This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

What Rules/Use-case should i use to track Proxy and Firewall Activity

AnujShrivastava
Beginner
Beginner

‎2017-04-27 02:39 AM

Hi All,

 

It would be great if someone share some good Use cases or Rules which i can build or use to track Firewall and Proxy Traffic, which helps me show my client that following are the malicious activity happening through their network.

 

I have deployed a completely virtual environment using Log architecture only,  As we don't have a Packet Licence(Sad Part of the life ) ,

for example i have create one rule which tracks total download and upload Data through proxy. top 10 drops over firewall, 

 

some more good use case or rules would make my life more adventuress.

 

Thanks in Advance,

 

Anuj

0 Likes
2 REPLIES 2

JohnKisner
Valued Contributor Valued Contributor
Valued Contributor

‎2017-05-02 02:29 PM

You may want to look through Live and pull in some Command and Control content. Using firewall logs you should be able to alert when countries that aren't friendly to your business are making it through the firewall. So lets say for example you want to look for country.src=russia && action=accept && device.type=firewall. This would roughly show firewall traffic coming from Russia that made it through to your internal network. You can do that with any country or any action. If you have an Event Stream Analysis appliance you could also do something like if a single internal ip address was contacted from a list of "suspicious" countries over a 5 minute period, alert on the behavior. Or even the reverse where a single "suspicious" ip address is accepted through the firewall to any number of internal ip addresses over a certain time period, then alert.

 

I hope this gives you some use case ideas.

ArthurCostigan1
Frequent Contributor Frequent Contributor
Frequent Contributor

‎2017-05-03 03:36 PM

SANS is a good source for some primers on network security and activity analysis.  This article is a little dated but the information is still relevant.  The 6 Categories of Critical Log Information .  It will give you some ideas about how to approach proxy and firewall log analysis.

 

Regards,

 

Art

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.