Thread Info
  • State Not Answered
  • +3 person also asked this people also asked this
  • Locked Locked
  • Replies 3 replies
  • Subscribers 30 subscribers
  • Views 1485 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Log system generated traffic

NateP

Related to this SQL Injection attack that was found last week.  I searched my Graylog server and only see incoming connections from the Additional Attack Host going to NAT servers and not my User Portal.  I have the IPs they accessed NATed (80/443) to other web servers so I don't think the User Portal would have been accessible on those IP.

I don't see any outgoing traffic from the scripts being downloaded, so I think this is a false positive for me.

To test this, I SSH to the firewall and ping stuff, run 'nc hostname <port>' to create some test connections from the shell.  None of these activities are shown in logs.  I created a new MASQ rule that is sourced from ANY zone, Any source, to the WAN and still don't see this activity logged.  This is concerning to me, if another attack like this happened how do we have a "trail" so we can see what happened?  Logging in this OS is horrible, I can't understand how it could be for a firewall appliance.

 

TL;DR:  How do we log system generated traffic?



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to FormerMember

    Hi  

    I am looking for network traffic that sourced from the firewall itself.  Such as a script running from shell, or in the advanced console running ping, etc.  I never see this in my external Syslog server (which I am sending all events).  it would be nice to be able to track this so that we could see if the device was talking to known C2 servers, etc.  What am I missing?  Is this not possible?

     

    Thanks

  • 0 in reply to NateP

    Hi NateP - I'm also trying to find this sort of data in logs, and I can't find it either.  I used WGET to download some random pictures from a website, and I can't find this logged anywhere.  We also have netflow sending out to 2 different analyzers and neither of them show what I did from the console. 

    My conclusion is that if you want to get some sort of idea about what the firewall itself is up to, you would have to monitor it externally, on the WAN side.  Obviously, this is not the ideal solution.