Hello Tina and all,

> explosions. Everyone always says "log and you'll know what's normal"
> but I haven't seen too many folks give good examples of how to weed
> through things during normal operations.

Moreover, some of the suggested approaches for system baselining I've seen will happily include all the attack traffic as 'normal' just because it happened during the baselining period.

OTOH, (I know it has been beaten to death but) are CodeRed hits on an Internet-exposed web server 'normal' or 'attack' traffic?

The related higher-level question is: is normal what SHOULD be happening in the network, or is it what REALLY happens day by day?

This is a very exciting thread! I will surely contribute more when I digest all the wise responses posted ...

Best,

P.S. Also, would it help or hurt figuring out what is normal if another layer of abstraction is created above common log messages to normalize them?

--
Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
https://lists.shmoo.com/mailman/listinfo/loganalysis
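The baselining problem raised in the post (attack traffic counted as "normal" because it happened during the baseline window) and the P.S. about a normalizing layer, shown together as an added example that is not part of the original message. The log lines are constructed Common Log Format samples, including two Code Red style default.ida probes; the CLF regex, the `normalize` event shape and the `KNOWN_ATTACK_PATHS` list are all assumptions of this example, not anything from the thread.

```python
import re
from collections import Counter

# Constructed sample web-server log lines (Common Log Format), not from the post.
# The last two are Code Red style probes for default.ida, which the post asks about.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Aug/2002:10:01:02 -0700] "GET /index.html HTTP/1.0" 200 1043
10.0.0.7 - - [19/Aug/2002:10:01:09 -0700] "GET /images/logo.gif HTTP/1.0" 200 512
10.0.0.5 - - [19/Aug/2002:10:02:15 -0700] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [19/Aug/2002:10:03:40 -0700] "GET /missing.html HTTP/1.0" 404 210
192.0.2.44 - - [19/Aug/2002:10:04:01 -0700] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 0
192.0.2.45 - - [19/Aug/2002:10:04:03 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 0
"""

CLF_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Known-attack patterns that a baseline should not learn as "normal".
# Hypothetical, minimal list; Code Red's default.ida probe is the one named in the post.
KNOWN_ATTACK_PATHS = (re.compile(r'^/default\.ida', re.I),)


def normalize(line):
    """Map one raw CLF line onto a small canonical event (the abstraction layer
    the P.S. asks about). Returns None for lines that do not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    path = m.group('path').split('?', 1)[0]   # drop query string for grouping
    event = {'src': m.group('src'), 'method': m.group('method'),
             'path': path, 'status': int(m.group('status'))}
    event['known_attack'] = any(p.search(path) for p in KNOWN_ATTACK_PATHS)
    return event


def build_baseline(log_text, exclude_known_attacks):
    """Count (method, path, status) tuples; optionally leave out known attacks."""
    baseline = Counter()
    for line in log_text.splitlines():
        ev = normalize(line)
        if ev is None:
            continue
        if exclude_known_attacks and ev['known_attack']:
            continue
        baseline[(ev['method'], ev['path'], ev['status'])] += 1
    return baseline
```

Building the baseline with `exclude_known_attacks=False` learns the default.ida probes as an expected 404 pattern; with `True` they are tagged and kept out, so later hits still stand out against the baseline.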
This archive was generated by hypermail 2b30 : Tue Aug 20 2002 - 11:12:53 PDT