Julio Jaime wrote:
> I need to know how to find the relation between the events and the set
> of rules that trigger the event.

That's, right now, the single big challenge in log analysis. Currently there are commercial products that try to do that, and several people have built their own research systems, mostly using hard-coded perl scripts, etc.

Basically, what you need to do is normalize or recognize events, pick out the "important" parts, and compare the important parts to produce new important parts. The technical means for doing that aren't difficult - that's a perl script. But the hard part is normalizing/recognizing, which requires a coded knowledge-base. The second hard part is picking out the important parts, which requires a second knowledge-base. And then the combination/comparison aspect requires a third knowledge-base.

The first knowledge-base is the most expensive to build because it is vendor/device specific. The second knowledge-base is hack/vulnerability signature specific and requires hack/vulnerability data. The third is specific to the results of the first two.

I guess what I'm saying is that none of this is rocket science but it depends entirely on building some very expensive intellectual property. Which is why the only people who are doing much with it are well-funded organizations or vendors.

mjr.
---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjrat_private

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
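To make the three-knowledge-base structure in the message concrete, here is an added example (not code from the post, from Ranum, or from any product). It feeds constructed syslog lines from two device types through a vendor-specific recogniser (KB1), a significance tagger (KB2) and combination rules (KB3). Each derived event records which rule produced it and which raw events were its evidence, which is the event-to-rule relation Julio asked about. The log lines, regexes, tag names and rule names are all assumptions made up for this illustration.

```python
"""Minimal three-stage log correlation: normalize -> tag -> combine.

Added illustration, not from the original mailing-list post. All sample
log lines, patterns, tag and rule names below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input: an OpenSSH host and a netfilter firewall, both
# reporting on the same source address (192.0.2.7 is documentation space).
SAMPLE_LOG = """\
Apr 25 10:01:02 bastion sshd[811]: Failed password for root from 192.0.2.7 port 51022 ssh2
Apr 25 10:01:05 bastion sshd[811]: Failed password for root from 192.0.2.7 port 51023 ssh2
Apr 25 10:01:09 fw1 kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP DPT=22
Apr 25 10:01:11 bastion sshd[813]: Failed password for admin from 192.0.2.7 port 51030 ssh2
Apr 25 10:02:00 bastion sshd[820]: Accepted publickey for ops from 203.0.113.4 port 40000 ssh2
"""


@dataclass
class Event:
    raw: str                                  # original line, kept for provenance
    device: str                               # which KB1 recogniser matched
    fields: dict                              # vendor-independent field names
    tags: set = field(default_factory=set)    # KB2 labels


# KB1: vendor/device-specific recognisers mapping raw text to common field names.
# This is the expensive, per-device knowledge base from the message.
KB1 = [
    ("openssh", re.compile(
        r"(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
        r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) "
        r"from (?P<src>[\d.]+)")),
    ("netfilter", re.compile(
        r"(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: .*"
        r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)")),
]


def normalize(line):
    """Return a normalised Event, or None when no recogniser knows the format."""
    for device, pattern in KB1:
        m = pattern.search(line)
        if m:
            return Event(raw=line, device=device, fields=m.groupdict())
    return None


# KB2: what the "important parts" mean. Each entry is a signature over the
# normalised fields; a device-neutral tag is attached when it matches.
KB2 = [
    ("auth_failure", lambda f: f.get("result") == "Failed"),
    ("auth_success", lambda f: f.get("result") == "Accepted"),
    ("ssh_probe", lambda f: f.get("proto") == "TCP" and f.get("dport") == "22"),
]


def tag(event):
    for name, test in KB2:
        if test(event.fields):
            event.tags.add(name)
    return event


# KB3: combination rules over tagged events. Every derived event carries the
# rule name and the list of source Events it was built from.
def rule_ssh_bruteforce(events, threshold=3):
    by_src = defaultdict(list)
    for e in events:
        if "auth_failure" in e.tags:
            by_src[e.fields["src"]].append(e)
    return [{"rule": "ssh_bruteforce", "src": src, "evidence": evs}
            for src, evs in by_src.items() if len(evs) >= threshold]


def rule_probe_then_failure(events):
    """Cross-device rule: firewall saw a port-22 probe and sshd saw failures from the same source."""
    by_src = defaultdict(lambda: {"ssh_probe": [], "auth_failure": []})
    for e in events:
        for t in ("ssh_probe", "auth_failure"):
            if t in e.tags:
                by_src[e.fields["src"]][t].append(e)
    return [{"rule": "probe_then_failure", "src": src,
             "evidence": d["ssh_probe"] + d["auth_failure"]}
            for src, d in by_src.items() if d["ssh_probe"] and d["auth_failure"]]


KB3 = [rule_ssh_bruteforce, rule_probe_then_failure]


def correlate(log_text):
    """Run all three stages; return (normalised events, derived events)."""
    events = [tag(e) for e in (normalize(l) for l in log_text.splitlines()) if e]
    derived = []
    for rule in KB3:
        derived.extend(rule(events))
    return events, derived


if __name__ == "__main__":
    _, derived = correlate(SAMPLE_LOG)
    for d in derived:
        print(f"{d['rule']} from {d['src']} (rule fired on {len(d['evidence'])} events):")
        for e in d["evidence"]:
            print(f"    [{e.device}] {e.raw}")
```

Lines that KB1 does not recognise are dropped rather than guessed at, which mirrors the point in the message: without a recogniser for a given device, nothing downstream can use its events, and the only fix is more KB1 content.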
This archive was generated by hypermail 2b30 : Fri Apr 25 2003 - 10:16:56 PDT