom except for the setting to block non-listening ports which shows up as 'packet to unopened port received'.

However yes, many firewalls use terms which are completely bull.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.
[text was edited by author 2003-08-06 17:47:35]


reaver221

join:2003-05-08
Cincinnati, OH
reply to BlitzenZeus
Heh. Ack packets get logged if you tell Kerio to log any packets it drops due to internal (hard-coded) rules. I turned that 'feature' on because I'd like things like dropped XMAS packets to get logged. Blah. [/rant]

LowWaterMark
Premium
join:2002-05-16
Wallingford, CT

reply to BlitzenZeus
It's unfortunate that, in their haste to capture market share, the personal software firewall vendors have helped to build up so much hype regarding how their products have defended people's systems from so many "attacks".

People who have no other information source are going to believe it, of course, and if they do figure out how to send their alerts to their ISPs, then, well that's where this problem just keeps getting worse and worse.

There are millions of people with these types of firewalls and even if only a small percentage send in reports, I'm sure it overwhelms the abuse depts. Which means when there is a real need to report something, the chance of the serious report getting through to the right people is a lot less.

I guess that's why I prefer the use of joint reporting, like what myNetwatchman does. If they get recognized by more and more ISPs as only sending in serious reports, then at least something can be done.
--
Use the most powerful combo Firewall/AV/AT package available - "Common Sense" - It can be upgraded daily!


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL

Many of the programs are popular, but I think that users should demand full logs from their firewalls. If not, boycott them; but many people do not even understand the logs, so they don't care.

myNetwatchman is a useful service, and more people should use it if they are serious about reporting events.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

said by BlitzenZeus:
Many of the programs are popular, but I think that users should demand full logs from their firewalls. If not, boycott them; but many people do not even understand the logs, so they don't care.

myNetwatchman is a useful service, and more people should use it if they are serious about reporting events.

Even with full logs from firewalls most folks can't understand them, or even WHAT to report. I just use MyNetWatchman and keep these links handy for anyone who doesn't totally understand what is in those logs and wants to report (or even interpret them).

MyNetWatchman
»www.mynetwatchman.com/

DShield.org
»www.dshield.org/
--
It takes a disaster to make a woman out of a female


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to BlitzenZeus
note1.zip 1,235 bytes
(note1.txt)
note2.zip 1,106 bytes
(note2.txt)
I gave up trying to inform ISPs etc. about attacks, as it takes far more time than it's worth (find out who the proper contact was, collect and assemble evidence, etc.). It also bothered me how little was done; sometimes I would see the same attack from the same IP for months, even after numerous notifications to the ISP. I don't think my notifications classed me as a GWF, as the attached samples of my notifications will hopefully prove (what else could they possibly want?). I do agree that systems like myNetWatchman, DShield and DeepSight are great ideas for most people.

I would find it rather humorous how many abuse folks had never heard of or didn't know what UTC was (see »greenwichmeantime.com/info/utc.htm ). I wonder how many would know what Zulu time was, as that would be a bit of a giveaway to a possible past career.

Lately I've been using messages sent directly to the infected system ( see »Would this be considered spam? for more about this), which has worked rather well.

Blake


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL


reply to BlitzenZeus
Add another to the worthless logs list, Outpost... The logs don't even record the local port for tcp and udp communications, and report icmp incorrectly. It doesn't even list what type of icmp packet it was...

I'm testing Outpost right now, and for how much work they put into the firewall I can't believe how they could leave key information out of the logs.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.
[text was edited by author 2003-08-07 21:18:55]

B
Premium,MVM
join:2000-10-28
reply to BlitzenZeus
I guess I'm not as geeky as I feared. I thought "GWF" was Gay White Female. Not that there's anything wrong with that.

-- B


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL

 
said by B:
I guess I'm not as geeky as I feared. I thought "GWF" was Gay White Female. Not that there's anything wrong with that.

-- B
That one is #3, clearly ahead of #5 on this list LOL, but I fit in category #5 and let someone else who understands the darn firewall logs to do the interpreting and reporting for me.

GWF Galaxy Warfare (gaming)
GWF Gated Waveform
GWF Gay White Female
GWF Global Warming Factor
GWF Goober with Firewall (used by network administrators for paranoid users with personal firewalls)
GWF Good Work Fella

»www.acronymfinder.com/ ---#1 on my Fav's list
Gated Waveform? I don't think I want to know
--
It takes a disaster to make a woman out of a female


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

 reply to BlitzenZeus
BZ,

Now, how the heck did this thread get this far without anyone ever defining a minimum set of information to be included in any sort of usable log?

As I recall, there actually is a standard for this. Unfortunately, it went up in smoke on my old favorites list. I thought it was an IETF working group product, but a quick scan didn't turn it up. Perhaps, it's from w3c.org?

I hate it when I lose a huge list of bookmarks!
--
Regards, Joseph V. Morris
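Added example, not code from the thread or from any of the firewall products named in it: a small Python checker for the minimum fields BlitzenZeus asks for in the opening post (date, time, protocol, source and destination addresses and ports, and the ICMP type for ICMP), which also normalizes timestamps to UTC as Link Logger's post suggests abuse desks need. The log line format, the sample lines and the required-field list are all this example's own construction; the field list is an assumption chosen to match the posts above, not the standard jvmorris is trying to recall. Lines that cannot be turned into a complete report are rejected with the list of what is missing, which is the check a user could run before sending anything to an abuse desk.

```python
"""Check firewall log lines for the fields an abuse report needs.

Added example. The "key=value" line format, the sample lines and the
required-field list below are constructed for this example and are not
taken from any real firewall product or reporting standard.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample log (hypothetical format). Line 4 lacks a UTC offset and
# ports; line 5 lacks a timestamp entirely. Addresses are documentation ranges.
SAMPLE_LOG = """\
2003-08-06 17:47:35 -0700 DROP proto=TCP src=192.0.2.10:4123 dst=198.51.100.7:135 flags=S
2003-08-06 17:48:01 -0700 DROP proto=UDP src=192.0.2.10:1026 dst=198.51.100.7:1434
2003-08-06 17:48:09 -0700 DROP proto=ICMP src=192.0.2.10 dst=198.51.100.7 type=8 code=0
2003-08-06 17:48:20 DROP proto=TCP src=192.0.2.10 dst=198.51.100.7
DROP proto=TCP src=192.0.2.10:80 dst=198.51.100.7:4456 flags=A
"""

# Optional "date time [offset]" prefix, then an action word, then key=value tokens.
LINE_RE = re.compile(
    r"^(?:(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})"
    r"(?: (?P<tz>[+-]\d{4}))? )?(?P<action>\w+)\s+(?P<rest>.*)$"
)


@dataclass
class LogRecord:
    raw: str
    timestamp: Optional[datetime] = None  # tz-aware only when an offset was logged
    tz_known: bool = False
    action: Optional[str] = None
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def _split_endpoint(value: str) -> tuple[str, Optional[int]]:
    """'192.0.2.10:4123' -> ('192.0.2.10', 4123); '192.0.2.10' -> ('192.0.2.10', None)."""
    ip, sep, port = value.rpartition(":")
    if not sep:
        return value, None
    return ip, int(port)


def parse_line(line: str) -> LogRecord:
    """Parse one line of the constructed format; absent fields stay None."""
    rec = LogRecord(raw=line)
    m = LINE_RE.match(line.strip())
    if not m:
        return rec
    if m.group("date"):
        stamp = f"{m.group('date')} {m.group('time')}"
        if m.group("tz"):
            rec.timestamp = datetime.strptime(f"{stamp} {m.group('tz')}", "%Y-%m-%d %H:%M:%S %z")
            rec.tz_known = True
        else:
            rec.timestamp = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")  # naive: offset unknown
    rec.action = m.group("action")
    for token in m.group("rest").split():
        key, _, value = token.partition("=")
        if key == "proto":
            rec.proto = value.upper()
        elif key == "src":
            rec.src_ip, rec.src_port = _split_endpoint(value)
        elif key == "dst":
            rec.dst_ip, rec.dst_port = _split_endpoint(value)
        elif key == "type":
            rec.icmp_type = int(value)
        elif key == "code":
            rec.icmp_code = int(value)
    return rec


def missing_fields(rec: LogRecord) -> list[str]:
    """Return the names of required fields this record lacks (empty = usable)."""
    missing = []
    if rec.timestamp is None:
        missing.append("timestamp")
    elif not rec.tz_known:
        missing.append("utc offset")  # without it the time cannot be converted to UTC
    if rec.proto is None:
        missing.append("protocol")
    if rec.src_ip is None:
        missing.append("source ip")
    if rec.dst_ip is None:
        missing.append("destination ip")
    if rec.proto in ("TCP", "UDP"):
        if rec.src_port is None:
            missing.append("source port")
        if rec.dst_port is None:
            missing.append("destination port")
    elif rec.proto == "ICMP":
        if rec.icmp_type is None:
            missing.append("icmp type")
        if rec.icmp_code is None:
            missing.append("icmp code")
    return missing


def report_line(rec: LogRecord) -> str:
    """Render a complete record with its time in UTC, as an abuse desk would want it."""
    stamp = rec.timestamp.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    if rec.proto == "ICMP":
        detail = f"ICMP type {rec.icmp_type} code {rec.icmp_code} {rec.src_ip} -> {rec.dst_ip}"
    else:
        detail = f"{rec.proto} {rec.src_ip}:{rec.src_port} -> {rec.dst_ip}:{rec.dst_port}"
    return f"{stamp} {rec.action} {detail}"


def triage(log_text: str) -> tuple[list[str], list[tuple[str, list[str]]]]:
    """Split a log into report-ready lines and rejected lines with their gaps."""
    usable, rejected = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        gaps = missing_fields(rec)
        if gaps:
            rejected.append((line, gaps))
        else:
            usable.append(report_line(rec))
    return usable, rejected


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_LOG)
    print("Report-ready:")
    for entry in ok:
        print("  " + entry)
    print("Rejected (missing fields):")
    for raw, gaps in bad:
        print(f"  {raw!r}: {', '.join(gaps)}")
```

Run as-is and the three complete lines come out with times shifted from -0700 to UTC, while the fourth line is rejected for lacking an offset and both ports and the fifth for having no timestamp at all. The last sample line (a lone ACK to a high port) is exactly the kind of packet reaver221 describes Kerio labelling an "ACK packet attack"; it fails the check here only because it has no timestamp, which shows that a field check like this says whether a line is reportable, not whether it is hostile.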


safemode

@edu.my

reply to BlitzenZeus
"Add another to the worthless logs list, Outpost... The logs don't even record the local port for tcp and udp communications,..."

If I understand you correctly, look for "Add/Remove Columns" in the 'View' menu, and it will display whatever item you want it to show.
Monday, 09-Nov 13:48:53 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.