On 11 Oct 2001 15:55:47 -0500 Hal Snyder <halat_private> wrote:

> BTW, we're still working on the best way to handle firewall logs. Two
> things make them challenging - the sheer volume of data, and the fact
> that interesting new problems usually show up not as a new type of
> message, but as a change in the distribution of messages.

This is also true for NIDS (which currently have a very high false +ve rate).

I find snortsnarf useful. It produces an hourly summary in the form of a table with event types and counts. I know what is 'normal' and so I don't investigate most alerts; however, every now and again we get something unusual which I do follow up. There are some alerts that are generally reliable and are always followed up.

There is no substitute for having an intelligent human eye-balling the stuff. That person will be much more effective if the information is carefully summarised.

As far as snortsnarf goes I would like to see three reports for each time period, one by event type, one by source address and one by destination address. Currently it just summarises by event type.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
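The two ideas in the exchange above, hourly summaries cut three ways (by event type, by source, by destination) and treating a change in the distribution of alerts rather than a new alert type as the signal, as an added worked example. This is editor-supplied illustration code, not snortsnarf's implementation and not the poster's; it assumes a Snort "fast"-style alert line layout (described in the comment), uses made-up rule names, local-range SIDs and TEST-NET addresses in constructed sample data, and the shift thresholds (`factor`, `min_count`) are arbitrary illustrative values.

```python
import re
from collections import Counter, defaultdict

# Assumed layout of a Snort "fast" alert line (an assumption of this added
# example, not snortsnarf's parser). Ports are optional so ICMP alerts also match:
#   MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] rule name [**] [Classification: ...]
#   [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hour>\d\d):\d\d:\d\d\.\d+\s+"
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<event>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?(?:\[Priority:\s*\d+\]\s+)?"
    r"\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def parse_alert(line):
    """Return (hour bucket, event, src, dst), or None for lines that do not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    hour = "%s/%s %s" % (m.group("mon"), m.group("day"), m.group("hour"))
    return hour, m.group("event"), m.group("src"), m.group("dst")

def summarise(lines):
    """Per-hour counts keyed three ways: by event type, by source, by destination."""
    summary = defaultdict(lambda: {"event": Counter(), "src": Counter(), "dst": Counter()})
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue                      # unparseable line: skip, do not abort the run
        hour, event, src, dst = parsed
        summary[hour]["event"][event] += 1
        summary[hour]["src"][src] += 1
        summary[hour]["dst"][dst] += 1
    return dict(summary)

def distribution_shift(baseline, current, factor=3.0, min_count=5):
    """Keys whose count in `current` is at least `factor` times the baseline count
    and at least `min_count`. Keys absent from the baseline count as baseline 0,
    so a brand-new source or target surfaces too. Thresholds are illustrative."""
    flagged = []
    for key, now in sorted(current.items()):
        before = baseline.get(key, 0)
        if now >= max(min_count, factor * before):
            flagged.append((key, before, now))
    return flagged

def compare_hours(summary, prev_hour, cur_hour, **kw):
    """Run distribution_shift for each of the three views between two hour buckets."""
    return {view: distribution_shift(summary[prev_hour][view], summary[cur_hour][view], **kw)
            for view in ("event", "src", "dst")}

# Constructed sample data: TEST-NET addresses, local-range SIDs, made-up rule names.
LINE = ("10/11-%s:%02d:00.000000 [**] [1:%d:1] %s [**] "
        "[Classification: Example] [Priority: 2] {%s} %s -> %s")

def constructed_alerts():
    lines = []
    for hour in ("14", "15"):
        # Background noise that looks the same every hour: one ping each from six hosts.
        for i in range(1, 7):
            lines.append(LINE % (hour, i, 1000001, "EXAMPLE ICMP sweep", "ICMP",
                                 "192.0.2.%d" % i, "198.51.100.1"))
        # A couple of web probes per hour from one regular source.
        for i in range(2):
            lines.append(LINE % (hour, 10 + i, 1000002, "EXAMPLE WEB probe", "TCP",
                                 "192.0.2.10:4000%d" % i, "198.51.100.10:80"))
    # In hour 15 a new host hammers the same web server: same event type, new distribution.
    for i in range(12):
        lines.append(LINE % ("15", 20 + i, 1000002, "EXAMPLE WEB probe", "TCP",
                             "203.0.113.7:%d" % (50000 + i), "198.51.100.10:80"))
    lines.append("not an alert line at all")      # exercises the skip path
    return lines

if __name__ == "__main__":
    summary = summarise(constructed_alerts())
    for hour in sorted(summary):
        for view in ("event", "src", "dst"):
            print(hour, view, summary[hour][view].most_common(3))
    for view, hits in compare_hours(summary, "10/11 14", "10/11 15").items():
        for key, before, now in hits:
            print("SHIFT %-5s %-20s %3d -> %3d" % (view, key, before, now))
```

Run against the constructed data, the event-type view alone only says "EXAMPLE WEB probe" went from 2 to 14; the source and destination views are what turn that into something a human can act on (one new source, one existing server). Whatever baseline you compare against (previous hour, same hour yesterday, a rolling median), the point is that the comparison runs per key in all three views, not only on the event-type table.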
This archive was generated by hypermail 2b30 : Tue Oct 16 2001 - 17:05:17 PDT