On Tue, Aug 20, 2002 at 06:42:49AM +0000, Tina Bird wrote:
> > 3) Given a particular operating system and/or system purpose, what are
> (pick your favorite integer) 15 messages that pretty much always mean bad
> news: that the system has been compromised, that a catastrophic failure
> has happened, however we choose to define "bad news" for that "typical"
> environment?

What >>is<< "bad news"? Do we have sample data?

As part of my general attitude that computers should be doing the work for *us*, I think we could employ the approach of the SpamAssassin (SA) project. The SA developers have a huge corpus of SPAM and "not-SPAM" messages that they apply a genetic algorithm to (not my term) which ends up with patterns that describe SPAM and non-SPAM messages. I suspect many of you are reading this message right now with an "X-Spam-Status:" header in it; SA is a highly effective tool.

The caveat with this approach is that you would need to gather a crapload of logs, and have people somehow denote whether each entry is good, bad or just ugly. With email you can mark a whole message, but with logs you'd have to do this line by line, unfortunately.

Someone could host a repository and allow submission from the public via some CGI, email, or hell even syslog ;) The analysis could be performed every couple of months on the current repository, and we may just end up with something as useful as SA.

This is the first time I've thought of this, and I'm sure I'm missing some critical points (like who is going to host this repository and develop this tool for free, etc, etc) but maybe this idea has some merit.

--
Nate Campi
Wired UNIX Operations
TerraLycos DNS Operations

"It can be shown that for any nutty theory, beyond-the-fringe political view or strange religion there exists a proponent on the Net. The proof is left as an exercise for your kill-file."
- Unknown found in a .signature

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
https://lists.shmoo.com/mailman/listinfo/loganalysis
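The SpamAssassin-style idea in the message above, carried through as an added example that is not part of the original post and is not SpamAssassin's own machinery: a token-based naive Bayes classifier trained on a small, constructed corpus of log lines that have each been labelled "bad" (compromise or catastrophic failure) or "ok" (routine chatter), then used to score new lines and to list the tokens that most strongly indicate bad news. The sample lines, labels and function names are all invented for this example; naive Bayes is used here as a simple stand-in for whatever learning method a real corpus project would pick.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training corpus of (log line, label). The lines are made up for
# this example and come from no real host. Each line carries its own label,
# which is the line-by-line effort the message above points out.
TRAINING = [
    ("sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2", "ok"),
    ("cron[2201]: (root) CMD (run-parts /etc/cron.hourly)", "ok"),
    ("kernel: eth0: link up, 1000Mbps, full-duplex", "ok"),
    ("postfix/smtpd[3311]: connect from mail.example.net[192.0.2.10]", "ok"),
    ("sshd[1240]: session opened for user bob by (uid=0)", "ok"),
    ("named[811]: zone example.net/IN: loaded serial 2002082001", "ok"),
    ("sshd[1301]: Failed password for root from 198.51.100.7 port 4022 ssh2", "bad"),
    ("sshd[1302]: Failed password for root from 198.51.100.7 port 4023 ssh2", "bad"),
    ("kernel: Out of memory: Killed process 4412 (httpd)", "bad"),
    ("su[5120]: FAILED su for root by nobody", "bad"),
    ("kernel: EXT2-fs error (device hda1): ext2_free_blocks: bit already cleared", "bad"),
    ("kernel: promiscuous mode enabled on eth0", "bad"),
]


def tokenize(line):
    """Lowercase the line, fold every run of digits to '#', and return the set
    of tokens. Folding digits makes PIDs, ports and addresses share one token,
    so the model learns 'failed password for root' rather than one IP."""
    folded = re.sub(r"\d+", "#", line.lower())
    return set(re.findall(r"[a-z#][a-z#_.-]*", folded))


def train(corpus):
    """Count, per label, the number of lines and the number of lines in which
    each token appears (presence, not frequency)."""
    doc_counts = Counter()
    token_counts = defaultdict(Counter)
    vocab = set()
    for line, label in corpus:
        doc_counts[label] += 1
        for tok in tokenize(line):
            token_counts[label][tok] += 1
            vocab.add(tok)
    return {"doc_counts": doc_counts, "token_counts": token_counts, "vocab": vocab}


def classify(model, line):
    """Naive Bayes over token presence: start from the log prior of each label,
    then add log P(token present | label), add-one smoothed, for every token
    of the line that was seen in training. Unseen tokens carry no evidence
    and are skipped. Returns (best label, {label: log score})."""
    total_docs = sum(model["doc_counts"].values())
    toks = tokenize(line)
    scores = {}
    for label, n_docs in model["doc_counts"].items():
        score = math.log(n_docs / total_docs)
        for tok in toks:
            if tok not in model["vocab"]:
                continue
            seen = model["token_counts"][label][tok]
            score += math.log((seen + 1) / (n_docs + 2))
        scores[label] = score
    return max(scores, key=scores.get), scores


def top_bad_tokens(model, n=5):
    """Rank vocabulary tokens by the smoothed ratio P(tok|bad) / P(tok|ok).
    The head of the list is the 'pattern that describes bad news' that the
    corpus suggests. Assumes the two labels are exactly 'bad' and 'ok'."""
    n_bad = model["doc_counts"]["bad"]
    n_ok = model["doc_counts"]["ok"]
    ratios = {}
    for tok in model["vocab"]:
        p_bad = (model["token_counts"]["bad"][tok] + 1) / (n_bad + 2)
        p_ok = (model["token_counts"]["ok"][tok] + 1) / (n_ok + 2)
        ratios[tok] = p_bad / p_ok
    return sorted(ratios.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    model = train(TRAINING)
    for line in [
        "sshd[1400]: Failed password for root from 203.0.113.9 port 5001 ssh2",
        "cron[2300]: (root) CMD (/usr/bin/logrotate)",
        "kernel: Out of memory: Killed process 9901 (named)",
    ]:
        label, _ = classify(model, line)
        print(f"{label:>3}  {line}")
    print("strongest bad-news tokens:", top_bad_tokens(model, 5))
```

With a dozen training lines the model is a toy, but it already shows what the corpus approach buys and costs: the ranking is only as good as the labels people attached line by line, a new message type with no seen tokens gets judged on the prior alone, and folding digits is a deliberate choice so that one noisy source address does not become the "pattern".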
This archive was generated by hypermail 2b30 : Tue Aug 20 2002 - 12:03:33 PDT