Netgate Discussion Forum

Making sense of the firewall log?

  • Mr. Jingles
    last edited by Jun 30, 2013, 10:16 AM

    G'day all  ;D

    My PFS has been running extremely smoothly for weeks now; I am again so happy to have gone this route; everything simply works. So once again thank you very much to the community  :P

    I do have a question: when I used the old, retail, firewall/routers in my home, there was always some sort of categorization of firewall log messages that I, a noob in these matters, could simply understand. I don't recall which old machine had it, but one clearly showed 'attack' or 'non-attack'. The current firewall logs (status/system logs/firewall) show information about blocked connections, but no more. Is there a way (preferably via the GUI, as I am a noob  ;D) to see when I am attacked, or port scanned, and such?

    Thank you in advance for your answer  ;),

    Bye,

    6 and a half billion people know that they are stupid, aggressive, lower life forms.

    • doktornotor Banned
      last edited by Jun 30, 2013, 10:53 AM

      There is no way for the packet filter to know what is an attack. The traffic is (basically) allowed or blocked depending on the rules. There are packages to do what you want, such as Snort, coming with loads of false positives, constant babysitting and huge resource consumption. Definitely suitable for "noob".

      • stephenw10 Netgate Administrator
        last edited by Jun 30, 2013, 12:06 PM

        It's hard to say quite how SOHO routers determine what is an 'attack' rather than the odd stray packet. pfSense only logs blocked packets by default. Technically you could consider all unsolicited incoming traffic as an attack. Like Doktornotor said, a tool like Snort would usually be used to detect traffic patterns that might indicate unwanted activity. You could export the logs to a syslog server and run a log analyser, say fwanalog or hatchet. I'm sure there are other more GUI friendly alternatives. It may be possible to run fwanalog on the pfSense box.  :-\

        Steve

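The kind of check a log analyser performs on exported block entries, as an added example that is not part of any post in this thread and is not code from fwanalog, hatchet or pfSense: it flags a source as a probable port scan when it is blocked on several distinct destination ports within a short time window. The six-field line layout, the function names and the thresholds are assumptions made for this illustration, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed, normalized layout (NOT pfSense's native
# log format): ISO timestamp, action, protocol, source IP, dest IP, dest port.
SAMPLE_LOG = """\
2013-06-30T10:00:01 block tcp 203.0.113.7 198.51.100.2 21
2013-06-30T10:00:02 block tcp 203.0.113.7 198.51.100.2 22
2013-06-30T10:00:02 pass tcp 192.0.2.10 198.51.100.2 443
2013-06-30T10:00:03 block tcp 203.0.113.7 198.51.100.2 23
2013-06-30T10:00:04 block tcp 203.0.113.7 198.51.100.2 80
2013-06-30T10:00:05 block tcp 203.0.113.7 198.51.100.2 443
2013-06-30T10:05:00 block tcp 192.0.2.44 198.51.100.2 23
2013-06-30T11:00:00 block udp 198.51.100.99 198.51.100.2 53
2013-06-30T12:00:00 block udp 198.51.100.99 198.51.100.2 123
2013-06-30T13:00:00 block udp 198.51.100.99 198.51.100.2 161
truncated line
"""

def parse(line):
    """Split one normalized line into (time, action, src, dport); ValueError if malformed."""
    ts, action, _proto, src, _dst, dport = line.split()
    return datetime.fromisoformat(ts), action, src, int(dport)

def find_scanners(lines, min_ports=5, window=timedelta(seconds=60)):
    """Map each source blocked on >= min_ports distinct ports within `window` to those ports."""
    blocked = defaultdict(list)
    for line in lines:
        try:
            ts, action, src, dport = parse(line)
        except ValueError:
            continue  # skip blank or truncated lines instead of aborting
        if action == "block":
            blocked[src].append((ts, dport))
    scanners = {}
    for src, events in blocked.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG.splitlines()))
```

A single blocked packet, or a few probes spread over hours, stays below the threshold, so most stray traffic is not reported; lowering `min_ports` or widening `window` catches slower scans at the cost of more false positives.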
        • Mr. Jingles
          last edited by Jul 2, 2013, 3:07 PM

          Thank you both for your answer, I will digest it  ;D

          6 and a half billion people know that they are stupid, aggressive, lower life forms.
