RE: [logs] what to log/what to look for: stateful log analysis?

From: Anton Chuvakin (antonat_private)
Date: Thu Aug 29 2002 - 20:21:52 PDT


    Toby and all,
    
    >I don't know if it is so much the specific sequences in all cases.
    >It is probably more categories of sequences- it doesn't matter if it
    >is ssh or rsh or telnet or ftp, large numbers of failed logins are
    >interesting, service crashes followed by logins with a root-priv account
    >are interesting...
    Bullseye!! That is exactly what I was talking about; it is not so much
    sorting out individual events, but finding out "known malicious" sequences
    that are:
    -platform and software independent
    -network topology independent
    -automatically identifiable (i.e. not requiring AI)
    -more criteria here?
    
    In addition to your examples above:
    -many connection denied followed by connection allowed
    -many firewall denies followed by the IDS alert
    
    Best,
    -- 
      Anton A. Chuvakin, Ph.D., GCIA
         http://www.chuvakin.org
       http://www.info-secure.org
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    
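As an added illustration, not part of Anton's message or any code from the list, the "many X then Y from the same source" sequences named above can be expressed as rules over normalized event categories, which is what keeps them independent of the platform and protocol. The categories, thresholds and windows are assumptions, and the event stream is constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Events are assumed to be normalized upstream into generic categories (auth_fail,
# conn_denied, fw_deny, ...), so the rules below never mention ssh, rsh, telnet or ftp.
@dataclass
class Event:
    ts: int        # seconds (constructed timestamps)
    src: str       # source host the sequence is keyed on
    category: str  # normalized category

@dataclass
class Rule:
    name: str
    precursor: str  # category that must repeat at least min_count times
    min_count: int
    window: int     # seconds within which the precursors must fall
    trigger: str    # category that completes the sequence from the same source

def correlate(events, rules):
    """Single stateful pass over time-ordered events; returns (rule, src, ts) alerts."""
    alerts = []
    state = {r.name: defaultdict(deque) for r in rules}  # rule -> src -> precursor timestamps
    for ev in events:
        for r in rules:
            hist = state[r.name][ev.src]
            while hist and ev.ts - hist[0] > r.window:  # age out precursors outside the window
                hist.popleft()
            if ev.category == r.precursor:
                hist.append(ev.ts)
            elif ev.category == r.trigger and len(hist) >= r.min_count:
                alerts.append((r.name, ev.src, ev.ts))
                hist.clear()  # one alert per completed sequence
    return alerts

RULES = [  # assumed thresholds and windows
    Rule("brute-force-then-success", "auth_fail", 5, 300, "auth_success"),
    Rule("scan-then-allowed", "conn_denied", 10, 600, "conn_allowed"),
    Rule("fw-deny-then-ids", "fw_deny", 10, 600, "ids_alert"),
    Rule("crash-then-root-login", "service_crash", 1, 900, "root_login"),
]

SAMPLE = (  # constructed, time-ordered event stream
    [Event(100 + i, "10.0.0.5", "auth_fail") for i in range(6)]
    + [Event(120, "10.0.0.5", "auth_success")]
    + [Event(200 + i, "10.0.0.9", "fw_deny") for i in range(12)]
    + [Event(230, "10.0.0.9", "ids_alert")]
    + [Event(300, "10.0.0.7", "auth_fail"), Event(310, "10.0.0.7", "auth_success")]
    + [Event(400, "10.0.0.3", "service_crash"), Event(460, "10.0.0.3", "root_login")]
)
```

The single failed login on 10.0.0.7 stays below the threshold and produces nothing, while the other three sequences each yield exactly one alert.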
    This archive was generated by hypermail 2b30 : Fri Aug 30 2002 - 00:21:05 PDT