Re: [logs] Reliably detecting things like the SQL worm....

From: Chris Adams (cadamsat_private)
Date: Sun Jan 26 2003 - 13:53:00 PST


> Of course, I should be able to detect that there is something going on
> due to the sharp increase in network traffic and - as far as the
> firewalled sites are concerned - the number of firewall alerts. HOWEVER,
> most of this data is reported by syslog. This being UDP is one of the
> first things to be thrown away during congestion. I think the worm is
> the first situation that in reality proves whether or not syslog is able
> to provide a high enough message delivery rate to trigger alerts - or be
> of no use at all.

The biggest lesson is simply network structure: if you have all of your
control and logging going over the same network (or a VLAN without some sort
of prioritization or reserved bandwidth), you're screwed.

One interesting syslog aspect involves the replacement protocols. Is there a
syslog replacement out there which uses QoS so that routers can prioritize
critical errors ahead of the flood of low-priority errors (e.g. per-probe
notifications) and worm traffic?

Most of the syslog replacements seem to focus on application-level
prioritization, which doesn't help much if you envision a future where most
hosts speak the syslog replacements natively - the most you could do in that
case would be pushing aggregators further out towards the edge, which is
expensive and unlikely to happen on most networks. Even regular syslog would
be better in this case if you had a version which set the appropriate IP QoS
bits before sending.
LogAnalysis mailing list

This archive was generated by hypermail 2b30 : Sun Jan 26 2003 - 18:46:45 PST