Dailydave mailing list archives

Re: News, dumbug, prediction rebuttals.


From: Anton Chuvakin <anton () chuvakin org>
Date: Fri, 23 Dec 2005 17:24:37 -0500

Thomas and all,

> thought of doing correlation of events with events as first class
> objects in a functional language with an object/relational mapping
> layer and a domain-specific query language --- well, I almost want to
> get started right now.

That's pretty hot indeed! We can get started right now :-) But who
will write all the code to parse those stinky multiline free form
logs..?

> The final point I want to make here: OSS has made a profound dent in
> network management. But it didn't do it by cloning OpenView and
> Netcool; it provided small tools, like BB and MRTG, that in the
> aggregate proved substitutable for huge element management packages.

Good point! However, part of SIM's mission is in unifying disparate
tools and views into a single view. Having a score of small tools that
do a good job is largely what SIM is replacing! Many companies wrote
their own log analysis scripts with Perl, awk, grep, etc, but then
realized [I am getting dangerously marketingish here :-)] that it
doesn't really work for the long term. And so SIM was born. Basically,
you are suggesting to go back to the ugly past...

> The same thing will happen in OSS. You're starting to see it in
> Sguil, which will only get better.

IMHO, Sguil follows a wrong model, since it requires a smart analyst
in front of the console, something that most companies likely won't
afford. But this is a discussion for another time and another place
(although I do want to have it at some point! :-) Maybe Mr Bejtlich
would like to argue this here or elsewhere)

> The nice thing about this is that a small, useful, standalone tool
> will almost always be more functional and more reliable than a merit
> badge feature equivalent in a commercial product.

Not if "tying stuff together" (correlating it, you know) is part of
the value you provide. Why would you want to send the security analyst
back to watching 10 "small, useful, standalone tools" vs watching a
single view provided by SIM?

> Any one of these is a summer project. All 4 of them together would
> meet 99% of the needs of 80% of the market. And that's why I think
> credible OSS SIM is inevitable.

He-he, this is why OSS SIM won't show up soon! :-) If you, me or
somebody else codes this, it'd be cool and will likely work well in a
small environment. Scaling up will likely require going *back* to
commercial... As I recall, Snort became gigabit-(and thus,
'enterprise-') ready after the birth of Sourcefire.

OSSIM and Aanval (www.aanval.com) are nice and have some cool things
that I like, but won't work for managing logs from 50,000 (or even
5000) devices or even from a few high-bandwidth firewalls...

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://www.securitywarrior.com