I'm curious what algorithms people are using to digest their log files in search of patterns, or other "interesting events", specifically as it relates to firewall or NIDS devices? Most of the tools that I've seen, mainly to analyze firewall logs, output results in descending order of the frequency of individual messages, or "attacks".

A simple example would be: assume that in the course of 24 hours src IP A launches 1,000 packets toward a single dest-port on one of my servers (all get dropped); also during that 24 hours src IP B launches 200 packets toward a single dest-port on one of my servers (again, all get dropped); the resulting log analysis program ranks src A highest, src B second highest, etc.

Although that's one way of looking at the data, I'm interested in more sophisticated analysis that covers other dimensions, specifically: time, distribution of src IPs + ports, distribution of attacks from the same src IPs + ports over time, distribution of dest IPs + ports, distribution of dest IPs + ports over time, etc. The end goal would be to spot attacks, or precursors to attacks, that would otherwise get lost in the "noise" of less sophisticated analysis programs.

What are useful methods/algorithms/tools people are using to do this? Or, do people not lose sleep at night worrying about this :-) ?

-shane

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
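As an added illustration, not part of the original post or any list reply, here is the contrast the poster describes: a plain volume ranking beside two of the extra dimensions asked for (destination-port spread per source, and how concentrated in time each source's packets are). The single-line drop format, the RFC 5737 addresses and the two traffic shapes are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed one-line drop format (an assumption, not any particular firewall's syntax).
LINE_RE = re.compile(r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$")
EPOCH = datetime(1970, 1, 1)

def make_sample_log():
    """Constructed drop log, not real traffic: source A sends 960 packets to one port,
    one every 90 s over 24 h; source B sends 200 packets to 200 different ports in 200 s."""
    t0 = datetime(2003, 2, 20)
    lines = [f"{(t0 + timedelta(seconds=90 * i)).isoformat()} DROP src=198.51.100.1 "
             f"dst=192.0.2.10 dpt=80" for i in range(960)]
    lines += [f"{(t0 + timedelta(hours=3, seconds=i)).isoformat()} DROP src=198.51.100.2 "
              f"dst=192.0.2.10 dpt={1000 + i}" for i in range(200)]
    return lines

def parse(lines):
    """Return (timestamp, src, dst, dport) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])))
    return events

def rank_by_volume(events):
    """The usual ranking: sources sorted by raw packet count (A comes out on top)."""
    return Counter(src for _, src, _, _ in events).most_common()

def rank_by_port_spread(events):
    """Distinct destination ports touched per source: a scan indicator volume ranking hides."""
    ports = defaultdict(set)
    for _, src, _, dpt in events:
        ports[src].add(dpt)
    return sorted(((s, len(p)) for s, p in ports.items()), key=lambda x: -x[1])

def rank_by_burstiness(events, window=timedelta(hours=1)):
    """Share of each source's packets inside its busiest window: 1.0 is a single burst,
    while a slow, steady trickle over 24 one-hour windows scores about 1/24."""
    buckets = defaultdict(Counter)
    for ts, src, _, _ in events:
        buckets[src][int((ts - EPOCH) / window)] += 1
    return sorted(((s, max(c.values()) / sum(c.values())) for s, c in buckets.items()),
                  key=lambda x: -x[1])

if __name__ == "__main__":
    ev = parse(make_sample_log())
    for name, fn in (("volume", rank_by_volume), ("port spread", rank_by_port_spread),
                     ("burstiness", rank_by_burstiness)):
        print(name, fn(ev)[:3])
```

On this input, source B drops to second place by volume but leads both other rankings, which is exactly the kind of event a frequency-only report buries.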
This archive was generated by hypermail 2b30 : Tue Feb 25 2003 - 20:38:26 PST