Toby and all,

> I don't know if it is so much the specific sequences in all cases.
> It is probably more categories of sequences- it doesn't matter if it
> is ssh or rsh or telnet or ftp, large numbers of failed logins are
> interesting, service crashes followed by logins with a root-priv account
> are interesting...

Bullseye!! That is exactly what I was talking about; it is not so much sorting out individual events, but finding out "known malicious" sequences that are:

- platform and software independent
- network topology independent
- automatically identifiable (i.e. not requiring AI)
- more criteria here?

In addition to your examples above:

- many connection denied followed by connection allowed
- many firewall denies followed by the IDS alert

Best,

-- 
Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
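The sequence categories discussed in this thread (many failed logins regardless of service, a service crash followed by a root login, many firewall denies followed by an accept) can be expressed as a small rule engine over normalized events. The Python below is an added illustration, not code from the post or the LogAnalysis list: the syslog-style lines, the category names, the thresholds and the time windows are all constructed assumptions chosen to exercise the three rules.

```python
"""Sequence-based log correlation: events are normalized into
platform-independent categories first, then simple "N triggers followed
by X within a window" rules are matched per correlation key."""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts category host source")
# key: which event field the sequence is correlated on ("source" or "host")
Rule = namedtuple("Rule", "name trigger min_count followed_by window key")

# Constructed sample log (not real data). BSD syslog timestamps carry no year,
# so only the relative spacing of the events matters here.
SAMPLE_LOG = """\
Aug 29 10:00:01 gw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=22
Aug 29 10:00:02 gw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=23
Aug 29 10:00:03 gw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=21
Aug 29 10:00:04 gw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=25
Aug 29 10:00:05 gw kernel: DENY IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=80
Aug 29 10:00:09 gw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 DPT=8080
Aug 29 10:01:00 srv sshd[411]: Failed password for alice from 198.51.100.9 port 4001
Aug 29 10:01:03 srv telnetd[520]: login failed for alice from 198.51.100.9
Aug 29 10:01:05 srv ftpd[533]: login failed for alice from 198.51.100.9
Aug 29 10:01:07 srv sshd[412]: Failed password for bob from 198.51.100.9 port 4002
Aug 29 10:01:09 srv sshd[413]: Failed password for root from 198.51.100.9 port 4003
Aug 29 10:02:00 srv init: service named exited on signal 11
Aug 29 10:02:40 srv sshd[450]: Accepted password for root from 198.51.100.9 port 4010
Aug 29 10:05:00 srv sshd[460]: Failed password for carol from 192.0.2.44 port 5000
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")

# Classifier rules (assumed message formats): ssh, telnet and ftp failures
# all collapse into the single category "auth_fail", which is what makes the
# sequence rules platform- and software-independent.
CLASSIFIERS = [
    (re.compile(r"Failed password for \S+ from (\S+)"), "auth_fail"),
    (re.compile(r"login failed for \S+ from (\S+)"), "auth_fail"),
    (re.compile(r"Accepted password for root from (\S+)"), "root_login"),
    (re.compile(r"service \S+ exited on signal"), "service_crash"),
    (re.compile(r"DENY .*SRC=(\S+)"), "fw_deny"),
    (re.compile(r"ACCEPT .*SRC=(\S+)"), "fw_allow"),
]

# Assumed thresholds and windows; tune to the environment.
RULES = [
    Rule("many_failed_logins", "auth_fail", 5, None, timedelta(minutes=2), "source"),
    Rule("denies_then_allow", "fw_deny", 3, "fw_allow", timedelta(minutes=1), "source"),
    Rule("crash_then_root_login", "service_crash", 1, "root_login", timedelta(minutes=5), "host"),
]


def normalize(line):
    """Turn one raw syslog line into an Event, or None if it is not of interest."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    host, msg = m.group(2), m.group(4)
    for pattern, category in CLASSIFIERS:
        hit = pattern.search(msg)
        if hit:
            # Use the captured peer address as the source when the message has
            # one; otherwise (e.g. a local service crash) fall back to the host.
            source = hit.group(1) if hit.groups() else host
            return Event(ts, category, host, source)
    return None


def correlate(events, rules):
    """Return (rule, key, time) alerts for every matched sequence."""
    alerts = []
    history = defaultdict(deque)  # (rule name, key value) -> trigger timestamps
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:
            key_value = getattr(ev, rule.key)
            q = history[(rule.name, key_value)]
            while q and ev.ts - q[0] > rule.window:  # expire old triggers
                q.popleft()
            if ev.category == rule.trigger:
                q.append(ev.ts)
                if rule.followed_by is None and len(q) >= rule.min_count:
                    alerts.append((rule.name, key_value, ev.ts.strftime("%H:%M:%S")))
                    q.clear()
            elif ev.category == rule.followed_by and len(q) >= rule.min_count:
                alerts.append((rule.name, key_value, ev.ts.strftime("%H:%M:%S")))
                q.clear()
    return alerts


def run(log_text=SAMPLE_LOG):
    events = [e for e in map(normalize, log_text.splitlines()) if e]
    return correlate(events, RULES)


if __name__ == "__main__":
    for rule_name, key_value, when in run():
        print(f"{when} {rule_name} {key_value}")
```

On the sample input the engine raises exactly three alerts: the firewall accept after five denies from 203.0.113.7, the fifth failed login from 198.51.100.9 (spread across sshd, telnetd and ftpd), and the root login on srv forty seconds after a service crash; the isolated failure from 192.0.2.44 never reaches the threshold. Clearing the queue on a match is what keeps a long brute-force run from alerting on every event past the threshold.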
This archive was generated by hypermail 2b30 : Fri Aug 30 2002 - 00:21:05 PDT