Firewall Log Analysis

Understanding & Analyzing Firewall Data for Security Monitoring

WRAP Module - Extends Firewall Builder

From Rule Building to Log Analysis

While the Firewall Builder teaches you to create defensive rules, as a SOC analyst you'll spend more time reading and interpreting firewall logs to detect threats.

Rule Building

Network Admin Task

  • Configure policies
  • Allow/Block traffic
  • Proactive defense

Log Analysis

SOC Analyst Task

  • Review blocked traffic
  • Identify attack patterns
  • Reactive detection

Firewall Log Formats

Firewalls log in different formats depending on the product. SOC analysts must be comfortable with all of them.

iptables (kernel syslog):
Jan  4 14:32:15 firewall kernel: DROP IN=eth0 OUT= MAC=00:0c:29:1a:2b:3c:00:50:56:c0:00:08:08:00
SRC=203.0.113.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=54321 DF
PROTO=TCP SPT=45678 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0

UFW:
Jan  4 14:32:15 server kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:0c:29:1a:2b:3c
SRC=203.0.113.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=45 ID=54321
DF PROTO=TCP SPT=45678 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0

JSON (structured):
{
  "timestamp": "2024-01-04T14:32:15.000Z",
  "action": "DROP",
  "src_ip": "203.0.113.50",
  "dst_ip": "192.168.1.10",
  "protocol": "TCP",
  "src_port": 45678,
  "dst_port": 22,
  "interface": "eth0",
  "flags": ["SYN"],
  "rule_id": "INPUT_DROP_SSH"
}

CEF (Common Event Format):
CEF:0|Linux|iptables|1.0|DROP|SSH Connection Attempt|7|
src=203.0.113.50 spt=45678 dst=192.168.1.10 dpt=22
proto=TCP deviceInboundInterface=eth0 act=DROP

Key Log Fields for SOC Analysis

Field   | What to Look For                                          | Example
SRC     | Source IP - who's attacking? External or internal?        | 203.0.113.50 (external)
DST     | Destination - what asset are they targeting?              | 192.168.1.10 (web server)
DPT     | Destination port - what service are they probing?         | 22 (SSH), 3389 (RDP), 445 (SMB)
PROTO   | Protocol - TCP scans vs UDP floods vs ICMP recon          | TCP, UDP, ICMP
Action  | DROP = silently blocked, REJECT = blocked with response   | DROP, ACCEPT, REJECT
Flags   | TCP flags reveal scan types (SYN scan, NULL scan, etc.)   | SYN, FIN, RST, ACK

Interactive Log Viewer

Practice analyzing firewall logs like a SOC analyst. Filter by action type to focus on specific events.

Log Analysis Workflow

1. Aggregate - Collect logs from all firewalls into the SIEM
2. Normalize - Convert the different formats to a common schema
3. Correlate - Match events across multiple sources
4. Analyze - Identify patterns and anomalies
5. Alert - Create rules for automated detection
6. Respond - Block IPs, tune rules, document findings

Essential Log Analysis Commands

# Count dropped packets by source IP. UFW lines carry "[UFW BLOCK]" rather than "DROP", and
# extracting SRC= by name is more robust than a fixed awk field, which shifts when the kernel prints an uptime stamp
grep -E "DROP|BLOCK" /var/log/ufw.log | grep -oP 'SRC=\K[\d.]+' | sort | uniq -c | sort -rn | head -20

# Count all SSH attempts (port 22 exactly, not 220 or 2222)
grep -cE 'DPT=22( |$)' /var/log/kern.log

# Find potential port scans: source IPs that touched more than 100 distinct destination ports
grep -E "DROP|BLOCK" /var/log/ufw.log | awk '{s=d=""; for(i=1;i<=NF;i++){if($i~/^SRC=/)s=$i; if($i~/^DPT=/)d=$i} if(s&&d)print s,d}' | sort -u | awk '{print $1}' | uniq -c | awk '$1 > 100'

# View real-time firewall logs
tail -f /var/log/ufw.log | grep --color -E "DROP|BLOCK"

# Extract unique destination ports being probed
grep -E "DROP|BLOCK" /var/log/ufw.log | grep -oP 'DPT=\K\d+' | sort -n | uniq -c | sort -rn

Common Attack Patterns in Firewall Logs

Learn to recognize these patterns when reviewing firewall data.

Port Scan

A single source IP hitting many different ports in a short time frame.

Example: SRC=203.0.113.50 → DPT=21,22,23,25,53,80,443...

Detection: 10+ ports from the same IP in 60 seconds

Severity: Medium

SSH Brute Force

Repeated connection attempts to port 22 from the same source.

Example: SRC=198.51.100.25 DPT=22 (100+ times)

Detection: 20+ SSH attempts in 5 minutes

Severity: High

SYN Flood

A large volume of SYN packets that never complete the handshake (DoS).

Example: PROTO=TCP SYN (1000s/sec, no ACK)

Detection: High SYN rate with few ESTABLISHED connections

Severity: High

Targeted Service Probe

Multiple IPs all hitting the same sensitive port.

Example: *.*.*.* → DPT=3389 (RDP) from 50+ IPs

Detection: Many sources, one destination port

Severity: Medium

Reverse Shell Attempt

Outbound connection to unusual ports (4444, 5555).

Example: DST=attacker.com DPT=4444 PROTO=TCP

Detection: Internal → External on non-standard ports

Severity: High

ICMP Reconnaissance

Ping sweep across a subnet to discover live hosts.

Example: PROTO=ICMP → 192.168.1.1-254

Detection: Sequential ICMP to an IP range

Severity: Low
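As an added example that is not part of this module, the Python below ties the Normalize step and the detection thresholds together: it parses iptables and UFW kernel syslog lines into the JSON-style schema from the Firewall Log Formats section, then applies the Port Scan (10+ ports from one IP in 60 seconds) and SSH Brute Force (20+ attempts in 5 minutes) rules with a sliding window over constructed sample lines. The year (syslog lines carry none), the hostname fw, the sample traffic and the BLOCK-to-DROP action mapping are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Header of an iptables/UFW kernel line: optional "[uptime] " stamp, then "[UFW BLOCK]" or a bare action word.
HEADER_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ kernel: (?:\[ *[\d.]+\] )?(?:\[UFW (\w+)\]|(\w+)) ")
KV_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S*)")

def parse_line(line, year=2024):  # one syslog-format line -> the JSON-style schema above; None if not a firewall event
    m = HEADER_RE.match(line)
    if not m:
        return None
    mon, day, clock, ufw_action, action = m.groups()  # syslog omits the year, so the caller supplies it
    kv, act = dict(KV_RE.findall(line)), ufw_action or action
    return {"timestamp": datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S"),
            "action": {"BLOCK": "DROP", "ALLOW": "ACCEPT"}.get(act, act),  # assumption: UFW verb -> iptables action
            "src_ip": kv.get("SRC"), "dst_ip": kv.get("DST"), "protocol": kv.get("PROTO"),
            "src_port": int(kv["SPT"]) if kv.get("SPT") else None, "dst_port": int(kv["DPT"]) if kv.get("DPT") else None}

def window_hits(events, window_s, threshold, key_fn, distinct):
    # Per source IP, fire when `threshold` events (or distinct keys) fall inside any `window_s`-second window.
    by_src = defaultdict(list)
    for e in events:
        k = key_fn(e)
        if k is not None:  # key_fn returns None for events this detector ignores
            by_src[e["src_ip"]].append((e["timestamp"], k))
    hits = []
    for src, items in by_src.items():
        items.sort()
        start = 0
        for end, (t_end, _) in enumerate(items):
            while t_end - items[start][0] > timedelta(seconds=window_s):
                start += 1  # slide the window forward past stale events
            seen = {k for _, k in items[start:end + 1]} if distinct else items[start:end + 1]
            if len(seen) >= threshold:
                hits.append(src)
                break
    return sorted(hits)
def detect_port_scans(events):  # page threshold: 10+ ports from the same IP in 60 seconds
    return window_hits(events, 60, 10, lambda e: e["dst_port"], distinct=True)
def detect_ssh_brute_force(events):  # page threshold: 20+ SSH attempts in 5 minutes
    return window_hits(events, 300, 20, lambda e: 22 if e["dst_port"] == 22 else None, distinct=False)
def _line(ts, src, dpt, prefix="DROP"):  # constructed sample line in the page's syslog format
    return (f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} fw kernel: {prefix} IN=eth0 OUT= MAC=00:0c:29:1a:2b:3c "
            f"SRC={src} DST=192.168.1.10 LEN=60 TTL=45 PROTO=TCP SPT=45678 DPT={dpt} WINDOW=65535 SYN URGP=0")

T0 = datetime(2024, 1, 4, 14, 32, 15)
SAMPLE_LINES = ([_line(T0 + timedelta(seconds=i), "203.0.113.50", 21 + i) for i in range(12)]  # 12 ports in 11 s
                + [_line(T0 + timedelta(minutes=8, seconds=10 * i), "198.51.100.25", 22, "[UFW BLOCK]") for i in range(25)])
EVENTS = [e for e in map(parse_line, SAMPLE_LINES) if e]
```

Running detect_port_scans(EVENTS) and detect_ssh_brute_force(EVENTS) flags the scanning and brute-forcing sources respectively; the same functions accept lines read from /var/log/ufw.log or /var/log/kern.log.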

SOC Response Actions

Pattern Detected | Immediate Response                          | Long-term Action
Port Scan        | Log for intelligence, monitor for follow-up | Add to threat intel, consider geo-blocking
Brute Force      | Temporary IP block (fail2ban)               | Implement rate limiting, require MFA
SYN Flood        | Enable SYN cookies, contact upstream        | DDoS mitigation service, capacity planning
Targeted Probe   | Verify service not exposed, alert admin     | Review firewall rules, minimize exposure
Reverse Shell    | ISOLATE host immediately, preserve evidence | Full IR process, endpoint remediation

Firewall Log Analysis Assessment

Test your ability to interpret firewall data like a SOC analyst.
