Hello Tina and all,

I understand that we haven't yet reached anything remotely resembling a conclusion on "what to log" ;-) But Tina also suggested that the discussion should touch the "what is normal to see in the logs".

I was looking at some PIX logs the other day, and it occurred to me that people often attempt to classify "what is normal/abnormal" on a line-by-line basis. That reminded me of the packet filters -> stateful firewall analogy. The former looks at each packet individually while the latter looks at the connection. It would be really nice to have a "stateful log inspection" which looks not at the individual events, but at their logical sequences. In this way, classifying what is normal/anomalous for the environment might be more realizable and more accurate than simply thinking "Is this 'connection denied' message OK?".

I know of at least one open source tool that allows one to easily look at more than one event (SEC). However, while providing a flexible engine for this, the tool doesn't solve the main problem, namely WHICH sequences of events to look for.

To conclude, I suspect that it will be easier to define "bad sequences" than inherently "bad events". And the next step will be to have it done in a normalized way, e.g. 'successful login after 5 failed logins', no matter WHERE the user tries to log in.

Thoughts?

Best,
--
Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
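A worked illustration of the "stateful log inspection" idea in the message above, added here as an example and not code from the original post or from SEC: events from two different log sources are first normalized into a common (timestamp, source, user, outcome) shape, then a per-user state machine flags the sequence 'successful login after 5 failed logins' regardless of where the failures and the success occurred. The sshd-style syslog lines, the "webapp auth" audit format, the user names, the 5-failure threshold and the 10-minute window are all constructed assumptions for the example.

```python
"""Stateful log inspection: alert on a successful login that follows N failed
logins for the same user, no matter which system produced each event.

Added example, not code from the original post. The sshd-style lines and the
"webapp auth" format below are constructed for illustration; thresholds,
window and user names are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Normalization layer: each parser maps a raw line onto the common event
# shape (timestamp, source, user, outcome) with outcome in {"fail", "success"}.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from"
)
# Hypothetical application audit format, assumed for the example.
WEBAPP_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) webapp auth user="(?P<user>[^"]+)" '
    r"result=(?P<outcome>ok|denied)"
)

Event = Tuple[datetime, str, str, str]


def normalize(line: str, year: int = 2002) -> Optional[Event]:
    """Return a normalized event, or None for lines this example does not parse."""
    m = SSHD_RE.match(line)
    if m:  # syslog lines carry no year, so one is assumed
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return (ts, "sshd", m["user"], "success" if m["outcome"] == "Accepted" else "fail")
    m = WEBAPP_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        return (ts, "webapp", m["user"], "success" if m["outcome"] == "ok" else "fail")
    return None


class FailThenSuccessDetector:
    """Keeps per-user state across events instead of judging each line alone."""

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        # user -> recent failures as (timestamp, source), oldest first
        self.failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)

    def feed(self, ev: Event) -> Optional[str]:
        """Consume one event in time order; return an alert string or None."""
        ts, source, user, outcome = ev
        q = self.failures[user]
        while q and ts - q[0][0] > self.window:  # forget failures outside the window
            q.popleft()
        if outcome == "fail":
            q.append((ts, source))
            return None
        alert = None
        if len(q) >= self.threshold:  # success preceded by enough recent failures
            sources = ",".join(sorted({s for _, s in q}))
            alert = (f"{ts.isoformat()} user={user}: success on {source} after "
                     f"{len(q)} failures within {self.window} (sources: {sources})")
        q.clear()  # any success closes the sequence, alerting or not
        return alert


def detect(lines: List[str], threshold: int = 5, window_minutes: int = 10) -> List[str]:
    """Normalize, sort by time, run the detector; unparsed lines are skipped."""
    events = [e for e in (normalize(line) for line in lines) if e is not None]
    det = FailThenSuccessDetector(threshold, timedelta(minutes=window_minutes))
    alerts = []
    for ev in sorted(events, key=lambda e: e[0]):
        a = det.feed(ev)
        if a:
            alerts.append(a)
    return alerts


# Constructed sample input: alice fails 3 times on sshd and twice on the web
# app before succeeding on the web app (5 failures, two sources); bob fails
# once; carol's 5 failures are an hour before her success (outside the window).
SAMPLE_LINES = [
    "Aug 28 10:00:01 fw1 sshd[1201]: Failed password for alice from 10.0.0.5 port 40001 ssh2",
    "Aug 28 10:00:09 fw1 sshd[1201]: Failed password for alice from 10.0.0.5 port 40002 ssh2",
    "Aug 28 10:00:15 fw1 sshd[1201]: Failed password for invalid user alice from 10.0.0.5 port 40003 ssh2",
    '2002-08-28T10:01:30 webapp auth user="alice" result=denied',
    '2002-08-28T10:01:41 webapp auth user="alice" result=denied',
    '2002-08-28T10:02:05 webapp auth user="alice" result=ok',
    "Aug 28 10:03:00 fw1 sshd[1202]: Failed password for bob from 10.0.0.9 port 40010 ssh2",
    "Aug 28 10:03:20 fw1 sshd[1202]: Accepted password for bob from 10.0.0.9 port 40011 ssh2",
    '2002-08-28T08:00:00 webapp auth user="carol" result=denied',
    '2002-08-28T08:01:00 webapp auth user="carol" result=denied',
    '2002-08-28T08:02:00 webapp auth user="carol" result=denied',
    '2002-08-28T08:03:00 webapp auth user="carol" result=denied',
    '2002-08-28T08:04:00 webapp auth user="carol" result=denied',
    '2002-08-28T09:00:00 webapp auth user="carol" result=ok',
    "Aug 28 10:05:00 fw1 sshd[1203]: Accepted password for dave from 10.0.0.7 port 40020 ssh2",
    "Aug 28 10:06:00 fw1 kernel: eth0: link is up",  # unrelated, not parsed
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

Running it yields a single alert, for alice, because her five failures spread across sshd and the web application all fall inside the window before her success; bob and dave never reach the threshold, and carol's failures have aged out. Widening the window (for instance detect(SAMPLE_LINES, window_minutes=120)) makes carol's sequence alert as well, which is the practical caveat: the "bad sequence" is only as good as the window and threshold chosen for the environment, and a rule that keys on the user rather than on the source is what makes it hold "no matter WHERE" the attempts happen.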
This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 09:19:58 PDT