Firewall Wizards mailing list archives
RE: parsing logs ultra-fast inline
From: "Tina Bird" <tbird () precision-guesswork com>
Date: Tue, 7 Feb 2006 13:27:43 -0800
Anton Chuvakin wrote:

> While I am preparing to enter this discussion in full force :-), I figured
> I'd shoot a quick one on this:
>
> > meaning. Take Tina's VPN example - how many types of log entries you
> > would expect from a VPN concentrator? From my experience, not more than
> > 20 but let's assume there are 50. Give a sample from each entry to a Perl
>
> He-he, no :-) I just looked at the old documentation bundle of Cisco VPN
> 3000 messages and it's nowhere near the above. How about 2049 unique
> messages documented by Cisco?
But don't miss my point! I don't have to parse all those 2k or more messages, because I'm only after *one* thing: all I want to know (at least starting out) is the source of an inbound remote access connection, because my pick for lowest-hanging fruit with regard to remote access abuse is remote access coming from "unusual" locations.

In fact, the discussion is trying really hard to support the exact opposite of what I was saying :-) If you start out trying to parse *everything*, you're at best going to work really really hard for a long time. If you pick one or two conditions that you or your local expert *know* are significant, you get something up and running really quickly. That impresses management :-)

cheers - tbird
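The approach Tina describes, as an added example that is not part of the original thread or of any Cisco tooling: ignore the thousands of documented message types, match only the one event that matters (a successful remote-access authentication), pull out the source address, and flag sources that fall outside the networks you expect your users to come from. The log lines below are constructed and only loosely modelled on a Cisco VPN 3000 syslog feed; the exact field layout, the regex built around it, and the "expected" networks (RFC 5737 documentation ranges) are all assumptions to be adapted to a real device.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample feed. The field layout is an assumption, not the
# documented Cisco format; adjust AUTH_RE to match what your concentrator emits.
SAMPLE_LOG = """\
1041 02/07/2006 13:20:01.120 SEV=4 IKE/52 RPT=881 198.51.100.23 Group [staff] User [alice] User (alice) authenticated.
1042 02/07/2006 13:20:02.300 SEV=5 IKE/50 RPT=882 198.51.100.23 Group [staff] User [alice] Connection established.
1043 02/07/2006 13:21:17.004 SEV=4 AUTH/22 RPT=12 Authentication server unreachable, retrying
1044 02/07/2006 13:25:40.918 SEV=4 IKE/52 RPT=883 203.0.113.77 Group [staff] User [bob] User (bob) authenticated.
1045 02/07/2006 13:26:02.550 SEV=6 HWDIAG/1 RPT=3 Fan speed normal
1046 02/07/2006 13:27:11.001 SEV=4 IKE/52 RPT=884 192.0.2.9 Group [contractor] User [carol] User (carol) authenticated.
"""

# Where remote-access users are *expected* to connect from (constructed;
# in practice this is whatever your local expert says is normal).
EXPECTED_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# The single pattern we care about: a successful remote-access authentication
# carrying the peer's source address. Everything else is deliberately ignored.
AUTH_RE = re.compile(
    r"\b(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Group \[(?P<group>[^\]]+)\] User \[(?P<user>[^\]]+)\] "
    r"User \(\S+\) authenticated\."
)


@dataclass
class RemoteLogin:
    src: ipaddress.IPv4Address
    user: str
    group: str
    line: str


def extract_logins(text):
    """Return only successful remote-access logins from a raw log feed."""
    logins = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # not the one event we're after; skip without parsing it
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # regex matched but the address is malformed; don't trust it
        logins.append(RemoteLogin(src, m.group("user"), m.group("group"), line))
    return logins


def unusual_logins(logins, expected_nets=EXPECTED_NETS):
    """Keep logins whose source lies outside every expected network."""
    return [l for l in logins if not any(l.src in net for net in expected_nets)]


if __name__ == "__main__":
    for login in unusual_logins(extract_logins(SAMPLE_LOG)):
        print(f"UNUSUAL: {login.user} ({login.group}) from {login.src}")
```

The point of the two-stage shape is that `extract_logins` throws away most of the feed before anyone has to understand it, and `unusual_logins` is the one condition a local expert can sign off on. Replacing the allowlist with a per-user "first time seen from this network" check is the natural next step once the baseline is known.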