6 Replies Latest reply on Jun 24, 2014 4:31 PM by pmcdougal

    LEM Security Rules for Firewall Logs

    byrona

      I currently have my firewall(s) set to send all of their logs to LEM which includes log data for pretty much all network traffic.  I am curious if anybody has any good suggestions or pointers on rules that can be configured to help identify potential security concerns?


      I am looking for more broad rules and less environment-specific rules that might be used.  In security forums I have read lots of articles that say what great security insight you can get and how you can detect potential problems when using a SIEM such as LEM in conjunction with your firewall logs; however, they never actually suggest best practices on how one might achieve this.


      I look forward to hearing thoughts on this, thanks in advance for sharing!

        • Re: LEM Security Rules for Firewall Logs
          evanr

          We struggle with this as well.  As far as LEM is concerned I don't have any rules to give out that would help.  We have gone the route of setting up traps to alert us.  So for example I want to be alerted to scanning attempts via burst rate threshold %733105.  I would set up my SNMP trap via SAM that also logs it to LEM for archival purposes.  Same way with our IDS system.  In a lot of cases we get tons of unmatched data so we don't use LEM exclusively for alerting in these instances.  Canned nDepth searches Network Suspicious, Network Attack and Security Alerts have been helpful in identifying those anomalous events that occur.  But there is no magic bullet.  It's a constant back and forth of viewing log files, tweaking settings, and trying to leverage LEM for alerts.  When it comes to network devices we definitely use LEM more as a log receptacle than an actual IDS/IPS device.

            • Re: LEM Security Rules for Firewall Logs
              byrona

              Yeah, I hear ya.  For those unmatched events, if it's a supported device you can export a report and send it to SolarWinds and they will upgrade the connector for it; I have done that several times with the Fortinet connector.


              It just seems that LEM has so much potential in playing a significant role as part of an IDS/IPS solution; however, I am still struggling to tap that potential.

                • Re: LEM Security Rules for Firewall Logs
                  evanr

                  Oh nice.  I will have to take advantage of that. 


                  Yes, I agree.  It's a great tool and has made my life considerably easier.  I am interested to see how it continues to evolve in the IDS/IPS realm.  We are still utilizing a dedicated box simply because we can change/tweak it how we see fit.  You can't do that with a hardened appliance.  (Well, technically you could with chroot, but then that opens up a whole can of worms regarding terms of use, etc.)  The future is definitely bright though.

              • Re: LEM Security Rules for Firewall Logs
                pmcdougal

                There are a lot of different things in these replies to address.  If I miss any, my apologies.


                LEM can primarily be used in conjunction with your firewalls to look for failed logon attempts (Template Critical Account Logon Failure; see my forum post Mastering the filter/rule Creation Engine... for additional details), change management (PolicyModify events), unauthorized web site activity, looking for spyware sites (Known Spyware Site traffic), etc.

                 

                As for IDS/IPS with the LEM: LEM actually has Snort built into it.  In order to use this function you would have to map a physical NIC in promiscuous mode to the virtual appliance (Hyper-V can't do promiscuous mode, I don't believe).  You will also have to mirror a network port on one of your switches for the network segment being monitored.
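As an added illustration (my own code, not LEM's rule engine and not anything posted in the thread): the rule classes pmcdougal lists above (account logon failures, configuration changes, known spyware site traffic) plus the scan-style burst threshold evanr mentions, expressed as detection logic run over a dozen constructed firewall log lines. The key=value format is loosely modelled on Fortinet syslog; the field names, thresholds, windows and the blocklist are assumptions for the example, and in LEM the same logic would be built as correlation rules in the console rather than as Python.

```python
# Detection logic over constructed firewall logs. Format/field names are
# assumptions loosely modelled on Fortinet key=value syslog; not real data.
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGS = """\
date=2014-06-24 time=10:00:01 type=event subtype=system logdesc="Admin login failed" user="admin" srcip=203.0.113.7 action="login" status="failed"
date=2014-06-24 time=10:00:05 type=event subtype=system logdesc="Admin login failed" user="admin" srcip=203.0.113.7 action="login" status="failed"
date=2014-06-24 time=10:00:09 type=event subtype=system logdesc="Admin login failed" user="admin" srcip=203.0.113.7 action="login" status="failed"
date=2014-06-24 time=10:00:30 type=event subtype=system logdesc="Admin login failed" user="jdoe" srcip=10.0.0.5 action="login" status="failed"
date=2014-06-24 time=10:01:00 type=event subtype=system logdesc="Object attribute configured" user="jdoe" srcip=10.0.0.5 action="Edit" cfgpath="firewall.policy"
date=2014-06-24 time=10:02:00 type=traffic subtype=forward srcip=198.51.100.9 dstip=10.0.0.20 dstport=22 action=deny
date=2014-06-24 time=10:02:01 type=traffic subtype=forward srcip=198.51.100.9 dstip=10.0.0.20 dstport=23 action=deny
date=2014-06-24 time=10:02:02 type=traffic subtype=forward srcip=198.51.100.9 dstip=10.0.0.20 dstport=80 action=deny
date=2014-06-24 time=10:02:03 type=traffic subtype=forward srcip=198.51.100.9 dstip=10.0.0.20 dstport=443 action=deny
date=2014-06-24 time=10:02:04 type=traffic subtype=forward srcip=198.51.100.9 dstip=10.0.0.20 dstport=3389 action=deny
date=2014-06-24 time=10:03:00 type=traffic subtype=forward srcip=10.0.0.31 dstip=192.0.2.10 dstport=443 action=accept
date=2014-06-24 time=10:03:05 type=traffic subtype=forward srcip=10.0.0.31 dstip=192.0.2.66 dstport=80 action=accept
"""

# Constructed blocklist standing in for a "known spyware site" feed (assumption).
KNOWN_BAD_DSTIPS = {"192.0.2.66"}


def parse_line(line):
    """Parse one key=value line (quoted values allowed) and add a datetime 'ts'."""
    fields = {}
    for token in shlex.split(line):          # shlex strips the quotes around values
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _burst(timestamped_keys, threshold, window):
    """True if >= threshold distinct keys fall inside any span of length `window`.
    Sliding window over the (ts, key) pairs sorted by time."""
    items = sorted(timestamped_keys)
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        if len({k for _, k in items[start:end + 1]}) >= threshold:
            return True
    return False


def rule_logon_failure_burst(events, threshold=3, window=timedelta(seconds=60)):
    """Critical account logon failure: >= threshold failed logins from one source inside window."""
    per_src = defaultdict(list)
    for i, e in enumerate(events):
        if e.get("type") == "event" and e.get("action") == "login" and e.get("status") == "failed":
            per_src[e["srcip"]].append((e["ts"], i))   # i is unique, so distinct count == failure count
    return [("logon_failure_burst", src) for src, items in per_src.items()
            if _burst(items, threshold, window)]


def rule_config_change(events, change_actions=("Add", "Edit", "Delete")):
    """Change management: a configuration object added, edited or deleted."""
    return [("config_change", e.get("user", "?"), e.get("cfgpath", "?"))
            for e in events
            if e.get("type") == "event" and e.get("subtype") == "system"
            and e.get("action") in change_actions]


def rule_scan_burst(events, threshold=5, window=timedelta(seconds=10)):
    """Scan-like burst: one source touching >= threshold distinct destination ports inside window."""
    per_src = defaultdict(list)
    for e in events:
        if e.get("type") == "traffic" and "dstport" in e:
            per_src[e["srcip"]].append((e["ts"], e["dstport"]))
    return [("scan_burst", src) for src, items in per_src.items()
            if _burst(items, threshold, window)]


def rule_known_bad_destination(events, blocklist=KNOWN_BAD_DSTIPS):
    """Known spyware site traffic: any flow, allowed or denied, to a listed destination."""
    return [("known_bad_destination", e["srcip"], e["dstip"])
            for e in events
            if e.get("type") == "traffic" and e.get("dstip") in blocklist]


def run_rules(text):
    events = parse_logs(text)
    alerts = []
    for rule in (rule_logon_failure_burst, rule_config_change,
                 rule_scan_burst, rule_known_bad_destination):
        alerts.extend(rule(events))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print(alert)
```

The two burst rules share one sliding-window helper, which is the same shape a SIEM correlation rule takes (N events matching a filter, grouped by a field, inside a time window); the single failed login from 10.0.0.5 stays below threshold and produces nothing, while the third failure from 203.0.113.7 fires. Thresholds and windows are the tuning knobs evanr describes as the constant back and forth.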