Firewall Wizards mailing list archives

RE: Log checking?


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 01 Oct 2004 11:11:41 -0400

Paul D. Robertson wrote:
> There's a good case to be made for logging *everything*- but there are
> mitigating concerns (it's all discoverable, there's a lot of it, you need
> to be able to deal with the analysis...)

Ranum's first law of Log Analysis:
        - Never keep more than you can conceive of possibly looking at
Ranum's second law of Log Analysis:
        - The number of times an uninteresting thing happens is an interesting
                thing
Ranum's third law of Log Analysis:
        - Keep everything you possibly can except for where you come
                into conflict with the First Law

[#insert plug for my log analysis tutorial at USENIX and SANS
see http://www.loganalysis.org/news/tutorials for details]

> While I generally recommend folks log as much as possible, with specific
> sunsets on retention, if you have 5,000 script kiddie attacks a day, you
> tend to evaluate where and what logging is important in a different light.

The number of times an uninteresting thing happens is an interesting
thing. The number 5,000 in your example above is an interesting
number and you wouldn't have it available to you if you hadn't
counted it. It might, for example, be interesting if it went to 10,000.
It might be even MORE interesting if it went to 0. ;)

> Now, if you're not sued often, the idea of discoverable information may
> not be all that much of an issue- but if you've dealt with fulfilling
> discovery motions, you'll not want to have to excerpt terabytes of logs
> for every fishing expedition a lawyer might mount.

1) Judges are getting a lot better about not allowing massive
        fishing expeditions
2) Who cares if someone wants to discover what you rightly
        describe as "script kiddie" activity? Give 'em a terabyte
        and let them have fun with it!

The problem is that you're not analyzing the problem methodically.
If you care about that kind of stuff, just keep internal logs differently
from external, etc. You might just keep counts of one type of
data, versus actual data in another case - and you need to make
these decisions rationally based on your site's security
needs, bandwidth usage, event load, and legal concerns - not
just because someone on Firewall-Wizards said to or not to. ;)

> Only you can make a determination for your organization if say logging
> automated probes where there are no accessible systems is "worth it."

Right!

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
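The "keep counts of one type of data versus actual data in another" split, and the "uninteresting things become interesting when their count moves" idea, are easy to show in code. The example below is an added illustration and is not code from the thread or from either poster. It assumes a netfilter/iptables-style syslog DROP line format, the RFC 1918 ranges as "internal", and a constructed two-day sample; it keeps full records only for events with internal sources, keeps per-day counts keyed by protocol/port for everything external, and then flags any count that doubled, halved, appeared, or went to zero between the two days.

```python
"""Count-based log triage (added example, not from the thread).

Internal-source events are retained in full; external probe noise is reduced
to per-day counts; a day's counts are compared against the previous day so
that a count that doubles, halves, appears or disappears gets flagged.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in an assumed iptables-style syslog format.
# Day 1: TCP/445 x3, TCP/22 x2, one internal host. Day 2: TCP/445 x6,
# UDP/53 x1, no TCP/22 at all, one internal host.
SAMPLE_LOGS = """\
Oct  1 00:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=445
Oct  1 00:05:09 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP DPT=445
Oct  1 01:11:41 fw kernel: DROP IN=eth0 SRC=198.18.4.4 DST=198.51.100.2 PROTO=TCP DPT=22
Oct  1 02:00:00 fw kernel: DROP IN=eth1 SRC=10.1.2.3 DST=203.0.113.50 PROTO=TCP DPT=6667
Oct  1 03:30:30 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=445
Oct  1 04:00:00 fw kernel: DROP IN=eth0 SRC=198.18.4.5 DST=198.51.100.2 PROTO=TCP DPT=22
Oct  2 00:02:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=445
Oct  2 00:03:02 fw kernel: DROP IN=eth0 SRC=203.0.113.8 DST=198.51.100.2 PROTO=TCP DPT=445
Oct  2 00:04:02 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP DPT=445
Oct  2 00:05:02 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.2 PROTO=TCP DPT=445
Oct  2 00:06:02 fw kernel: DROP IN=eth0 SRC=203.0.113.11 DST=198.51.100.2 PROTO=TCP DPT=445
Oct  2 00:07:02 fw kernel: DROP IN=eth0 SRC=203.0.113.12 DST=198.51.100.2 PROTO=TCP DPT=445
Oct  2 05:00:00 fw kernel: DROP IN=eth0 SRC=203.0.113.13 DST=198.51.100.2 PROTO=UDP DPT=53
Oct  2 06:00:00 fw kernel: DROP IN=eth1 SRC=192.168.5.5 DST=203.0.113.60 PROTO=TCP DPT=6667
"""

# Assumed line layout: "<Mon> <day> <hh:mm:ss> <host> kernel: <ACTION> IN=.. SRC=.. DST=.. PROTO=.. [DPT=..]"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+kernel:\s+(?P<action>[A-Z]+)\s+IN=(?P<iface>\S*)\s+"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)(?:\s+DPT=(?P<dpt>\d+))?"
)

# Assumption: RFC 1918 space is "internal" for this site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(line):
    """Return the line's fields as a dict, or None if it is not a DROP record."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_internal(ip_str):
    return any(ipaddress.ip_address(ip_str) in net for net in INTERNAL_NETS)


def triage(lines):
    """Split events into (full_records, counts).

    full_records: parsed events whose SRC is internal, kept verbatim.
    counts: {day: Counter({"PROTO/DPT": n})} for external sources only.
    """
    records = []
    counts = defaultdict(Counter)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        day = f"{ev['mon']} {int(ev['day'])}"
        if is_internal(ev["src"]):
            records.append(ev)
        else:
            counts[day][f"{ev['proto']}/{ev['dpt'] or '-'}"] += 1
    return records, dict(counts)


def flag_deviations(today, baseline, factor=2.0):
    """Flag keys whose count went to zero, appeared, or moved by >= factor."""
    flags = {}
    for key in sorted(set(today) | set(baseline)):
        before, now = baseline.get(key, 0), today.get(key, 0)
        if before and now == 0:
            flags[key] = f"dropped to zero (was {before})"
        elif before == 0 and now:
            flags[key] = f"new ({now})"
        elif now >= before * factor:
            flags[key] = f"rose {before} -> {now}"
        elif now * factor <= before:
            flags[key] = f"fell {before} -> {now}"
    return flags


if __name__ == "__main__":
    recs, by_day = triage(SAMPLE_LOGS.splitlines())
    print(f"kept {len(recs)} full internal-source records")
    for day, c in by_day.items():
        print(day, dict(c))
    for key, why in flag_deviations(by_day["Oct 2"], by_day["Oct 1"]).items():
        print("FLAG", key, why)
```

Running it keeps the two internal-source records in full, reduces the external noise to a handful of counters, and flags TCP/445 (3 to 6), UDP/53 (new) and TCP/22 (went to zero). The zero case is the one most count-based alerting forgets: a probe that has hit you every day and suddenly stops is exactly the "MORE interesting" signal above, and you only see it because the uninteresting thing was being counted.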

