Advertisement
joemccray

Palo Alto Log Analysis

Sep 5th, 2018
600
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 1.95 KB | None | 0 0
  1. ##########################
  2. # Palo Alto Log Analysis #
  3. ##########################
  4. References:
  5. https://stateofsecurity.com/?p=4016
  6.  
  7.  
  8. #######################
  9. # Core Linux Commands #
  10. #######################
  11. cat
  12. grep
  13. Including, the ever useful grep -v (inverse grep, show me the lines that don't match my pattern)
  14. awk
  15. particularly: awk 'BEGIN { FS = ","} ; {print $x, $y}' which prints specific columns in CSV files
  16. sort
  17. sort -n (numeric sort)
  18. sort -r (reverse sort, descending)
  19. uniq
  20. uniq -c (count the numbers of duplicates, used for determining "hit rates" or frequency, etc.)
  21.  
  22.  
  23.  
  24. First, for my project, I made use of the following field #’s in the text analysis, pulled from the log header for sequence:
  25. $8 (source IP)
  26. $9 (dest IP)
  27. $26 (dest port)
  28. $15 (AppID)
  29. $32 (bytes)
  30.  
  31.  
  32.  
  33. OK, so I will get you started, here are a few of the more useful command lines I used for my quick and dirty analysis:
  34. cat log.csv | awk 'BEGIN { FS = ","} ; {print $8,$9,$26}' | sort | uniq -c | sort -n -r > hitrate_by_rate.txt
  35.  
  36. this one produces a list of Source IP/Dest IP/Dest Port unique combinations, sorted in descending order by the number of times they appear in the log
  37. cat log.csv | awk 'BEGIN { FS = ","} ; {print $8,$9}' | sort -n | uniq -c | sort -n -r > uniqpairs_by_hitrate.txt
  38.  
  39. this one produces a list of the uniq Source & Destination IP addresses, in descending order by how many times they talk to each other in the log (note that their reversed pairings will be separate, if they are present – that is if A talks to B, there will be an entry for that, but if B initiates conversations with A, that will be a separate line in this data set)
  40. cat log.csv | awk 'BEGIN { FS = ","} ; {print $15}' | sort | uniq -c | sort -n -r > appID_by_hitrate.txt
  41.  
  42. this one uses the same exact techniques, but now we are looking at what applications have been identified by the firewall, in descending order by number of times that application identifier appears in the log
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement