One of the problems with trying to define a normal state is that it does change, even at one site. An example someone used was Code Red attacks. If you're on one of the lucky subnets, this can be a continuous noise that you probably want to ignore normally.

There are certain things we can say are always bad:

*) root partition full
*) unrecoverable memory error
*) pgsql not running on main PostgreSQL server

etc. Those are pretty easy to come up with and alarm on. The tricky part is noticing *changes* and deciding which changes are worth worrying about. If I normally get 200 ssh probes an hour and I suddenly go down to 20, what happened? If the number of incoming HTTP requests triples in 20 minutes, what happened?

Part of why I like the idea of having a set of ground rules for quickly coming up with normal is that I can then redo that process to reset normal fairly inexpensively. Having something that recorded the rules and let me do diffs of previous normal states would be a neat bonus.

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
https://lists.shmoo.com/mailman/listinfo/loganalysis
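The post above separates three things: a short list of conditions that are always bad, a baseline of what "normal" looks like for a noisy metric such as ssh probes per hour, and a way to record that baseline so a later one can be diffed against it. The following script is an added example written for this archive page, not code from the poster or the LogAnalysis list. It counts failed-login lines per hour from a few constructed sshd log lines, compares each hour against the median of the preceding hours so that both a sudden drop (200 probes an hour falling to 20) and a sudden spike are flagged, applies a couple of static always-bad rules, and diffs two recorded "normal" snapshots. The log lines, the hourly series, the metric names and the 0.25/3.0 thresholds are all made up for the example.

```python
import re
from collections import Counter
from statistics import median

# Constructed syslog-style sshd lines; not taken from any real host.
SAMPLE_LINES = [
    "Aug 20 09:02:11 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Aug 20 09:17:45 bastion sshd[4131]: Failed password for root from 203.0.113.7 port 51030 ssh2",
    "Aug 20 09:40:03 bastion sshd[4150]: Accepted publickey for ops from 192.0.2.10 port 40022 ssh2",
    "Aug 20 10:05:59 bastion sshd[4201]: Failed password for invalid user test from 198.51.100.4 port 60001 ssh2",
]

# Matches only failed-password lines; the timestamp groups give the hour bucket.
PROBE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: Failed password"
)


def count_probes_per_hour(lines):
    """Return {(month, day, hour): number of failed-login lines} for the input."""
    counts = Counter()
    for line in lines:
        m = PROBE_RE.match(line)
        if m:
            counts[(m["mon"], int(m["day"]), int(m["hour"]))] += 1
    return dict(counts)


def baseline(history):
    """'Normal' for a metric is the median of recent per-hour counts.

    The median is used rather than the mean so that one odd hour in the history
    does not drag the baseline with it.
    """
    return median(history)


def classify(count, normal, drop_ratio=0.25, spike_ratio=3.0):
    """Label one hour as 'drop', 'spike' or 'normal' relative to the baseline.

    Both directions are flagged: a count that collapses may mean a dead
    sensor, a rotated log path or a filter change rather than a quieter network.
    """
    if normal == 0:
        return "spike" if count > 0 else "normal"
    ratio = count / normal
    if ratio <= drop_ratio:
        return "drop"
    if ratio >= spike_ratio:
        return "spike"
    return "normal"


def scan(series, window=24):
    """Compare each hour against the median of the previous `window` hours.

    Returns a list of (index, count, baseline, verdict) for every flagged hour.
    """
    findings = []
    for i in range(window, len(series)):
        normal = baseline(series[i - window:i])
        verdict = classify(series[i], normal)
        if verdict != "normal":
            findings.append((i, series[i], normal, verdict))
    return findings


# Constructed hourly probe counts: a day of ~200/hour, then one hour at 20 and one at 600.
HOURLY_PROBES = [200] * 24 + [210, 190, 20, 205, 600, 200]

# Static rules that are bad regardless of any baseline. Metric names are invented.
ALWAYS_BAD = {
    "root_partition_pct_used": lambda v: v >= 100,
    "pgsql_running": lambda v: v is False,
}


def check_static(state):
    """Return the names of always-bad rules that the current state trips."""
    return [name for name, is_bad in ALWAYS_BAD.items() if name in state and is_bad(state[name])]


def diff_normal(old, new):
    """Diff two recorded 'normal' snapshots: {metric: (old_value, new_value)} for changed metrics."""
    keys = set(old) | set(new)
    return {k: (old.get(k), new.get(k)) for k in sorted(keys) if old.get(k) != new.get(k)}


if __name__ == "__main__":
    print(count_probes_per_hour(SAMPLE_LINES))
    for idx, count, normal, verdict in scan(HOURLY_PROBES):
        print(f"hour {idx}: {count} probes vs baseline {normal:.0f} -> {verdict}")
    print(check_static({"root_partition_pct_used": 100, "pgsql_running": True}))
    print(diff_normal({"ssh_probes_per_hour": 200, "http_req_per_min": 50},
                      {"ssh_probes_per_hour": 20, "http_req_per_min": 50}))
```

In practice the hourly series would come from `count_probes_per_hour` run over a day or more of real logs, and the snapshot passed to `diff_normal` would be the per-metric baselines written out when "normal" was last reset; the point of keeping the snapshots is that a re-baseline after a change is a cheap diff rather than a fresh investigation.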
This archive was generated by hypermail 2b30 : Tue Aug 20 2002 - 12:08:43 PDT