The report below is a sample of a report generated by a firewall under actual use. Note that the security alerts are sorted out and presented at the top of the report, separately from the other information. Alerts are divided into security alerts, system configuration errors, and “other” information. Note the last line in the “other” section: the system disk has overflowed. One advantage of the Gauntlet “tell me what to ignore rather than what to look for” auditing approach is that anything not explicitly ignored is reported, so ordinary system error messages, such as full disks, disk errors, memory problems, and so on, surface as warnings instead of being filtered away.
From root Fri Sep 23 10:30:03 1994
Received: by your.domain; id KAA02230; Fri, 23 Sep 1994 10:30:03 -0400
Date: Fri, 23 Sep 1994 10:30:03 -0400
From: System Administrator <root>
Message-Id: <199409231430.KAA02230@your.domain>
To: firewalladmin
Subject: 09/23/94:10.30 system check
Status: R

Possible Items of Interest
--------------------------
Sep 23 10:16:11 localhost authsrv[2176]: BADAUTH mjr (rlogin-gw unknown/192.33.112.117)
Sep 23 10:16:13 localhost authsrv[2176]: BADAUTH root (rlogin-gw unknown/192.33.112.117)
Sep 23 10:18:12 localhost authedit[2185]: root ENABLED USER mjr
Sep 23 10:18:52 localhost authsrv[2188]: BADAUTH mjr (rlogin-gw unknown/192.33.112.117)
Sep 23 10:18:55 localhost authsrv[2188]: BADAUTH mjr (rlogin-gw unknown/192.33.112.117)
Sep 23 10:19:03 localhost authsrv[2188]: BADAUTH nobody (rlogin-gw unknown/192.33.112.117)
Sep 23 10:19:05 localhost authsrv[2188]: BADAUTH mjr (rlogin-gw unknown/192.33.112.117)
Sep 23 10:19:10 localhost authsrv[2190]: BADAUTH mjr (rlogin-gw unknown/192.33.112.117)
Sep 23 10:19:13 localhost authsrv[2190]: BADAUTH mjr (rlogin-gw unknown/192.33.112.117)
Sep 23 10:19:14 localhost authsrv[2190]: BADAUTH mjr too many tries (rlogin-gw unknown/192.33.112.117)
Sep 23 10:20:00 gauntlet kernel: uid 0 on /: file system full
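The "tell me what to ignore" approach described above, as an added example that is not part of the original page or of the Gauntlet product: a small Python triage script that applies an ignore list first and reports every remaining line, bucketed into security alerts, configuration errors and "other", then counts failed authentications per account and source so a guessing run like the one in the report stands out. The log lines are constructed, modelled on the "Possible Items of Interest" lines above; the "permit host=", "deny host=" and "config error" message formats are assumptions for illustration, not the firewall's own.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the "Possible Items of Interest" section
# above. The "permit host=", "deny host=" and "config error" lines are assumed
# formats for illustration, not the firewall's own message formats.
SAMPLE_LOG = """\
Sep 23 10:15:58 gauntlet ftp-gw[2170]: permit host=sol.tis.com/192.33.112.100 use of gateway
Sep 23 10:16:11 localhost authsrv[2176]: BADAUTH mjr (rlogin-gw unknown/192.33.112.117)
Sep 23 10:16:13 localhost authsrv[2176]: BADAUTH root (rlogin-gw unknown/192.33.112.117)
Sep 23 10:18:12 localhost authedit[2185]: root ENABLED USER mjr
Sep 23 10:18:52 localhost authsrv[2188]: BADAUTH mjr (rlogin-gw unknown/192.33.112.117)
Sep 23 10:19:14 localhost authsrv[2190]: BADAUTH mjr too many tries (rlogin-gw unknown/192.33.112.117)
Sep 23 10:19:30 gauntlet http-gw[2195]: permit host=kaos.tis.com/192.33.112.218 use of gateway
Sep 23 10:19:45 gauntlet netacl[2198]: deny host=magellan.tis.com/199.171.39.124 service=in.telnetd
Sep 23 10:19:50 gauntlet http-gw[2196]: config error: unrecognized keyword in rule
Sep 23 10:20:00 gauntlet kernel: uid 0 on /: file system full
Sep 23 10:20:05 gauntlet syslogd: restart
"""

# syslog-style line: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
BADAUTH_RE = re.compile(
    r"BADAUTH (?P<user>\S+)(?P<lock> too many tries)? \((?P<gw>\S+) (?P<src>\S+)\)"
)
CONFIG_RE = re.compile(r"config error|syntax error", re.IGNORECASE)

# "Tell me what to ignore": only message patterns known to be routine go here.
# Anything that matches none of them is reported, so a message type nobody
# anticipated (a full disk, a new daemon complaining) surfaces by default.
IGNORE_PATTERNS = [
    re.compile(r"^permit host="),   # permitted proxy use, summarised elsewhere
    re.compile(r"^restart$"),       # syslogd housekeeping
]


def parse(line):
    """Split one syslog line into fields, or return None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_ignored(msg):
    return any(p.search(msg) for p in IGNORE_PATTERNS)


def classify(rec):
    """Bucket a record that survived the ignore list."""
    msg = rec["msg"]
    if (BADAUTH_RE.search(msg) or "ENABLED USER" in msg
            or "DISABLED USER" in msg or msg.startswith("deny ")):
        return "security"
    if CONFIG_RE.search(msg):
        return "config"
    return "other"


def triage(log_text):
    """Return {'security': [...], 'config': [...], 'other': [...], 'ignored': n}."""
    buckets = {"security": [], "config": [], "other": [], "ignored": 0}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            buckets["other"].append(line)   # unparseable lines are shown, never dropped
            continue
        if is_ignored(rec["msg"]):
            buckets["ignored"] += 1
            continue
        buckets[classify(rec)].append(line)
    return buckets


def failed_auth_by_source(log_text):
    """Count BADAUTH events per (user, source); repeated failures from one
    source against one account are what a guessing run looks like."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        m = BADAUTH_RE.search(rec["msg"]) if rec else None
        if m:
            counts[(m["user"], m["src"])] += 1
    return counts


def render(buckets):
    """Lay the buckets out the way the report above does: alerts first."""
    out = ["Possible Items of Interest", "-" * 26]
    for name in ("security", "config", "other"):
        out.append("")
        out.append(f"[{name}]")
        out.extend(buckets[name] or ["(none)"])
    out.append("")
    out.append(f"{buckets['ignored']} routine lines suppressed by the ignore list")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(triage(SAMPLE_LOG)))
    for (user, src), n in failed_auth_by_source(SAMPLE_LOG).most_common():
        print(f"{n:3d} BADAUTH for {user} from {src}")
```

The ignore list is deliberately short and anchored: a pattern that is too broad silently hides the very messages this style of auditing is meant to surface, so every entry should name one known-routine message rather than a keyword.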
The report below is a shortened sample of a report generated by a firewall under actual use. The first section of the report lists electronic mail traffic, broken down by sender and by recipient and sorted by greatest usage, both in amount of data and in number of messages. Although the system logs contain information cross-referencing senders with recipients, that information is not included in the reports, to protect the privacy of the firewall's users. Summaries of the top users who authenticate to the firewall, of FTP traffic, and of network service access by type are also included.
Electronic Mail Usage
----------------------------------------------------------------
Total messages: 31955 (173357 Kb)

Top 20 mail recipients (in messages)
Messages
   Count       Kb  Address
   -----  -------  -------
     714   2411.0  avolio@tis.com
     654   1986.8  mjr@tis.com
     180    631.0  fwall-users-request@tis.com
     168    288.5  dave@tis.com
      87    259.6  firewalls@tis.com

Top 20 mail senders (in messages)
Messages
   Count       Kb  Address
   -----  -------  -------
   17146  76358.9  fwall-users-request@tis.com
    1753   4775.3  mjr@tis.com
     567   1368.1  dave@tis.com
     261    778.1  firewalls-owner@greatcircle.com
     154    433.4  avolio@tis.com

Top 20 mail recipients (in kilobytes)
Messages
   Count       Kb  Address
   -----  -------  -------
     714   2411.0  avolio@tis.com
     654   1986.8  mjr@tis.com
     180    631.0  fwall-users-request@tis.com

Top 20 mail senders (in kilobytes)
Messages
   Count       Kb  Address
   -----  -------  -------
   17146  76358.9  fwall-users-request@tis.com
    1753   4775.3  mjr@tis.com
     567   1368.1  dave@tis.com
     261    778.1  firewalls-owner@greatcircle.com

User Logins
----------------------------------------------------------------
Top 20 permitted user authentications (total: 173)
Logins  User ID
------  -------
    30  dave
     7  avolio
     5  mjr_s

Top 20 failed user authentications (total: 77)
Attempts  Username
--------  --------
       9  anonymous
       6  connect
       2  tis
       2  mjr_s
       2  guest
       2  dave
       2  bob
       2  ?
       1  whitehousr
       1  user
       1  system

Authentication Managment Operations
-----------------------------------
administrator PASSWORD mjr

FTP Proxy usage
----------------------------------------------------------------
FTP service users (total: 153)
Connects  Host/Address
--------  ------------
     120  sol.tis.com/192.33.112.100
       6  magellan.tis.com/199.171.39.124
       6  kaos.tis.com/192.33.112.218
       6  frodo.tis.com/199.171.39.94
       4  ziggy.tis.com/192.33.112.161
       3  hilo.tis.com/192.33.112.120
       2  polaris.tis.com/192.33.112.172
       2  hobbs.tis.com/199.171.39.134
       1  unknown/150.211.40.151
       1  odie.tis.com/199.171.39.132

FTP service output thruput (total Kbytes: 29568)
KBytes  Host/Address
------  ------------
 29332  kaos.tis.com/192.33.112.218
   235  sol.tis.com/192.33.112.100

FTP service input thruput (total Kbytes: 60875)
KBytes  Host/Address
------  ------------
 58925  sol.tis.com/192.33.112.100
  1133  frodo.tis.com/199.171.39.94
   397  magellan.tis.com/199.171.39.124
   257  hilo.tis.com/192.33.112.120
   128  polaris.tis.com/192.33.112.172
    17  kaos.tis.com/192.33.112.218
    14  ziggy.tis.com/192.33.112.161

Telnet/Rlogin Proxy Usage
----------------------------------------------------------------
Top 20 telnet gateway clients (total: 330)
Connects  Host/Address             Input  Output     Total
--------  ------------             -----  ------     -----
      84  sol.tis.com/192.33.1    782715   11262    793977
      78  socks.tis.com/192.94   7923948  239618   8163566
      36  fred.tis.com/192.94.  18093531  131111  18224642
      12  hilo.tis.com/192.33.    852409    5576    857985
      10  unknown/45.69.0.165     461495   13802    475297
       9  happy.tis.com/192.33      2805     381      3186
       8  otter.tis.com/192.33    449661    1461    451122
       8  magellan.tis.com/199     76980     448     77428
       6  odie.tis.com/199.171    409016    3332    412348
       4  piobmor.tis.com/192.    200561    1430    201991
       4  frodo.tis.com/199.17    503896    5903    509799
       4  eleven.tis.com/192.3      2057     459      2516

Top 20 telnet gateway clients in terms of traffic
Connects  Host/Address             Input  Output     Total
--------  ------------             -----  ------     -----
      36  fred.tis.com/192.94.  18093531  131111  18224642
      10  unknown/45.69.0.165     461495   13802    475297
      84  sol.tis.com/192.33.1    782715   11262    793977
       8  otter.tis.com/192.33    449661    1461    451122
       4  piobmor.tis.com/192.    200561    1430    201991
       2  unknown/20.2.1.193       34091     776     34867
       2  kuki.tis.com/192.33.     29699     538     30237
       4  eleven.tis.com/192.3      2057     459      2516

Network Service Connections
----------------------------------------------------------------
Top 20 network service users (total: 2038)
Connects  Host/Address
--------  ------------
     946  kaos.tis.com/192.33.112.218
     486  sol.tis.com/192.33.112.100
     135  hilo.tis.com/192.33.112.120
     106  gildor.tis.com/192.33.112.113
      79  socks.tis.com/192.94.214.158
      57  reddwarf.tis.com/192.33.112.12
      36  fred.tis.com/192.94.214.201
      30  magellan.tis.com/199.171.39.124
      15  otter.tis.com/192.33.112.117
      12  happy.tis.com/192.33.112.61
      12  frodo.tis.com/199.171.39.94
      10  unknown/45.69.0.165
       6  ziggy.tis.com/192.33.112.161
       6  polaris.tis.com/192.33.112.172
       6  localhost.tis.com/127.0.0.1
       4  relay.tis.com/192.94.214.100

Top 20 Denied network service users (total: 4)
Connects  Host/Address
--------  ------------
       3  magellan.tis.com/199.171.39.124
       1  sol.tis.com/192.33.112.100

Service Requests
Requests  Service
--------  -------
    1048  in.fingerd
     276  http-gw
     194  in.telnetd
     189  traceroute-gw
     157  in.ftpd
     151  in.rlogind
      15  whois-gw
       8  ping-gw
       4  x-gw
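The mail-usage section of the report above, as an added example that is not the firewall's own reporting code: a Python aggregator that builds the per-sender and per-recipient "top N" tables by message count and by kilobytes while keeping the two tallies in separate tables, so the sender-to-recipient pairing present in the raw log never reaches the summary. The delivery records are constructed in an assumed "from=<...> to=<...> size=N" format for illustration; the program name "mailproxy" and the addresses are sample values, not the firewall's log format.

```python
import re
from collections import defaultdict

# Constructed sample of per-message delivery records (an assumed format for
# illustration, not the firewall's own log format): one line per message
# with sender, recipient and size in bytes.
SAMPLE_MAIL_LOG = """\
Sep 23 09:01:02 gauntlet mailproxy[3001]: from=<dave@tis.com> to=<avolio@tis.com> size=2048
Sep 23 09:02:10 gauntlet mailproxy[3002]: from=<mjr@tis.com> to=<avolio@tis.com> size=10240
Sep 23 09:03:45 gauntlet mailproxy[3003]: from=<fwall-users-request@tis.com> to=<dave@tis.com> size=4096
Sep 23 09:04:00 gauntlet mailproxy[3004]: from=<fwall-users-request@tis.com> to=<mjr@tis.com> size=4096
Sep 23 09:05:30 gauntlet mailproxy[3005]: from=<mjr@tis.com> to=<dave@tis.com> size=51200
Sep 23 09:06:12 gauntlet mailproxy[3006]: from=<dave@tis.com> to=<mjr@tis.com> size=512
Sep 23 09:07:40 gauntlet mailproxy[3007]: from=<mjr@tis.com> to=<avolio@tis.com> size=1024
"""

RECORD_RE = re.compile(r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> size=(?P<size>\d+)")


def aggregate(log_text):
    """Tally messages and bytes per sender and per recipient.

    The two tallies are separate tables and the (sender, recipient) pair is
    never stored, so the summary cannot be used to work out who wrote to
    whom, which is the privacy property the report above preserves.
    """
    senders = defaultdict(lambda: [0, 0])      # address -> [messages, bytes]
    recipients = defaultdict(lambda: [0, 0])
    total_msgs = total_bytes = 0
    for line in log_text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        size = int(m["size"])
        for table, addr in ((senders, m["sender"]), (recipients, m["rcpt"])):
            table[addr][0] += 1
            table[addr][1] += size
        total_msgs += 1
        total_bytes += size
    return {
        "total_messages": total_msgs,
        "total_kb": total_bytes // 1024,
        "senders": dict(senders),
        "recipients": dict(recipients),
    }


def top(table, key, n=20):
    """Top-n rows as (messages, kb, address), ordered by 'messages' or 'kb'."""
    idx = 0 if key == "messages" else 1
    rows = sorted(table.items(), key=lambda kv: (-kv[1][idx], kv[0]))[:n]
    return [(msgs, round(nbytes / 1024, 1), addr) for addr, (msgs, nbytes) in rows]


def render(summary, n=20):
    """Lay out the four ranked tables in the style of the report above."""
    out = ["Electronic Mail Usage", "-" * 64,
           f"Total messages: {summary['total_messages']} ({summary['total_kb']} Kb)"]
    for unit, key in (("messages", "messages"), ("kilobytes", "kb")):
        for label in ("recipients", "senders"):
            out += ["", f"Top {n} mail {label} (in {unit})", "Messages",
                    f"{'Count':>8} {'Kb':>9}  Address",
                    f"{'-----':>8} {'-------':>9}  -------"]
            for msgs, kb, addr in top(summary[label], key, n):
                out.append(f"{msgs:8d} {kb:9.1f}  {addr}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(aggregate(SAMPLE_MAIL_LOG)))
```

Because the pairing is dropped at aggregation time rather than at print time, the privacy property holds even if the summary dictionary is later exported or archived; only the raw log, which should be access-controlled separately, carries the cross-reference.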