Matt Shirilla wrote:

> I am glad to read that. I recently started collecting syslog information
> from my network devices. I have learned a great deal by doing this but I
> have been struggling when it comes to analysis.

I've been participating in this list since its inception, and if I were to categorize the discussion, it breaks down neatly into 2 stovepipes:

- How do we change the way things get logged so that we don't have to build mapping tables? (the first knowledge-base)
- How do we automatically build knowledge-bases?

I don't think we'll make a lot of progress in either area because the costs are very high in terms of person-power if we tackle building the knowledge-bases. From my perspective, that's the value organizations like Counterpane are trying to build, with varying degrees of success. By amortizing the cost of message normalization and analysis across multiple customers, you basically get the customer to fund you to build that knowledge-base. The make-or-break issue is how well you can automate the support systems that your human experts use to maintain the knowledge-base of event significance.

Counterpane's model is to build the knowledge-base that is relevant only to their customers. The other approach is Intellitactics' approach: build the knowledge base that's relevant to as many platforms as possible so you can broaden your appeal to as many customers as possible.

I've got some stuff I have been variously cooking on for a year or two now, that I plan to start coding on in June (I have some noncompetes that come off me in June) - it's going to be available for research and noncommercial use when it's done.

Tina and I are going to be doing a tutorial on log analysis for SANS in the fall (that's the plan...) and a chunk of my hands-on session is going to be dealing with some of these issues. That's all the plan, anyhow. :)

mjr.
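The "mapping table" / knowledge-base idea in the post above, shown as a small added example (this is not code from the post, from the list, or from any of the products mentioned): a table of message patterns maps raw syslog lines to a normalized event type plus a significance label, and anything the table cannot map is collected as a worklist for whoever maintains the table. The sample log lines, the program tags and the patterns in the table are all constructed for the example; the event-type and significance names are hypothetical.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class NormalizedEvent(NamedTuple):
    source: str        # syslog program tag, or "unknown"
    event_type: str    # normalized type from the knowledge-base, or "unmapped"/"unparsed"
    significance: str  # label from the knowledge-base, or "review" for gaps
    fields: Dict[str, str]


# Constructed knowledge-base: (program tag, message pattern, event type, significance).
# The patterns and labels are hypothetical; a real table grows as analysts fill gaps.
KNOWLEDGE_BASE: List[Tuple[str, "re.Pattern[str]", str, str]] = [
    ("sshd",
     re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"),
     "auth.failure", "medium"),
    ("sshd",
     re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"),
     "auth.success", "low"),
    ("kernel",
     re.compile(r"DROP .*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
                r"(?: SPT=(?P<sport>\d+) DPT=(?P<dport>\d+))?"),
     "fw.drop", "low"),
]

# Classic BSD syslog line: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed sample input (hosts and addresses are documentation ranges, not real devices).
SAMPLE_LOG = """\
Apr 29 19:01:02 bastion sshd[2104]: Failed password for invalid user admin from 198.51.100.7 port 51822 ssh2
Apr 29 19:01:05 bastion sshd[2104]: Accepted publickey for ops from 203.0.113.10 port 40012 ssh2
Apr 29 19:01:09 edge-fw kernel: [12345.678] iptables DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=51900 DPT=23
Apr 29 19:01:11 bastion cron[3000]: (root) CMD (run-parts /etc/cron.hourly)
"""


def normalize(line: str) -> NormalizedEvent:
    """Map one raw syslog line through the knowledge-base."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Not even the syslog envelope parsed: keep the raw line for review.
        return NormalizedEvent("unknown", "unparsed", "review", {"raw": line})
    host, tag, msg = m.group("host"), m.group("tag"), m.group("msg")
    for program, pattern, event_type, significance in KNOWLEDGE_BASE:
        if program != tag:
            continue
        pm = pattern.search(msg)
        if pm:
            fields = {k: v for k, v in pm.groupdict().items() if v is not None}
            fields.update(host=host, ts=m.group("ts"))
            return NormalizedEvent(program, event_type, significance, fields)
    # Envelope parsed but no table entry: this is a knowledge-base gap.
    return NormalizedEvent(tag, "unmapped", "review", {"host": host, "ts": m.group("ts"), "raw": msg})


def normalize_all(text: str) -> List[NormalizedEvent]:
    return [normalize(line) for line in text.splitlines() if line.strip()]


def knowledge_gaps(events: List[NormalizedEvent]) -> List[Tuple[str, str]]:
    """(program tag, raw message) pairs the table could not map: the analysts' worklist."""
    return [(e.source, e.fields["raw"]) for e in events if e.event_type in ("unmapped", "unparsed")]


def significance_summary(events: List[NormalizedEvent]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.significance] = counts.get(e.significance, 0) + 1
    return counts


if __name__ == "__main__":
    evs = normalize_all(SAMPLE_LOG)
    for e in evs:
        print(f"{e.significance:7} {e.event_type:13} {e.source:8} {e.fields}")
    print("gaps:", knowledge_gaps(evs))
    print("summary:", significance_summary(evs))
```

The unmapped bucket is the part that costs person-power: every entry in it is a message the table has never seen, and the cheapest way to keep such a table alive is to feed exactly that list back to the people who maintain it, ideally with a count so the most frequent unknown message gets mapped first.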
_______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Tue Apr 29 2003 - 19:32:24 PDT