Firewall Wizards mailing list archives
Re: Log checking?
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Sat, 2 Oct 2004 02:36:44 +0530
On 01/10/04 11:11 -0400, Marcus J. Ranum wrote:
> Paul D. Robertson wrote:
>> There's a good case to be made for logging *everything*- but there are
>> mitigating concerns (it's all discoverable, there's a lot of it, you need
>> to be able to deal with the analysis...)

Devdas' Zeroth law:
- Log!

> Ranum's first law of Log Analysis:
> - Never keep more than you can conceive of possibly looking at

Is that with or without Perl?

> Ranum's second law of Log Analysis:
> - The number of times an uninteresting thing happens is an interesting thing
>
> Ranum's third law of Log Analysis:
> - Keep everything you possibly can except for where you come into conflict
>   with the First Law
>
> [#insert plug for my log analysis tutorial at USENIX and SANS see
> http://www.loganalysis.org/news/tutorials for details]
>
>> While I generally recommend folks log as much as possible, with specific
>> sunsets on retention, if you have 5,000 script kiddie attacks a day, you
>> tend to evaluate where and what logging is important in a different light.
>
> The number of times an uninteresting thing happens is an interesting thing.
> The number 5,000 in your example above is an interesting number and you
> wouldn't have it available to you if you hadn't counted it. It might, for
> example, be interesting if it went to 10,000. It might be even MORE
> interesting if it went to 0. ;)
>
>> Now, if you're not sued often, the idea of discoverable information may not
>> be all that much of an issue- but if you've dealt with fulfilling discovery
>> motions, you'll not want to have to excerpt terabytes of logs for every
>> fishing expedition a lawyer might mount.
>
> 1) Judges are getting a lot better about not allowing massive fishing
>    expeditions
> 2) Who cares if someone wants to discover what you rightly describe as
>    "script kiddie" activity? Give 'em a terabyte and let them have fun with
>    it! The problem is that you're not analyzing the problem methodically. If
>    you care about that kind of stuff, just keep internal logs differently
>    from external, etc. You might just keep counts of one type of data, versus
>    actual data in another case - and you need to make these decisions
>    rationally based on your site's security needs, bandwidth usage, event
>    load, and legal concerns - not just because someone on Firewall-Wizards
>    said to or not to. ;)

And depending on the resources you want to throw at the problem. While all
the data mining might be interesting, any business will want to evaluate
first if that mining is worth the resources it consumes. It need not be only
storing counts of data, the question is one of counting the events in the
first place. In some cases, I might not even be interested in looking at
events except when they deviate from a mean by a certain number. Determining
the mean could be fairly easy, and I wouldn't bother to log things for that.
Deviations would be logged, but not the base itself.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
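An added illustration of the count-then-flag-deviations approach discussed in this thread (example code, not from the thread or any of its participants; the syslog-style DENY line format, the helper names and the per-day volumes are constructed assumptions): it keeps only a per-day count of firewall denies, fixes a mean from five quiet baseline days, and reports just the days that move more than k standard deviations from it, so both a flood and the count dropping to zero surface while the base itself is never stored.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Matches a constructed syslog-style firewall line, e.g.
# "Sep 27 03:12:01 fw kernel: DENY IN=eth0 SRC=198.51.100.7 DPT=135"
DENY_RE = re.compile(r"^(\w{3} +\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: DENY\b")

def count_denies(lines, days):
    """Ranum's second law: keep the per-day count of an uninteresting event, not the events."""
    counts = Counter({day: 0 for day in days})  # a day with zero hits must still appear
    for line in lines:
        m = DENY_RE.match(line)
        if m and m.group(1) in counts:
            counts[m.group(1)] += 1
    return counts

def deviations(counts, baseline_days, k=3.0):
    """Devdas' approach: fix a mean from a quiet baseline, then log only the days that deviate."""
    base = [counts[d] for d in baseline_days]
    mu, sigma = mean(base), pstdev(base)
    return {day: n for day, n in counts.items()
            if day not in baseline_days and abs(n - mu) > k * sigma}

def make_sample_log():
    """Constructed input: five ordinary days, then a flood (Oct 1) and silence (Oct 2)."""
    per_day = {"Sep 26": 50, "Sep 27": 48, "Sep 28": 52, "Sep 29": 49, "Sep 30": 51,
               "Oct  1": 500, "Oct  2": 0}
    lines = []
    for day, n in per_day.items():
        for i in range(n):
            lines.append(f"{day} {i % 24:02d}:{i % 60:02d}:00 fw kernel: DENY IN=eth0 "
                         f"SRC=198.51.100.{i % 254 + 1} DPT=135")
        # an unrelated line that must not be counted
        lines.append(f"{day} 12:00:00 fw sshd[1]: Accepted publickey for admin")
    return list(per_day), lines

def run():
    days, lines = make_sample_log()
    counts = count_denies(lines, days)
    return deviations(counts, days[:5])  # first five days are the baseline

if __name__ == "__main__":
    for day, n in run().items():
        print(f"{day}: {n} denies (outside the baseline)")
```

A real deployment would also refresh the baseline over a sliding window so that a slow drift does not become the new normal unnoticed.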