Dailydave mailing list archives
Re: News, dumbug, prediction rebuttals.
From: Anton Chuvakin <anton () chuvakin org>
Date: Fri, 23 Dec 2005 17:24:37 -0500
Thomas and all,
> thought of doing correlation of events with events as first class objects in a functional language with an object/relational mapping layer and a domain-specific query language --- well, I almost want to get started right now.
That's pretty hot indeed! We can get started right now :-) But who will write all the code to parse those stinky multiline free form logs..?
> The final point I want to make here: OSS has made a profound dent in network management. But it didn't do it by cloning OpenView and Netcool; it provided small tools, like BB and MRTG, that in the aggregate proved substitutable for huge element management packages.
Good point! However, part of SIM's mission is in unifying disparate tools and views into a single view. Having a score of small tools that do a good job is largely what SIM is replacing! Many companies wrote their own log analysis scripts with Perl, awk, grep, etc., but then realized [I am getting dangerously marketingish here :-)] that it doesn't really work for the long term. And so SIM was born. Basically, you are suggesting to go back to the ugly past...
> The same thing will happen in OSS. You're starting to see it in Sguil, which will only get better.
IMHO, Sguil follows a wrong model, since it requires a smart analyst in front of the console, something that most companies likely won't afford. But this is a discussion for another time and another place (although I do want to have it at some point! :-) Maybe Mr Bejtlich would like to argue this here or elsewhere)
> The nice thing about this is that a small, useful, standalone tool will almost always be more functional and more reliable than a merit badge feature equivalent in a commercial product.
Not if "tying stuff together" (correlating it, you know) is part of the value you provide. Why would you want to send the security analyst back to watching 10 "small, useful, standalone tools" vs watching a single view provided by SIM?
> Any one of these is a summer project. All 4 of them together would meet 99% of the needs of 80% of the market. And that's why I think credible OSS SIM is inevitable.
He-he, this is why OSS SIM won't show up soon! :-) If you, me or somebody else codes this, it'd be cool and will likely work well in a small environment. Scaling up will likely require going *back* to commercial... As I recall, Snort became gigabit-(and thus, 'enterprise-') ready after the birth of Sourcefire. OSSIM and Aanval (www.aanval.com) are nice and have some cool things that I like, but won't work for managing logs from 50,000 (or even 5000) devices or even from a few high-bandwidth firewalls...

Best,

--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://www.securitywarrior.com
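The two technical points argued above (who parses the "stinky multiline free form logs", and what "tying stuff together" into a single view buys the analyst over ten standalone tools) can be shown in a few dozen lines. The following is an added example, not code from this thread or from any of the products named in it; the log lines are constructed, the tool names `sshd` and `fw1` and the event kinds are assumed, and the correlation rule (repeated auth failures from a source that the firewall also denied, within a time window) is a hypothetical one chosen only to show events from two tools being joined.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample logs from two different tools. The firewall log uses
# indented continuation lines, the "multiline free form" case from the thread.
AUTH_LOG = """\
2005-12-23 17:01:02 sshd[2211]: Failed password for invalid user admin from 10.0.0.7
2005-12-23 17:01:05 sshd[2211]: Failed password for invalid user root from 10.0.0.7
2005-12-23 17:02:10 sshd[2230]: Accepted password for alice from 10.0.0.9
"""

FW_LOG = """\
2005-12-23 17:00:58 fw1: DENY tcp src=10.0.0.7 dst=192.0.2.10 dport=22
    reason=rate-limit
    policy=edge-ssh
2005-12-23 17:01:00 fw1: ALLOW tcp src=10.0.0.7 dst=192.0.2.10 dport=22
2005-12-23 17:03:00 fw1: DENY tcp src=10.0.0.9 dst=192.0.2.10 dport=445
    reason=policy
"""


@dataclass(order=True)
class Event:
    """Events as first-class objects: every tool's records are mapped onto this shape."""
    ts: datetime
    source: str    # producing tool (assumed names: "sshd", "fw1")
    kind: str      # normalized verb: auth_fail, auth_ok, fw_deny, fw_allow
    src_ip: str
    fields: Dict[str, str] = field(default_factory=dict, compare=False)


def join_multiline(text: str) -> List[str]:
    """Fold continuation lines (those starting with whitespace) into the record above."""
    records: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    return records


TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
AUTH_RE = re.compile(TS + r" sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
FW_RE = re.compile(TS + r" fw1: (?P<action>DENY|ALLOW) \w+ src=(?P<ip>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?P<rest>.*)")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_auth(text: str) -> List[Event]:
    """Normalize sshd records; lines the pattern does not recognize are skipped."""
    events = []
    for rec in join_multiline(text):
        m = AUTH_RE.match(rec)
        if m:
            kind = "auth_fail" if m["result"] == "Failed" else "auth_ok"
            events.append(Event(_ts(m["ts"]), "sshd", kind, m["ip"], {"user": m["user"]}))
    return events


def parse_fw(text: str) -> List[Event]:
    """Normalize firewall records after folding their continuation lines."""
    events = []
    for rec in join_multiline(text):
        m = FW_RE.match(rec)
        if m:
            kind = "fw_deny" if m["action"] == "DENY" else "fw_allow"
            extra = dict(kv.split("=", 1) for kv in m["rest"].split())
            extra.update(dst=m["dst"], dport=m["dport"])
            events.append(Event(_ts(m["ts"]), "fw1", kind, m["ip"], extra))
    return events


def unified_timeline(*streams: List[Event]) -> List[Event]:
    """The 'single view': one time-ordered stream across all tools."""
    return sorted(e for s in streams for e in s)


def correlate(events: List[Event], window=timedelta(minutes=5), min_fails=2) -> List[str]:
    """Source IPs with >= min_fails auth failures and a firewall deny within the window."""
    by_ip: Dict[str, List[Event]] = {}
    for e in events:
        by_ip.setdefault(e.src_ip, []).append(e)
    hits = []
    for ip, evs in sorted(by_ip.items()):
        fails = [e.ts for e in evs if e.kind == "auth_fail"]
        denies = [e.ts for e in evs if e.kind == "fw_deny"]
        if len(fails) >= min_fails and any(abs(f - d) <= window for f in fails for d in denies):
            hits.append(ip)
    return hits


if __name__ == "__main__":
    timeline = unified_timeline(parse_auth(AUTH_LOG), parse_fw(FW_LOG))
    for e in timeline:
        print(e.ts, e.source, e.kind, e.src_ip, e.fields)
    print("correlated sources:", correlate(timeline))
```

The point of the example is the split of labour the thread is really about: each tool needs its own small, ugly parser (the `join_multiline` step plus one regex per format), but once records are normalized into one `Event` type the cross-tool rule in `correlate` is a few lines and does not care which tool produced what. That normalization layer is the part a pile of per-tool scripts never gives you, and also the part that has to be rewritten every time a vendor changes its log format.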