Firewall Wizards mailing list archives
RE: Log checking?
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Fri, 01 Oct 2004 11:11:41 -0400
Paul D. Robertson wrote:
> There's a good case to be made for logging *everything*- but there are mitigating concerns (it's all discoverable, there's a lot of it, you need to be able to deal with the analysis...)
Ranum's first law of Log Analysis:
- Never keep more than you can conceive of possibly looking at

Ranum's second law of Log Analysis:
- The number of times an uninteresting thing happens is an interesting thing

Ranum's third law of Log Analysis:
- Keep everything you possibly can except for where you come into conflict with the First Law

[#insert plug for my log analysis tutorial at USENIX and SANS see http://www.loganalysis.org/news/tutorials for details]
> While I generally recommend folks log as much as possible, with specific sunsets on retention, if you have 5,000 script kiddie attacks a day, you tend to evaluate where and what logging is important in a different light.
The number of times an uninteresting thing happens is an interesting thing. The number 5,000 in your example above is an interesting number and you wouldn't have it available to you if you hadn't counted it. It might, for example, be interesting if it went to 10,000. It might be even MORE interesting if it went to 0. ;)
> Now, if you're not sued often, the idea of discoverable information may not be all that much of an issue- but if you've dealt with fulfilling discovery motions, you'll not want to have to excerpt terabytes of logs for every fishing expedition a lawyer might mount.
1) Judges are getting a lot better about not allowing massive fishing expeditions

2) Who cares if someone wants to discover what you rightly describe as "script kiddie" activity? Give 'em a terabyte and let them have fun with it!

The problem is that you're not analyzing the problem methodically. If you care about that kind of stuff, just keep internal logs differently from external, etc. You might just keep counts of one type of data, versus actual data in another case - and you need to make these decisions rationally based on your site's security needs, bandwidth usage, event load, and legal concerns - not just because someone on Firewall-Wizards said to or not to. ;)
> Only you can make a determination for your organization if say logging automated probes where there are no accessible systems is "worth it."
Right!

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
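The second law above (the count of an uninteresting thing is itself interesting) and the suggestion to keep counts of one class of data rather than the raw events are easy to turn into a job. The following is an added example for this archive page, not code from the list or from any of its posters. The log line format, the DENY/ALLOW action names, the baseline/watch day split and the 2x threshold are all assumptions made for the example; the log lines themselves are constructed.

```python
"""Daily counts of 'uninteresting' firewall denies, with the count itself
watched for change. Added example for this thread, not code from the list
or from any of its posters; log format and thresholds are assumptions."""
import re
from collections import Counter
from statistics import median

# Constructed sample log, one event per line:
# "<date> <time> <action> <src> <dst> <dport>". This shape is invented for
# the example; real firewalls each have their own format.
SAMPLE_LOG = """\
2004-09-28 01:02:03 DENY 203.0.113.5 198.51.100.7 445
2004-09-28 04:15:22 DENY 203.0.113.9 198.51.100.7 135
2004-09-28 19:40:01 DENY 198.18.0.44 198.51.100.7 1433
2004-09-29 00:10:10 DENY 203.0.113.5 198.51.100.7 445
2004-09-29 02:22:33 ALLOW 192.0.2.10 198.51.100.7 25
2004-09-29 05:01:09 DENY 198.18.0.44 198.51.100.7 139
2004-09-29 11:11:11 DENY 203.0.113.77 198.51.100.7 135
2004-09-29 23:59:59 DENY 203.0.113.9 198.51.100.7 1433
2004-09-30 03:03:03 DENY 203.0.113.5 198.51.100.7 445
2004-09-30 09:30:00 DENY 198.18.0.44 198.51.100.7 135
2004-09-30 21:45:12 DENY 203.0.113.77 198.51.100.7 1433
2004-10-01 00:00:01 DENY 203.0.113.5 198.51.100.7 445
2004-10-01 00:00:02 DENY 203.0.113.6 198.51.100.7 445
2004-10-01 00:00:03 DENY 203.0.113.7 198.51.100.7 445
2004-10-01 00:00:04 DENY 203.0.113.8 198.51.100.7 445
2004-10-01 00:00:05 DENY 203.0.113.9 198.51.100.7 445
2004-10-01 00:00:06 DENY 203.0.113.10 198.51.100.7 445
2004-10-01 00:00:07 DENY 203.0.113.11 198.51.100.7 445
2004-10-02 08:00:00 ALLOW 192.0.2.10 198.51.100.7 25
"""

# Assumed split: three days establish what "normal" looks like, two are checked.
BASELINE_DAYS = ["2004-09-28", "2004-09-29", "2004-09-30"]
WATCH_DAYS = ["2004-10-01", "2004-10-02"]

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\w+) (\S+) (\S+) (\d+)$")


def count_denies_per_day(lines):
    """Reduce raw lines to one number per day: how many DENYs happened.
    This is the 'keep counts, not the data' path; unparseable lines are
    skipped so one odd line cannot stop the job."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(2) == "DENY":
            counts[m.group(1)] += 1
    return counts


def flag_interesting(counts, baseline_days, watch_days, factor=2.0):
    """Compare each watched day to the median of the baseline days and
    return (day, count, reason) tuples. Zero is reported on its own:
    a day with no denies at all more often means the logging broke than
    that the probing stopped. A baseline of zero makes any nonzero count
    a spike, which is the intended reading."""
    base = median(counts.get(d, 0) for d in baseline_days)
    flags = []
    for day in watch_days:
        n = counts.get(day, 0)  # a day with no lines at all counts as zero
        if n == 0:
            flags.append((day, n, "zero"))
        elif n >= factor * base:
            flags.append((day, n, "spike"))
        elif n <= base / factor:
            flags.append((day, n, "drop"))
    return flags


if __name__ == "__main__":
    per_day = count_denies_per_day(SAMPLE_LOG.splitlines())
    for day in sorted(set(BASELINE_DAYS + WATCH_DAYS)):
        print(day, per_day.get(day, 0))
    for day, n, why in flag_interesting(per_day, BASELINE_DAYS, WATCH_DAYS):
        print(f"{day}: {n} denies ({why})")
```

Run it and the two watched days come out as a spike (7 against a baseline median of 3) and a zero; the baseline days are never flagged because only the watched days are compared. Swapping the embedded sample for a real log stream is a matter of replacing the regex with the one for your firewall and feeding the per-day counts into whatever keeps your long-term record, which is much smaller than the raw lines.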
Current thread:
- Re: Log checking? Mark Tinberg (Sep 30)
- <Possible follow-ups>
- RE: Log checking? Marcus J. Ranum (Sep 30)
- RE: Log checking? Luke Butcher (Sep 30)
- RE: Log checking? FW Wizards Mailing List (Sep 30)
- RE: Log checking? Paul D. Robertson (Oct 01)
- RE: Log checking? Marcus J. Ranum (Oct 01)
- RE: Log checking? Paul D. Robertson (Oct 01)
- Re: Log checking? Devdas Bhagat (Oct 02)
- RE: Log checking? Paul D. Robertson (Oct 01)
- Re: Log checking? Kevin (Oct 01)
- RE: Log checking? hermit921 (Oct 01)