I don't know if it is so much the specific sequences in all cases. It is probably more categories of sequences: it doesn't matter if it is ssh or rsh or telnet or ftp, large numbers of failed logins are interesting, service crashes followed by logins with a root-priv account are interesting... The large task here is creating the categories and then mapping between them and the actual event names.

> -----Original Message-----
> From: Anton Chuvakin [mailto:antonat_private]
> Sent: Thursday, August 29, 2002 1:28 PM
> To: Kohlenberg, Toby
> Cc: loganalysisat_private
> Subject: RE: [logs] what to log/what to look for: stateful log analysis?
> Importance: High
>
> Toby and all,
>
> >There are a bunch of engines that can do this
> Yes, that certainly is true, but what about the fuel for those engines?
> Actually, not only the fuel is missing; also the roadway and the map ;-)
>
> >The real trick is the nomenclature stuff, IMHO.
> That is exactly my point! The HOW is better developed than WHAT in this case. But is it really realistic to just ask _everybody_ what sequences of events they look for while doing log analysis and then create a comprehensive database of them...? To me, this sounds like an insurmountable task...
>
> Best,
> --
> Anton A. Chuvakin, Ph.D., GCIA
> http://www.chuvakin.org
> http://www.info-secure.org

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 17:05:20 PDT
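The category-then-sequence approach Toby describes, as an added example that is not from the thread: a small Python normaliser maps ssh, telnet and ftp failure messages onto one shared category, then a stateful pass looks for many failures from one source inside a window and for a service crash followed by a root login. The category names, regexes, thresholds and the syslog sample are constructed assumptions, not anyone's production rules.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sample mixing several daemons; not from the original post.
SAMPLE_LOG = """\
Aug 29 13:01:02 host sshd[812]: Failed password for bob from 10.0.0.5 port 4021 ssh2
Aug 29 13:01:04 host sshd[812]: Failed password for bob from 10.0.0.5 port 4022 ssh2
Aug 29 13:01:06 host in.telnetd[900]: login failed for bob from 10.0.0.5
Aug 29 13:01:08 host ftpd[950]: FTP LOGIN FAILED FROM 10.0.0.5, bob
Aug 29 13:05:00 host kernel: httpd[1200] segfault at 0 ip 0 sp 0 error 4
Aug 29 13:05:30 host sshd[813]: Accepted password for root from 10.0.0.5 port 4100 ssh2
"""

RULES = [  # nomenclature layer: each daemon's own wording maps onto one shared category (names assumed)
    (re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"), "auth_fail"),
    (re.compile(r"telnetd\[\d+\]: login failed for (?P<user>\S+) from (?P<src>\S+)"), "auth_fail"),
    (re.compile(r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (?P<src>\S+), (?P<user>\S+)"), "auth_fail"),
    (re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"), "auth_success"),
    (re.compile(r"kernel: (?P<proc>\S+)\[\d+\] segfault"), "service_crash"),
]

def normalize(line):
    for rx, cat in RULES:
        m = rx.search(line)
        if m:
            return datetime.strptime(line[:15], "%b %d %H:%M:%S"), cat, m.groupdict()
    return None  # lines no rule covers are dropped, not guessed

def analyze(text, fail_threshold=4, fail_window=60, crash_window=600):
    alerts = []
    fails = defaultdict(deque)  # source -> recent auth_fail timestamps, whatever the service
    last_crash = None           # (timestamp, process) of the most recent service crash
    for line in text.splitlines():
        if (ev := normalize(line)) is None:
            continue
        ts, cat, f = ev
        if cat == "auth_fail":
            q = fails[f["src"]]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=fail_window):
                q.popleft()
            if len(q) == fail_threshold:  # fire once, when the threshold is first crossed
                alerts.append(("brute_force", f["src"], len(q)))
        elif cat == "service_crash":
            last_crash = (ts, f["proc"])
        elif cat == "auth_success" and f["user"] == "root":
            if last_crash and ts - last_crash[0] <= timedelta(seconds=crash_window):
                alerts.append(("crash_then_root_login", last_crash[1], f["src"]))
    return alerts
```

Adding a daemon means adding one line to RULES; the sequence logic in analyze never has to change, which is the point of separating the categories from the event names.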