Security Basics mailing list archives

RE: Automated analysis of logs?


From: "Kinsey, Robert" <Robert.Kinsey () Veridian com>
Date: Mon, 14 Apr 2003 14:58:07 -0700

I agree, Jon, that using something to "clean up" the alert logs is a
generally good thing (tm).  I am more concerned with the tendency for folks
to "de-tune" based on certain criteria.

For example, you may permit anonymous FTP logins from certain locations
(other offices within the company) but what about the others?  Trying to
concoct a rule to grep out only those that are NOT from within the allowed
ranges would be overwhelming.  In some cases reading the raw logs would be
beneficial - not in all cases however.  A simple probe would be improved if
you could just log (and then grep) the number of probing attempts from IP x
and show what IPs or ports they tried to hit.

In some ways the newer IDS tools do this well (again for raw analysis and
correlation) but I have yet to see one that gave you the firehose WITH
correlation very well.

Regards,
Robert Kinsey

-----Original Message-----
From: Jon Pastore
To: Kinsey, Robert; security-basics () securityfocus com
Sent: 4/13/03 6:06 AM
Subject: Re: Automated analysis of logs?

Fair statement, but if you reverse the process of your scripts to output
unknown or exceptions, this will speed up the under-funded IT dept's
efforts in log analysis...I don't have time to look @ logs all day...I'd
rather eat pain killers; they'd be more fun and I'd fall asleep just as fast
=) my eyes start to glaze over after a few thousand lines =)

I guess really it's all in the logic of your analysis tools and what
you're trying to analyze.  Most tools are designed for the intent of
trending for proactive IT efforts.  Security-based scripts for analysis
should be effective and, I think, if properly coded would help in expediting an
attack or misuse or exploit.

-Jon
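The two cases raised above (anonymous FTP logins that are NOT from an allowed range, and a per-source count of probe attempts with the hosts and ports each source touched) are the kind of "report only the exceptions" reduction Jon describes. The script below is an added illustration written for this archive page, not code from either poster; the ftpd and firewall log lines are constructed samples in an assumed format, and the 10.0.0.0/8 "allowed offices" range is likewise an assumption, so the regexes and ranges would need adapting to a real environment.

```python
"""Exception-based log reduction: report only what is NOT expected.

Two helpers, mirroring the two cases discussed in the thread:
  1. anonymous FTP logins that do not originate from an allowed range
  2. per-source counts of firewall "probe" (dropped packet) entries, with the
     destination hosts and ports each source touched
The log formats below are constructed for this example; adapt the regexes
to your own daemon / firewall output.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not from any real system).
SAMPLE_FTP_LOG = """\
Apr 14 14:01:02 ftp1 ftpd[1201]: ANONYMOUS FTP LOGIN FROM 10.1.5.23, guest@
Apr 14 14:02:17 ftp1 ftpd[1202]: ANONYMOUS FTP LOGIN FROM 203.0.113.77, mozilla@
Apr 14 14:03:40 ftp1 ftpd[1203]: ANONYMOUS FTP LOGIN FROM 10.2.8.9, guest@
Apr 14 14:05:01 ftp1 ftpd[1204]: FTP LOGIN FROM 198.51.100.4, rkinsey
Apr 14 14:06:55 ftp1 ftpd[1205]: ANONYMOUS FTP LOGIN FROM 198.51.100.250, x@
"""

SAMPLE_FW_LOG = """\
Apr 14 14:10:00 fw1 kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP DPT=21
Apr 14 14:10:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP DPT=22
Apr 14 14:10:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.11 PROTO=TCP DPT=22
Apr 14 14:10:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP DPT=23
Apr 14 14:11:30 fw1 kernel: DROP IN=eth0 SRC=198.51.100.250 DST=192.0.2.10 PROTO=TCP DPT=445
Apr 14 14:12:00 fw1 kernel: ACCEPT IN=eth0 SRC=10.1.5.23 DST=192.0.2.10 PROTO=TCP DPT=21
"""

ANON_FTP_RE = re.compile(r"ANONYMOUS FTP LOGIN FROM (?P<src>[\d.]+)")
DROP_RE = re.compile(
    r"\bDROP\b.*\bSRC=(?P<src>[\d.]+).*\bDST=(?P<dst>[\d.]+).*\bDPT=(?P<dpt>\d+)"
)


def anonymous_ftp_exceptions(log_text, allowed_cidrs):
    """Return (line_no, src_ip) for anonymous logins from outside allowed ranges.

    Membership tests use ipaddress objects, so "NOT in any allowed range" is a
    plain loop instead of an unwieldy negated grep pattern.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    exceptions = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = ANON_FTP_RE.search(line)
        if not m:
            continue  # authenticated logins are a separate policy question
        src = ipaddress.ip_address(m.group("src"))
        if not any(src in net for net in allowed):
            exceptions.append((n, str(src)))
    return exceptions


def probe_summary(log_text):
    """Aggregate dropped packets per source: count plus sorted hosts and ports.

    Returns {src: {"count": int, "dst": [...], "ports": [...]}} so that one
    line per probing source replaces one line per dropped packet.
    """
    agg = defaultdict(lambda: {"count": 0, "dst": set(), "ports": set()})
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue  # accepted traffic is not a probe
        entry = agg[m.group("src")]
        entry["count"] += 1
        entry["dst"].add(m.group("dst"))
        entry["ports"].add(int(m.group("dpt")))
    return {
        src: {"count": e["count"], "dst": sorted(e["dst"]), "ports": sorted(e["ports"])}
        for src, e in agg.items()
    }


if __name__ == "__main__":
    allowed = ["10.0.0.0/8"]  # assumption: the company's other offices
    for n, src in anonymous_ftp_exceptions(SAMPLE_FTP_LOG, allowed):
        print(f"line {n}: anonymous FTP login from outside allowed ranges: {src}")
    by_count = sorted(probe_summary(SAMPLE_FW_LOG).items(), key=lambda kv: -kv[1]["count"])
    for src, e in by_count:
        print(f"{src}: {e['count']} drops, hosts {e['dst']}, ports {e['ports']}")
```

Run as-is it prints two anonymous-login exceptions and two probe summaries from the constructed samples; the raw lines are still on disk if a particular source warrants reading the "firehose" in full, which is the balance Robert asks for.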

