Firewall Wizards mailing list archives

Re: Firewall Log Analysis - Computer vs. Human


From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Thu, 7 Jul 2005 01:31:24 +0530

On 05/07/05 12:23 -0400, Adrian Grigorof wrote:
> Hi all,
>
> We are trying to develop a log analyzer that would "replicate" a human's
> approach to log analysis - by that I mean the fact that a human can
> correlate information in the log with other factors (like - "hmm, the log

Hmmm, Marcus had a thread on the loganalysis[1] list, asking what
information could be gleaned from the logs. That thread would be a good
starting point for a correlation engine of this type.

In general, if it gets logged, it can be correlated to some extent. The
problem most often is that there is no logging infrastructure for such
correlation.

> says that the firewall was restarted at 12:03 PM"... oh, yeah, it was that
> UPS failure yesterday around noon). For this particular example, the log
> analyzer could say in the report: "12:03 PM - Firewall restarted - Possible
> power failure, power disconnection or manual restart" - a bit vague I agree
> but it is better than nothing - and in fact, this is what the firewall
> admin would go through, right? Thinking, "Why would there be a restart? I

And there could be any other reason, which would be extremely
misleading. IMHO, it is better not to attempt to correlate with vague
information which leads the administrator down the wrong track.

Humans are good at ignoring things that cry wolf too often.

> did not restart it.. anything happened at noon? The UPS failure!". Or for

What happens if the failure was due to something else, like someone
tripping over the power cable, or just a system failure and none of your
possibilities were correct?

If you log more data and then filter, then you can do useful correlations.

"Show me all events that happened in this time range relating to the
firewall", with a predefined dependency for the firewall on the UPS.
The complex problem is getting the human being to define the dependency
of the firewall on the UPS in the first place.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
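One way to implement the "all events in this time range relating to the firewall, given a declared dependency on the UPS" query that the reply describes, as an added example that is not code from the thread; the device names, the sample log events and the DEPENDS_ON map are constructed assumptions:

```python
from datetime import datetime, timedelta

# Constructed sample events, oldest not necessarily first: (timestamp, source, message)
EVENTS = [
    (datetime(2005, 7, 6, 11, 58), "ups-1", "on battery: input power lost"),
    (datetime(2005, 7, 6, 12, 1), "ups-1", "battery exhausted, dropping outlets"),
    (datetime(2005, 7, 6, 12, 3), "fw-1", "system restarted"),
    (datetime(2005, 7, 6, 12, 4), "core-switch", "port Gi0/1 link up"),
    (datetime(2005, 7, 6, 12, 2), "mail-1", "queue runner started"),
    (datetime(2005, 7, 6, 13, 30), "ups-1", "self-test passed"),
]

# The part a human has to supply up front: what each device depends on.
# (Assumed topology; the reply notes that getting this defined is the hard problem.)
DEPENDS_ON = {
    "fw-1": ["ups-1", "core-switch"],
    "core-switch": ["ups-1"],
    "mail-1": ["fw-1"],
}

def dependency_closure(device, deps=DEPENDS_ON):
    """Return the device plus everything it transitively depends on."""
    seen, stack = set(), [device]
    while stack:
        d = stack.pop()
        if d in seen:
            continue
        seen.add(d)
        stack.extend(deps.get(d, []))
    return seen

def related_events(device, at, window=timedelta(minutes=10), events=EVENTS):
    """Events within +/- window of `at` that come from the device or from
    anything in its dependency closure, oldest first. No cause is guessed;
    the administrator is shown the raw evidence and draws the conclusion."""
    scope = dependency_closure(device)
    lo, hi = at - window, at + window
    return sorted(e for e in events if e[1] in scope and lo <= e[0] <= hi)

def firewall_restart_context():
    """Worked case: the 12:03 firewall restart from EVENTS."""
    restart_ts = EVENTS[2][0]
    return related_events("fw-1", restart_ts)

if __name__ == "__main__":
    for ts, src, msg in firewall_restart_context():
        print(ts.strftime("%H:%M"), src, msg)
```

The mail server event at 12:02 is excluded because the firewall does not depend on it, while the UPS events at 11:58 and 12:01 appear without the engine claiming they are the cause.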