Re: [logs] Best Practices for Application Logging

From: Russell Fulton (r.fultonat_private)
Date: Tue Oct 16 2001 - 15:27:55 PDT


    On 11 Oct 2001 15:55:47 -0500 Hal Snyder <halat_private> wrote:
    
    > BTW, we're still working on the best way to handle firewall logs. Two
    > things make them challenging - the sheer volume of data, and the fact
    > that interesting new problems usually show up not as a new type of
    > message, but as a change in the distribution of messages.
    > 
    
    This is also true for NIDS (which currently have a very high false +ve 
    rate).  I find snortsnarf useful.  It produces an hourly summary in the 
    form of a table with event types and counts.  I know what is 'normal' 
    and so I don't investigate most alerts, however every now and again we 
    get something unusual which I do follow up.  There are some alerts that 
    are generally reliable and are always followed up.
    
    There is no substitute for having an intelligent human eye-balling the 
    stuff.  That person will be much more effective if the information is 
    carefully summarised.
    
    As far as snortsnarf goes I would like to see three reports for each 
    time period, one by event type, one by source address and one by 
    destination address.  Currently it just summarises by event type.
    
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    
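The three hourly tables Russell asks for (by event type, by source, by destination), together with a check for the kind of distribution change Hal describes, as an added example that is not code from the original post or from snortsnarf. It assumes Snort's single-line "fast" alert format; the alert lines are constructed sample data, and the 3x hour-over-hour threshold is an arbitrary choice for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in Snort "fast" format (not from the original post).
# Hour 14 is the "normal" hour; in hour 15 one host starts pinging many internal hosts.
SAMPLE_ALERTS = """\
10/16-14:03:22.100000  [**] [1:1000001:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.10
10/16-14:10:41.200000  [**] [1:1000002:1] WEB-MISC /etc/passwd access [**] [Priority: 2] {TCP} 10.0.0.7:4412 -> 192.168.1.20:80
10/16-14:55:03.300000  [**] [1:1000001:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.10
10/16-15:02:17.400000  [**] [1:1000001:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.11
10/16-15:02:18.400000  [**] [1:1000001:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.12
10/16-15:02:19.400000  [**] [1:1000001:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.13
10/16-15:02:20.400000  [**] [1:1000001:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.14
10/16-15:02:21.400000  [**] [1:1000001:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.15
10/16-15:02:22.400000  [**] [1:1000001:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.16
10/16-15:31:09.500000  [**] [1:1000002:1] WEB-MISC /etc/passwd access [**] [Priority: 2] {TCP} 10.0.0.7:4420 -> 192.168.1.20:80
"""

ALERT_RE = re.compile(
    r"^(?P<day>\d\d/\d\d)-(?P<hour>\d\d):\d\d:\d\d\.\d+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]\s+"
    r"(?P<sig>.+?)\s+\[\*\*\].*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)

def parse_alerts(text):
    """Yield (hour, signature, src_ip, dst_ip) per parseable line; skip anything else."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield f"{m['day']} {m['hour']}:00", m["sig"], m["src"], m["dst"]

def hourly_summaries(text):
    """snortsnarf-style hourly tables, keyed three ways: by event, by source, by destination."""
    tables = defaultdict(lambda: {"event": Counter(), "src": Counter(), "dst": Counter()})
    for hour, sig, src, dst in parse_alerts(text):
        tables[hour]["event"][sig] += 1
        tables[hour]["src"][src] += 1
        tables[hour]["dst"][dst] += 1
    return dict(tables)

def distribution_shifts(tables, view, factor=3):
    """(hour, item, count, previous count) where count >= factor x previous hour's count (min 1)."""
    hours = sorted(tables)
    flagged = []
    for prev, cur in zip(hours, hours[1:]):
        for item, n in tables[cur][view].items():
            baseline = max(tables[prev][view].get(item, 0), 1)
            if n >= factor * baseline:
                flagged.append((cur, item, n, tables[prev][view].get(item, 0)))
    return flagged
```

On the sample data the jump shows up in the by-event and by-source tables but not in the by-destination table, which is why a single event-type view can hide a sweep across many hosts.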



    This archive was generated by hypermail 2b30 : Tue Oct 16 2001 - 17:05:17 PDT