Firewall Logs

Firewall logs are one of the highest-value network telemetry sources in SOC operations. They reveal every inbound and outbound connection attempt, blocked traffic, allowed traffic, port scans, intrusion attempts, application-layer attacks, and internal lateral movement.
While endpoint logs show what ran on a machine, firewall logs show how the attacker communicated, moved laterally, scanned the environment, or exfiltrated data.

This chapter explains firewall logs with full-scale, ultra-practical SOC depth, including raw log samples, field interpretation, protocol behavior, detection patterns, SIEM queries, and complete attack timelines.


What Firewall Logs Contain

A firewall logs:

  • Source IP

  • Destination IP

  • Source port

  • Destination port

  • Protocol (TCP/UDP/ICMP)

  • Action (ALLOW / ACCEPT / DROP / DENY / REJECT)

  • NAT mappings

  • Zone information (internal/external)

  • Bytes transferred

  • Reason for block

  • Firewall policy name

  • Threat signatures (if NGFW)

Firewalls act as the first line of visibility against external attackers.


Where Firewall Logs Come From

Different firewalls structure their logs differently, but a SOC typically receives logs from:

  • iptables / nftables (Linux firewalls)

  • UFW (Ubuntu firewall)

  • firewalld

  • Palo Alto Networks firewall

  • FortiGate

  • Cisco ASA / FTD

  • Sophos

  • Check Point

  • Cloud firewalls (AWS, Azure, GCP)

All of these formats are normalized into a common field schema when they are ingested into the SIEM.


Raw Firewall Log Samples (SOC-Level)

Below are real attack logs, exactly as SOC analysts see them.


1. Blocked External SSH Brute Force

Jan 10 02:11:33 firewall kernel: DROP IN=eth0 OUT= MAC=... SRC=185.22.11.44 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=55412 DPT=22 SYN

Interpretation:

  • External IP attacking SSH (port 22)

  • DROP action → firewall blocked it

  • SYN only → scanning or brute force


2. Allowed SSH Connection (Potential Compromise)

Jan 10 02:15:09 firewall ACCEPT IN=eth0 SRC=185.22.11.44 DST=10.0.0.5 PROTO=TCP SPT=55418 DPT=22

Interpretation:

  • Attacker successfully reached the SSH service

  • Combine with auth.log → confirm compromise


3. Port Scan (nmap) Detection

Jan 10 02:20:12 firewall DROP IN=eth0 SRC=185.33.10.25 DST=10.0.0.5 PROTO=TCP DPT=80 SYN
Jan 10 02:20:12 firewall DROP IN=eth0 SRC=185.33.10.25 DST=10.0.0.5 PROTO=TCP DPT=443 SYN
Jan 10 02:20:12 firewall DROP IN=eth0 SRC=185.33.10.25 DST=10.0.0.5 PROTO=TCP DPT=21 SYN

Interpretation:

  • Rapid attempts to multiple ports → port scanning

  • Likely attacker reconnaissance


4. Outbound C2 Communication

Jan 10 02:30:44 firewall ACCEPT OUT=eth0 SRC=10.0.0.5 DST=91.22.113.10 PROTO=TCP DPT=443

Interpretation:

  • Malware calling out to C2

  • Destination unknown/untrusted IP

  • Outbound allowed → potential data exfiltration


5. Large Data Transfer Outbound

Jan 10 02:35:12 firewall ACCEPT OUT=eth0 SRC=10.0.0.5 DST=91.22.113.10 LEN=2452134 PROTO=TCP

Interpretation:

  • Large payload leaving internal network

  • Possible exfiltration


6. Malware Calling Malicious Domain

Jan 10 02:41:09 firewall ACCEPT OUT=eth0 SRC=10.0.0.5 DST=evil-malware.ru

Interpretation:

  • Domain with known malicious reputation

  • Indicates infection


7. Lateral Movement Inside Network

Jan 10 02:50:22 firewall FORWARD IN=eth1 OUT=eth2 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=445

Interpretation:

  • SMB traffic inside LAN

  • If unexpected, attacker moving laterally


Firewall Log Fields and Interpretation

When analyzing firewall logs, SOC analysts look at:

1. Source IP

Internal or external?
Is it authorized?

2. Destination IP

Critical asset? Database? Domain controller?

3. Ports

  • 22 → SSH

  • 3389 → RDP

  • 445 → SMB (lateral movement)

  • 80/443 → Web

  • 53 → DNS

  • Random high ports → malware callback

4. Action

  • ALLOW → traffic passed

  • DROP/DENY → blocked

  • REJECT → blocked, and the sender is notified (TCP RST or ICMP unreachable)

5. Bytes transferred

Unusually large outbound byte counts → possible data exfiltration.

6. Frequency

Rapid attempts → scanning or brute force.

7. NAT translations

Needed to map a translated address back to the real source or destination in cloud and reverse-proxy investigations.


Attack Behavior Visible in Firewall Logs

Firewall logs reveal numerous attacker techniques.


1. External Reconnaissance (Scanning)

Rapid attempts to many ports:

DPT=21, 22, 80, 443, 3306

2. Brute Force Attempts

Repeated inbound SSH/RDP attempts:

SRC=185.* DPT=22
SRC=185.* DPT=3389

3. Successful Reachability of Internal Services

ACCEPT SRC=185.* DPT=22

Firewall allowed → attacker now hitting the service.


4. Malware C2 (Command and Control)

Outbound traffic to suspicious IP:

DST=91.22.113.10 DPT=443

If host never contacted that IP → suspicious.


5. Lateral Movement

Internal traffic:

SRC=10.0.0.22 DST=10.0.0.10 DPT=445

445/139 = SMB
5985/5986 = WinRM
22 = SSH pivoting


6. Data Exfiltration

Large outbound:

LEN>2,000,000

Destination not in whitelist → critical incident.


7. Command Execution via Reverse Shell

Firewall catches:

OUTBOUND to attacker IP on high port

Example:

SRC=10.0.0.5 DST=185.22.44.11 DPT=4444

8. Web Application Attacks (NGFW Only)

If using Palo Alto / FortiGate:

THREAT:websqlinjection
THREAT:high

Shows web exploitation attempts.


SIEM Queries (Practical)

Detect SSH brute force

DPT=22 AND action:DROP AND src_ip:<same_ip>

Detect port scanning

action:DROP AND count(distinct DPT) > 10 within 1 minute

Detect C2 traffic

action:ACCEPT AND dst_ip NOT IN internal_range AND dst_ip IN threat_intel

Detect data exfiltration

LEN > 1000000 AND action:ACCEPT AND dst NOT IN whitelisted

Detect lateral movement

src_ip:10.* AND dst_ip:10.* AND DPT:(445 OR 22 OR 3389)
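The five queries above, implemented as an added Python example (not from this chapter or any SIEM product): it parses iptables-style lines like the samples in this chapter into fields and runs each rule over a constructed log. The internal range (10.0.0.0/8), the thresholds (5 drops, more than 10 ports in one minute, 1,000,000 bytes) and the one-entry threat-intel feed are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the page's 10.x hosts form the internal range
ACTIONS = {"ACCEPT", "ALLOW", "DROP", "DENY", "REJECT"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # matches SRC=..., DST=..., DPT=..., LEN=... and an empty OUT=
def parse_line(line):  # iptables-style line -> {"ts", "action", "SRC", "DST", "DPT", "LEN", ...}
    tokens = line.split()
    rec = {"ts": datetime.strptime(" ".join(tokens[:3]), "%b %d %H:%M:%S"),
           "action": next((t for t in tokens if t in ACTIONS), None)}  # None for bare FORWARD lines
    rec.update(m.groups() for m in map(FIELD_RE.fullmatch, tokens) if m)
    return rec

def is_internal(addr):
    try:
        return ip_address(addr) in INTERNAL
    except ValueError:  # an NGFW may log a hostname in DST (sample 6 above); treat it as external
        return False

def ssh_brute_force(recs, min_hits=5):  # DPT=22 AND action:DROP, repeated from the same src_ip
    hits = Counter(r["SRC"] for r in recs if r["action"] == "DROP" and r.get("DPT") == "22")
    return {src for src, n in hits.items() if n >= min_hits}

def port_scans(recs, min_ports=10):  # action:DROP AND count(distinct DPT) > 10 within 1 minute
    buckets = defaultdict(set)  # (src, minute) -> distinct destination ports
    for r in recs:
        if r["action"] == "DROP" and "DPT" in r:
            buckets[(r["SRC"], r["ts"].replace(second=0))].add(r["DPT"])
    return {src for (src, _), ports in buckets.items() if len(ports) > min_ports}

def c2_callbacks(recs, threat_intel=frozenset({"91.22.113.10"})):  # constructed intel feed
    return {(r["SRC"], r["DST"]) for r in recs  # action:ACCEPT AND dst external AND dst in intel
            if r["action"] == "ACCEPT" and not is_internal(r["DST"]) and r["DST"] in threat_intel}

def exfiltration(recs, min_bytes=1_000_000, allowlist=frozenset()):  # LEN > 1000000, not allow-listed
    return {(r["SRC"], r["DST"], int(r["LEN"])) for r in recs if r["action"] == "ACCEPT"
            and int(r.get("LEN", 0)) > min_bytes and r["DST"] not in allowlist}

def lateral_movement(recs, ports=("445", "22", "3389")):  # src_ip:10.* AND dst_ip:10.* AND pivot DPT
    return {(r["SRC"], r["DST"], r["DPT"]) for r in recs
            if r.get("DPT") in ports and is_internal(r["SRC"]) and is_internal(r["DST"])}

SAMPLE_LOG = [  # constructed lines modelled on the samples above; not real traffic
    *(f"Jan 10 02:11:{33 + i} firewall kernel: DROP IN=eth0 OUT= SRC=185.22.11.44 DST=10.0.0.5 PROTO=TCP DPT=22 SYN" for i in range(5)),
    *(f"Jan 10 02:20:12 firewall kernel: DROP IN=eth0 OUT= SRC=185.33.10.25 DST=10.0.0.5 PROTO=TCP DPT={p} SYN" for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389)),
    "Jan 10 02:35:12 firewall ACCEPT OUT=eth0 SRC=10.0.0.5 DST=91.22.113.10 LEN=2452134 PROTO=TCP DPT=443",
    "Jan 10 02:50:22 firewall FORWARD IN=eth1 OUT=eth2 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=445",
]
```

Parse SAMPLE_LOG with parse_line and pass the records to each rule; each returns the offending sources or source/destination pairs, which is what a SIEM alert would carry.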

Complete Attack Timeline Using Firewall Logs

Step 1 — Attacker Scans the Server

DROP SRC=185.22.10.11 DPT=22,80,443,3306

Step 2 — Finds SSH Open

ACCEPT SRC=185.22.10.11 DPT=22

Step 3 — Brute Force Begins

(auth.log shows failures)

Step 4 — Compromise Confirmed

Firewall:

ACCEPT SRC=185.22.10.11 DPT=22

auth.log:

Accepted password for root

Step 5 — Malware Download

Firewall:

OUTBOUND DST=91.22.113.10 DPT=80

Step 6 — C2 Communication

OUTBOUND to DST 91.22.113.10:443 every 30 seconds

Step 7 — Lateral Movement

INTERNAL SMB: 10.0.0.5 → 10.0.0.22

Step 8 — Data Exfiltration

OUTBOUND LEN=4,500,000 to suspicious IP

Firewall logs expose the entire kill chain.


Analyst Workflow With Firewall Logs

  1. Identify suspicious external IPs

  2. Check inbound blocked/allowed patterns

  3. Confirm open services

  4. Check for scanning behavior

  5. Check successful connections

  6. Correlate with OS logs (SSH, RDP, processes)

  7. Examine outbound traffic for C2 or exfiltration

  8. Evaluate internal connections for lateral movement

  9. Build a timeline

  10. Escalate if malicious

Firewall logs are essential for network-level threat intelligence and detection.


Intel Dump

  • Firewall logs capture traffic metadata: IPs, ports, protocols, actions, and bytes.

  • Reveal brute force, scanning, C2 traffic, lateral movement, malware downloads, and exfiltration.

  • Raw logs include fields like SRC, DST, DPT, SPT, PROTO, LEN, and ACTION.

  • SIEM queries detect repeated failures, unknown outbound connections, high-volume transfers, and internal pivoting.

  • Firewall logs uncover complete attack flows from initial recon to lateral movement and exfiltration.
