
LEM Security Rules for Firewall Logs

I currently have my firewall(s) set to send all of their logs to LEM which includes log data for pretty much all network traffic.  I am curious if anybody has any good suggestions or pointers on rules that can be configured to help identify potential security concerns?

I am am looking for more broad rules and less environment specific rules that might be used.  In security forums I have read lots of articles that say what great security insight you can get and how you can detect potential problems when using a SIEM such as LEM in conjunction with your firewall logs; however, they never actually suggest best practices on how one might achieve this.

I look forward to hearing thoughts on this, thanks in advance for sharing!

  • We struggle with this as well.  As far as LEM is concerned I don't have any rules to give out that would help.  We have gone the route of setting up traps to alert us.  So for example I want to be alerted to scanning attempts via burst rate threshold %733105.  I would set up my SNMP trap via SAM that also logs it to LEM for archival purposes.  Same way with our IDS system.  In a lot of cases we get tons of unmatched data so we don't use LEM exclusively for alerting in these instances.  Canned nDepth searches Network Suspicious, Network Attack and Security Alerts have been helpful in identifying those anomalous events that occur.  But there is no magic bullet.  It's a constant back & forth of viewing log files, tweaking settings, and trying to leverage LEM for alerts.  When it comes to network devices we definitely use LEM more as a log receptacle than an actual IDS/IPS device.

  • Yeah, I hear ya.  For those unmatched events, if it's a supported device you can export a report and send it to SolarWinds and they will upgrade the connector for it; I have done that several times with the Fortinet connector.

    It just seems that LEM has so much potential in playing a significant role as part of an IDS/IPS solution; however, I am still struggling to tap that potential.

  • Oh nice.  I will have to take advantage of that. 

    Yes I agree.  It's a great tool and has made my life considerably easier.  I am interested to see how it continues to evolve in the IDS/IPS realm.  We are still utilizing a dedicated box simply because we can change/tweak it how we see fit.  You can't do that with a hardened appliance.  (Well, technically you could with chroot, but then that opens up a whole can of worms regarding terms of use, etc.)  The future is definitely bright though.

  • FormerMember, in reply to evanr:

    Do you mean help catch security events that might help you detect an intrusion or attempted intrusion, or using LEM as an IDS/IPS?  I could not imagine getting LEM tuned enough to actually be the IDS/IPS!  I could see sending IDS/IPS logs to LEM and triggering off of the logs.

    As a tool to "see" intrusions though, it can be very helpful!

  • It would be nice to be able to use LEM as the IDS/IPS.  But yes, I don't feel it fits those requirements yet.  What we do currently is send our log data to LEM and then use LEM to send us the appropriate triggers.

  • There are a lot of different things in these replies to address.  If I miss any, my apologies.

    LEM can primarily be used in conjunction with your firewalls to look for failed logon attempts (Template: Critical Account Logon Failure; see my forum post "Mastering the filter/rule Creation Engine..." for additional details), change management (PolicyModify events), unauthorized web site activity, looking for spyware sites (Known Spyware Site traffic), etc.

    As for IDS/IPS with the LEM: LEM actually has Snort built into it.  In order to use this function you would have to map a physical NIC in promiscuous mode to the virtual appliance (Hyper-V can't do promiscuous mode, I don't believe).  You will also have to mirror a network port on one of your switches for the network segment being monitored.
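Added example, not from this thread or from SolarWinds: a small Python sketch of the two rule types the replies describe, a burst-rate threshold for scanning (denies from one source on many distinct ports within a short window) and repeated failed logons for one source/user, run over constructed firewall lines in a hypothetical key=value syslog format. The field names, thresholds, windows and sample addresses are assumptions; unmatched lines are counted instead of silently dropped, mirroring the "tons of unmatched data" problem above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value syslog style (not any vendor's real format).
SAMPLE_LOGS = """\
2024-03-01T10:00:01 action=deny src=203.0.113.5 dst=192.0.2.10 dport=21
2024-03-01T10:00:02 action=deny src=203.0.113.5 dst=192.0.2.10 dport=22
2024-03-01T10:00:03 action=deny src=203.0.113.5 dst=192.0.2.10 dport=23
2024-03-01T10:00:04 action=deny src=203.0.113.5 dst=192.0.2.10 dport=25
2024-03-01T10:01:00 action=auth-fail src=198.51.100.7 dst=192.0.2.1 dport=443 user=admin
2024-03-01T10:01:30 action=auth-fail src=198.51.100.7 dst=192.0.2.1 dport=443 user=admin
2024-03-01T10:02:00 action=auth-fail src=198.51.100.7 dst=192.0.2.1 dport=443 user=admin
<14>Mar  1 10:02:05 fw01 vendor-specific line the parser does not understand
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>[\w-]+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)(?: user=(?P<user>\S+))?$"
)

def parse(line):
    """Event dict, or None for 'unmatched data' the connector cannot map."""
    m = LINE_RE.match(line.strip())
    return dict(m.groupdict(), ts=datetime.fromisoformat(m["ts"])) if m else None

def burst_alerts(events, match, key, window, threshold, distinct=None):
    """Burst-rate rule: fire when >= threshold matching events share a key within a
    sliding window of `window` seconds; `distinct` counts distinct values of that field."""
    recent, alerts = defaultdict(deque), {}
    for ev in sorted(filter(match, events), key=lambda e: e["ts"]):
        q = recent[key(ev)]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > timedelta(seconds=window):
            q.popleft()  # expire events that fell outside the window
        count = len({e[distinct] for e in q}) if distinct else len(q)
        if count >= threshold:
            alerts[key(ev)] = max(alerts.get(key(ev), 0), count)
    return alerts

def run_rules(raw_lines):
    events = [e for e in map(parse, raw_lines) if e]
    deny, fail = (lambda e: e["action"] == "deny"), (lambda e: e["action"] == "auth-fail")
    return {  # scan: >= 4 distinct ports denied from one source within 60 s
        "port_scan": burst_alerts(events, deny, lambda e: e["src"], 60, 4, "dport"),
        # logon failure: >= 3 auth failures for one (src, user) within 300 s
        "logon_failure": burst_alerts(events, fail, lambda e: (e["src"], e["user"]), 300, 3),
        "unmatched": len(raw_lines) - len(events),  # lines the parser could not map
    }
```

Tune the window and threshold per rule against your own traffic before alerting on it; a too-low scan threshold will fire on ordinary multi-port clients.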