Security Basics mailing list archives
RE: Automated analysis of logs?
From: "Kinsey, Robert" <Robert.Kinsey () Veridian com>
Date: Mon, 14 Apr 2003 14:58:07 -0700
I agree, Jon, that using something to "clean up" the alert logs is a generally good thing (tm). I am more concerned with the tendency for folks to "de-tune" based on certain criteria. For example, you may permit anonymous FTP logins from certain locations (other offices within the company), but what about the others? Trying to concoct a rule to grep out only those that are NOT from within the allowed ranges would be overwhelming. In some cases reading the raw logs would be beneficial - not in all cases, however. A simple probe would be improved if you could just log (and then grep) the number of probing attempts from IP x and show what IPs or ports they tried to hit. In some ways the newer IDS tools do this well (again, for raw analysis and correlation), but I have yet to see one that gave you the firehose WITH correlation very well.

Regards,
Robert Kinsey

-----Original Message-----
From: Jon Pastore
To: Kinsey, Robert; security-basics () securityfocus com
Sent: 4/13/03 6:06 AM
Subject: Re: Automated analysis of logs?

Fair statement, but if you reverse the process of your scripts to output unknown or exceptions, this will speed up the under-funded IT dept's efforts in log analysis... I don't have time to look @ logs all day... I'd rather eat pain killers; they'd be more fun and I'd fall asleep just as fast =) My eyes start to glaze over after a few thousand lines =)

I guess really it's all in the logic of your analysis tools and what you're trying to analyze. Most tools are designed for the intent of trending for proactive IT efforts. Security-based scripts for analysis should be effective and I think, if properly coded, would help in expediting an attack or misuse or exploit.

-Jon

-------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hands-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 feature 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. www.blackhat.com
-------------------------------------------------------------------
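The two filters the exchange above talks about, as an added example that is not part of the original thread: anonymous FTP logins reported only when the source is outside the allowed office ranges (Jon's "output the exceptions"), and a per-source-IP count of probe attempts with the addresses and ports touched (Robert's "log and then grep"). The log line format, the allowed ranges and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed assumption: office ranges allowed to use anonymous FTP.
ALLOWED_RANGES = [ipaddress.ip_network("10.1.0.0/16"),
                  ipaddress.ip_network("192.168.50.0/24")]

# Constructed sample log in an assumed "KIND src= dst= port= [user=]" shape.
SAMPLE_LOG = """\
FTP-LOGIN src=10.1.4.7 dst=10.1.0.21 port=21 user=anonymous
FTP-LOGIN src=203.0.113.9 dst=10.1.0.21 port=21 user=anonymous
FTP-LOGIN src=198.51.100.3 dst=10.1.0.21 port=21 user=rkinsey
DROP src=203.0.113.9 dst=10.1.0.21 port=22
DROP src=203.0.113.9 dst=10.1.0.22 port=23
DROP src=203.0.113.9 dst=10.1.0.22 port=445
DROP src=192.168.50.12 dst=10.1.0.21 port=80
"""

LINE_RE = re.compile(r"^(?P<kind>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"port=(?P<port>\d+)(?: user=(?P<user>\S+))?$")

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def anonymous_ftp_exceptions(log_text):
    """Anonymous FTP logins whose source is NOT in any allowed range;
    inverting an allow-list is simpler than grepping for 'everything else'."""
    hits = []
    for e in parse(log_text):
        if e["kind"] == "FTP-LOGIN" and e["user"] == "anonymous":
            src = ipaddress.ip_address(e["src"])
            if not any(src in net for net in ALLOWED_RANGES):
                hits.append(e["src"])
    return hits

def probe_summary(log_text, min_events=2):
    """Per source IP: number of dropped packets and the sorted (dst, port)
    pairs it touched; sources with fewer than min_events are left out as noise."""
    counts = defaultdict(int)
    targets = defaultdict(set)
    for e in parse(log_text):
        if e["kind"] == "DROP":
            counts[e["src"]] += 1
            targets[e["src"]].add((e["dst"], int(e["port"])))
    return {ip: (counts[ip], sorted(targets[ip]))
            for ip in counts if counts[ip] >= min_events}
```

Running both functions over a real firewall or FTP log only needs the regular expression and the allowed ranges adjusted to the local format.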
Current thread:
- Automated analysis of logs? Mark G. Spencer (Apr 08)
- Re: Automated analysis of logs? K. K. Mookhey (Apr 09)
- Re: Automated analysis of logs? Tomasz Onyszko (Apr 10)
- <Possible follow-ups>
- RE: Automated analysis of logs? Moeckel, Sharon (Apr 09)
- Event correlation and log Analysis techniques? Dr. S. A. Vetha Manickam (Apr 10)
- Re: Automated analysis of logs? H Carvey (Apr 09)
- RE: Automated analysis of logs? Trevor Cushen (Apr 10)
- RE: Automated analysis of logs? Kinsey, Robert (Apr 12)
- Re: Automated analysis of logs? Jon Pastore (Apr 14)
- RE: Automated analysis of logs? Kinsey, Robert (Apr 15)