Firewalls are the gatekeepers of your network: they control what enters and leaves, and they log every connection they handle. A Security Operations Center (SOC) analyst has to be able to read these logs with confidence, so let’s break the process of interpreting firewall logs into simple steps.
Step 1: Verify the IP and port details
The IP addresses and port numbers in a firewall log are the first things you should check. Consider an IP address to be a computer’s “home address” on a network, and consider a port to be a particular “room” in that home where communication takes place. The log will show the source IP (where the traffic comes from) and the destination IP (where the traffic is going), along with the port numbers used.
Step 2: Recognize the Section on Action
A log’s “action” field records what the firewall did with the traffic. The values you will typically see are:
Accept: Traffic was permitted to flow through.
Deny: The sender was informed and the traffic was stopped.
Drop: The sender was not informed and the traffic was blocked.
Close: Both parties agreed to end the communication.
Client-rst: The client (the one who initiated the communication) terminated it.
Server-rst: The server, which is the recipient of the communication, terminated it.
Logs contain many fields. Here is a list of what you can expect to see when you review one.
date= Date
time= Time
devname= Hostname of the firewall
devid= Device ID
eventtime= Event timestamp (epoch value, e.g. 1653131198230012501)
tz= Time zone
logid= Log ID
type= Log type (traffic, utm, event, etc.)
subtype= Log subtype (forward, vpn, webfilter, virus, ips, system, etc.)
level= Log level
srcip= Source IP address
srcname= Source hostname
srcport= Source port
srcintf= Name of the source interface
srcintfrole= Role of the source interface
dstip= Destination IP address
dstport= Destination port
dstintf= Name of the destination interface
dstintfrole= Role of the destination interface
srccountry= Country of the source IP
dstcountry= Country of the destination IP
action= Action taken (drop, deny, accept, etc.)
service= Service (protocol/application) information
transip= NAT IP (the translated address the private source address was mapped to)
transport= NAT port
duration= Time elapsed
sentbyte= Size of the packets sent (bytes)
rcvdbyte= Size of the packets received (bytes)
sentpkt= Number of packets sent
rcvdpkt= Number of packets received
Step 3: Use Source and Destination Filters
You can filter the logs by source and destination IP addresses to narrow them down. This makes it much quicker to locate the relevant entries, particularly when investigating a specific incident.
To give a simple overview of how to read firewall logs, I decided to use LetsDefend.io’s Firewall Log Analysis module as an example.
In this module, LetsDefend provides a log file to review and asks a series of questions about it. Answering them lets us put the steps above to work and figure out what is going on in the file.
Question: How many different ports did the attacker attempt to access?
Answer: 12
To answer this question I focused on finding all the distinct dstport values in the log where action=deny.
Question: What kind of attack/activity could have been made according to the logs above?
A) Brute-Force Attack
B) Port-scan activity
C) TCP-SYN-Flood Attack
D) No suspicious activities detected
Answer: B) Port-scan activity
Looking at the contents of the log file and seeing the same source being denied access on a whole range of ports, it is clear that the answer is port-scan activity.
Question: How many open ports did the attacker detect?
Answer: 3
Entries with action=allow show which traffic was let through, so the distinct dstport values on those lines are the open ports the attacker found.
Question: Will the attacker get a response from the Firewall stating that its access request was blocked?
Answer: Yes
In the log file, we can see that the blocked traffic is logged with the action deny. If we refer back to the action list, deny means the sender is informed that the traffic was stopped (unlike drop, which blocks silently).
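As an added example (this is my own illustration, not code from the post or from LetsDefend’s module), here is a small Python script that parses FortiGate-style key=value log lines like the fields listed above and applies the three steps: it reads the IP and port fields, interprets the action field, filters by source/destination, and then answers the same kinds of questions the module asks (distinct denied ports, open ports, whether a source looks like a port scan, and whether the sender was informed). The sample log lines, the IP addresses, and the port-scan threshold of five distinct ports are all constructed for the example.

```python
import re

# Constructed sample log (not the LetsDefend file): a scanner at 203.0.113.45
# probes 192.0.2.10 on several ports; a legitimate client at 198.51.100.7
# makes one normal HTTPS connection. Fields follow the FortiGate key=value layout.
SAMPLE_LOG = """\
date=2022-05-21 time=12:00:01 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=203.0.113.45 srcport=51001 dstip=192.0.2.10 dstport=22 action="accept" service="SSH"
date=2022-05-21 time=12:00:01 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=203.0.113.45 srcport=51002 dstip=192.0.2.10 dstport=23 action="deny" service="TELNET"
date=2022-05-21 time=12:00:02 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=203.0.113.45 srcport=51003 dstip=192.0.2.10 dstport=25 action="deny" service="SMTP"
date=2022-05-21 time=12:00:02 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=203.0.113.45 srcport=51004 dstip=192.0.2.10 dstport=80 action="accept" service="HTTP"
date=2022-05-21 time=12:00:03 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=203.0.113.45 srcport=51005 dstip=192.0.2.10 dstport=110 action="deny" service="POP3"
date=2022-05-21 time=12:00:03 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=203.0.113.45 srcport=51006 dstip=192.0.2.10 dstport=443 action="deny" service="HTTPS"
date=2022-05-21 time=12:00:04 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=203.0.113.45 srcport=51007 dstip=192.0.2.10 dstport=23 action="deny" service="TELNET"
date=2022-05-21 time=12:00:04 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=203.0.113.45 srcport=51008 dstip=192.0.2.10 dstport=8080 action="drop" service="HTTP-ALT"
date=2022-05-21 time=12:00:05 devname="FGT-EDGE" type="traffic" subtype="forward" srcip=198.51.100.7 srcport=40210 dstip=192.0.2.10 dstport=443 action="accept" service="HTTPS"
"""

# key=value pairs; values may be quoted ("FGT-EDGE") or bare (203.0.113.45)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Step 1: turn one log line into a dict of its fields (srcip, dstport, action, ...)."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def parse_log(text):
    """Parse every non-empty line of a log file."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def filter_by(records, srcip=None, dstip=None):
    """Step 3: keep only records matching the given source and/or destination IP."""
    return [r for r in records
            if (srcip is None or r.get("srcip") == srcip)
            and (dstip is None or r.get("dstip") == dstip)]


def ports_with_action(records, srcip, actions):
    """Distinct destination ports a source reached where the action is one of `actions`."""
    return {int(r["dstport"]) for r in filter_by(records, srcip=srcip)
            if r.get("action") in actions and "dstport" in r}


def denied_ports(records, srcip):
    """Step 2: ports where the firewall answered with deny (sender is told)."""
    return ports_with_action(records, srcip, {"deny"})


def open_ports(records, srcip):
    """Ports the source actually got through on. The LetsDefend file uses
    action=allow while FortiGate logs use action=accept, so both count as open."""
    return ports_with_action(records, srcip, {"accept", "allow"})


def ports_attempted(records, srcip):
    """Every distinct port a source tried, regardless of the firewall's action."""
    return {int(r["dstport"]) for r in filter_by(records, srcip=srcip) if "dstport" in r}


def looks_like_port_scan(records, srcip, threshold=5):
    """Heuristic (constructed threshold): one source touching many distinct ports."""
    return len(ports_attempted(records, srcip)) >= threshold


def sender_informed(action):
    """Per the action list above: deny informs the sender, drop stays silent.
    Returns None for actions where the question does not apply (accept, close, ...)."""
    return {"deny": True, "drop": False}.get(action)


def summarize(records):
    """Per-source view an analyst would look at first."""
    summary = {}
    for src in sorted({r["srcip"] for r in records if "srcip" in r}):
        summary[src] = {
            "attempted": len(ports_attempted(records, src)),
            "denied": len(denied_ports(records, src)),
            "open": len(open_ports(records, src)),
            "port_scan": looks_like_port_scan(records, src),
        }
    return summary


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for src, stats in summarize(records).items():
        print(src, stats)
```

Running the script prints one line per source IP; the scanner shows seven distinct ports attempted, four denied, two open, and is flagged as a port scan, while the legitimate client touched a single port and is not. The same functions work on a real export once it is read from a file, and the threshold in looks_like_port_scan is the knob to tune against your own baseline.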
In conclusion, reading firewall logs may appear difficult at first, but with a step-by-step approach it gets a lot easier. Start with the fundamentals: verify the IP and port details, understand the firewall’s action, and filter your results down to the relevant data. With some experience, you’ll find that these logs are crucial for maintaining the security of your network and for handling incidents swiftly and efficiently.