On Tue, 20 Aug 2002, Wright, Joseph G (Gregory), SOLCM wrote:

> > My hope is that by providing this sort of information we'll
> > make it easier
> > for people to get up to speed on what is and is not typical
> > >>for them<<.
>
> I think perhaps we need two types of information:
>
> 1. A basic methodology for actually profiling boxen, based on the OS,
> the intended use, location within the network, etc. There are as
> many approaches to this as there are tools to collect the data, if
> not more. However, providing some guidelines or direction as to
> what data is the most useful to collect and what are some of the
> more universally accepted "useful" ways to look at that data will
> go a long way.
>
> 2. A repository of sanitized profiles, where a specific type of
> configuration is described (e.g., web, DNS and mail servers located
> in a DMZ, all running on a single flavor of *nix), and a snapshot
> of what has been determined as "normal" activity for that config.

Stick a honeypot out there; whatever it captures, it ain't 'normal' :)

lance
http://www.tracking-hackers.com

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
https://lists.shmoo.com/mailman/listinfo/loganalysis
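The profiling methodology Wright asks for in point 1, as an added example that is not part of the original thread: a small Python baseline profiler that counts syslog-style events per (host, program) over several quiet observation windows, then scores a later window and reports sources that are new, spiking above the baseline band, or silent. The log lines, host names (dmz-web, dmz-dns, dmz-mail) and the sigma/margin thresholds are constructed for illustration, not taken from any real profile.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Syslog-style line: "<host> <program>[pid]: <message>". Only host and program
# feed the profile; the message text is ignored at this level.
LINE_RE = re.compile(r"^(\S+)\s+(\S+?)(?:\[\d+\])?:\s")


def parse_line(line):
    """Return (host, program) for a syslog-style line, or None if it doesn't parse."""
    m = LINE_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def count_window(lines):
    """Count (host, program) occurrences within one observation window."""
    counts = Counter()
    for line in lines:
        key = parse_line(line)
        if key:
            counts[key] += 1
    return counts


def build_profile(windows):
    """Profile 'normal' from several windows: per (host, program), the mean and
    population stdev of the per-window count. A source absent from a window
    counts as 0 there, so intermittent sources naturally get a wide band."""
    per_window = [count_window(w) for w in windows]
    keys = set().union(*per_window)
    return {key: (mean([c[key] for c in per_window]), pstdev([c[key] for c in per_window]))
            for key in keys}


def score_window(profile, lines, sigma=3.0, min_margin=2.0):
    """Compare one window against the profile. Returns findings sorted by host, program:
    ('new',    host, program, count, None)      source never seen in the baseline
    ('spike',  host, program, count, threshold) count above mean + band
    ('silent', host, program, 0,     mean)      baseline source produced nothing
    min_margin keeps a zero-variance source from alerting on a +1 change."""
    observed = count_window(lines)
    findings = []
    for (host, prog), count in observed.items():
        if (host, prog) not in profile:
            findings.append(("new", host, prog, count, None))
            continue
        avg, sd = profile[(host, prog)]
        threshold = avg + max(sigma * sd, min_margin)
        if count > threshold:
            findings.append(("spike", host, prog, count, round(threshold, 2)))
    for (host, prog), (avg, _sd) in profile.items():
        if avg > 0 and observed[(host, prog)] == 0:
            findings.append(("silent", host, prog, 0, round(avg, 2)))
    return sorted(findings, key=lambda f: (f[1], f[2]))


def lines(text):
    return text.strip().splitlines()


# Constructed sample data (not from the thread): three quiet days for a DMZ of
# web, DNS and mail hosts, then one day to score against them.
BASELINE_DAYS = [
    """dmz-web sshd[201]: Accepted publickey for deploy from 10.0.0.5 port 51022
dmz-web httpd: GET /index.html 200
dmz-web httpd: GET /about.html 200
dmz-web httpd: GET /index.html 200
dmz-dns named[77]: client 10.0.0.9 query: www.example.com IN A
dmz-dns named[77]: client 10.0.0.9 query: mail.example.com IN MX
dmz-mail postfix/smtpd[310]: connect from relay.example.com[10.0.0.20]
dmz-mail postfix/smtpd[310]: disconnect from relay.example.com[10.0.0.20]""",
    """dmz-web sshd[202]: Accepted publickey for deploy from 10.0.0.5 port 51030
dmz-web httpd: GET /index.html 200
dmz-web httpd: GET /news.html 200
dmz-web httpd: GET /index.html 200
dmz-web httpd: GET /about.html 200
dmz-dns named[77]: client 10.0.0.9 query: www.example.com IN A
dmz-dns named[77]: client 10.0.0.11 query: www.example.com IN A
dmz-mail postfix/smtpd[311]: connect from relay.example.com[10.0.0.20]
dmz-mail postfix/smtpd[311]: client=relay.example.com[10.0.0.20]
dmz-mail postfix/smtpd[311]: disconnect from relay.example.com[10.0.0.20]""",
    """dmz-web sshd[203]: Accepted publickey for deploy from 10.0.0.5 port 51041
dmz-web httpd: GET /index.html 200
dmz-web httpd: GET /index.html 200
dmz-web httpd: GET /about.html 200
dmz-dns named[77]: client 10.0.0.9 query: www.example.com IN A
dmz-dns named[77]: client 10.0.0.9 query: mail.example.com IN MX
dmz-dns named[77]: client 10.0.0.12 query: www.example.com IN A
dmz-mail postfix/smtpd[312]: connect from relay.example.com[10.0.0.20]
dmz-mail postfix/smtpd[312]: disconnect from relay.example.com[10.0.0.20]""",
]

TODAY = """dmz-web sshd[204]: Failed password for root from 198.51.100.7 port 40001
dmz-web sshd[204]: Failed password for root from 198.51.100.7 port 40002
dmz-web sshd[204]: Failed password for root from 198.51.100.7 port 40003
dmz-web sshd[204]: Failed password for root from 198.51.100.7 port 40004
dmz-web sshd[204]: Failed password for root from 198.51.100.7 port 40005
dmz-web sshd[205]: Accepted publickey for deploy from 10.0.0.5 port 51055
dmz-web httpd: GET /index.html 200
dmz-web httpd: GET /about.html 200
dmz-web httpd: GET /index.html 200
dmz-web cron[44]: (root) CMD (run-parts /etc/cron.hourly)
dmz-dns named[77]: client 10.0.0.9 query: www.example.com IN A
dmz-dns named[77]: client 10.0.0.9 query: mail.example.com IN MX"""


def demo():
    """Build the profile from the three baseline days and score TODAY."""
    profile = build_profile([lines(d) for d in BASELINE_DAYS])
    return score_window(profile, lines(TODAY))


if __name__ == "__main__":
    for kind, host, prog, count, ref in demo():
        print(f"{kind:6} {host} {prog}: count={count} baseline={ref}")
```

On the constructed data this reports three things a reviewer would want to know about: sshd on dmz-web spiking to 6 events against a baseline of 1, a cron source on dmz-web that never appeared in the baseline, and dmz-mail going silent. The "silent" case matters as much as the spikes: a log source that stops talking is itself a deviation from "normal", and a profile that only looks for excess would miss it.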
This archive was generated by hypermail 2b30 : Tue Aug 20 2002 - 11:53:05 PDT