Re: Log checking?

[Devdas Bhagat <devdas () dvb homelinux org>]

On 01/10/04 11:11 -0400, Marcus J. Ranum wrote:
> Paul D. Robertson wrote:
> > There's a good case to be made for logging *everything*- but there are
> > mitigating concerns (it's all discoverable, there's a lot of it, you need
> > to be able to deal with the analysis...)
Devdas' Zeroth law:
        - Log!

> Ranum's first law of Log Analysis:
>         - Never keep more than you can conceive of possibly looking at

Is that with or without Perl?

> Ranum's second law of Log Analysis:
>         - The number of times an uninteresting thing happens is an interesting
>                 thing
> Ranum's third law of Log Analysis:
>         - Keep everything you possibly can except for where you come
>                 into conflict with the First Law
>
> [#insert plug for my log analysis tutorial at USENIX and SANS
> see http://www.loganalysis.org/news/tutorials for details]
>
> > While I generally recommend folks log as much as possible, with specific
> > sunsets on retention, if you have 5,000 script kiddie attacks a day, you
> > tend to evaluate where and what logging is important in a different light.
>
> The number of times an uninteresting thing happens is an interesting
> thing. The number 5,000 in your example above is an interesting
> number and you wouldn't have it available to you if you hadn't
> counted it. It might, for example, be interesting if it went to 10,000.
> It might be even MORE interesting if it went to 0. ;)
>
> > Now, if you're not sued often, the idea of discoverable information may
> > not be all that much of an issue- but if you've dealt with fulfilling
> > discovery motions, you'll not want to have to excerpt terabytes of logs
> > for every fishing expedition a lawyer might mount.
>
> 1) Judges are getting a log better about not allowing massive
>         fishing expeditions
> 2) Who cares if someone wants to discover what you rightly
>         describe as "script kiddie" activity? Give 'em a terabyte
>         and let them have fun with it!
>
> The problem is that you're not analyzing the problem methodically.
> If you care about that kind of stuff, just keep internal logs differently
> from external, etc. You might just keep counts of one type of
> data, versus actual data in another case - and you need to make
> these decisions rationally based on your site's security
> needs, bandwidth usage, event load, and legal concerns - not
> just because someone on Firewall-Wizards said to or not to. ;)

And depending on the resources you want to throw at the problem.
While all the data mining might be interesting, any business will want
to evaluate first if that mining is worth the resources it consumes.

It need not be only storing counts of data, the question is one of
counting the events in the first place. In some cases, I might not even
be interested in looking at events except when they deviate from a mean
by a certain number. Determining the mean could be fairly easy, and I 
wouldn't bother to log things for that. Deviations would be logged, but
not the base itself.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards