On Tue, 2002-10-29 at 23:04, Marcus J. Ranum wrote:
> Dale.Drewat_private wrote:
> >You need to be able to look for
> >"abnormal" patterns in log data
>
> I'd like to know how to do this. Any pointers? ;-)

I think Marcus himself has probably posted the best ideas along this thread, namely his whole concept of "stateful logging". Key in on what you know and understand to be normal, question everything else. The entries might in fact be "abnormal", or they could be false positives. Best way to tell is to have a clueful human on the back end sorting it out. From there it's just a matter of tweaking the system to reduce the false positive rate.

Now all we need is someone(s) to write such a system. Maybe someone who has already done similar in the firewall and IDS realm perhaps? ;-)

C
--
**************************************
cbrentonat_private
find / -name \*yourbase\* -exec chown us:us {} \;

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
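The loop the message sketches (learn what is normal, flag everything that does not match, let a human decide, feed the decision back to cut the false-positive rate) is small enough to show in working code. The following is an added example and is not code from the thread or from any of its participants. It assumes syslog-style lines; the log lines, host name, user names and addresses below are constructed for the example, and the normalisation rules (timestamp, IPv4 address, bare integer) are a deliberately minimal choice.

```python
import re

# Normalisation rules, applied in order. Each collapses a field that varies
# from event to event (timestamp, IP address, PID, port, counter) into a
# placeholder, so what is left is the fixed message text: the "template".
# Placeholders contain no digits, so later rules never touch earlier ones.
_RULES = [
    (re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}"), "<TS>"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
    (re.compile(r"\b\d+\b"), "<N>"),
]


def template(line: str) -> str:
    """Reduce one syslog line to its template by replacing variable fields."""
    for pattern, placeholder in _RULES:
        line = pattern.sub(placeholder, line)
    return line


def learn_baseline(known_good):
    """Build the set of templates we know and understand to be normal."""
    return {template(line) for line in known_good}


def find_abnormal(lines, baseline):
    """Return every line whose template is not in the baseline.

    These are the entries to question: some are real anomalies, some are
    false positives, and only a human on the back end can tell which.
    """
    return [line for line in lines if template(line) not in baseline]


def mark_benign(baseline, line):
    """Human feedback: this line is normal, so stop flagging its template."""
    baseline.add(template(line))


# Constructed sample data (not real logs). KNOWN_GOOD is a slice of log
# history already reviewed and understood; NEW_BATCH is the next batch.
KNOWN_GOOD = [
    "Oct 29 23:04:01 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Oct 29 23:05:12 host1 sshd[1240]: Accepted publickey for bob from 10.0.0.7 port 51240 ssh2",
    "Oct 29 23:06:00 host1 cron[300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Oct 29 23:07:00 host1 cron[301]: (root) CMD (run-parts /etc/cron.hourly)",
]

NEW_BATCH = [
    "Oct 30 01:00:00 host1 cron[400]: (root) CMD (run-parts /etc/cron.hourly)",
    "Oct 30 01:02:13 host1 sshd[1300]: Failed password for root from 192.0.2.9 port 44000 ssh2",
    "Oct 30 01:02:15 host1 sshd[1301]: Accepted publickey for carol from 10.0.0.9 port 51300 ssh2",
    "Oct 30 01:03:00 host1 ntpd[77]: synchronized to 10.0.0.1, stratum 3",
    "Oct 30 01:03:01 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
]


def review_cycle():
    """One pass of the loop: flag, human review, tune, flag again.

    Returns (flagged before tuning, flagged after tuning) so the effect of
    the feedback on the false-positive rate is visible.
    """
    baseline = learn_baseline(KNOWN_GOOD)
    first = find_abnormal(NEW_BATCH, baseline)

    # Simulated human verdicts: carol is a legitimate new user and the ntpd
    # sync message is routine, so both templates join the baseline. The
    # failed root login and the sudo-to-root shell stay flagged for a look.
    mark_benign(baseline, NEW_BATCH[2])
    mark_benign(baseline, NEW_BATCH[3])
    second = find_abnormal(NEW_BATCH, baseline)
    return first, second


if __name__ == "__main__":
    before, after = review_cycle()
    print(f"flagged before tuning: {len(before)}, after: {len(after)}")
    for line in after:
        print("  ?", line)
```

The normalisation is where the judgement lives: the user name is left in the template on purpose, so a first login by an unseen account surfaces as a question rather than being silently folded into "accepted publickey for <user>". Each human verdict is one `mark_benign` call, and the baseline only ever grows from reviewed lines, never from the unreviewed batch itself.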
This archive was generated by hypermail 2b30 : Wed Oct 30 2002 - 08:23:46 PST