>>>>> On Tue, 29 Apr 2003 17:26:08 -0400, "Marcus J. Ranum" <mjrat_private> said:

MJR> Matt Shirilla wrote:
>> I am glad to read that. I recently started collecting syslog information
>> from my network devices. I have learned a great deal by doing this but I
>> have been struggling when it comes to analysis.

MJR> I've been participating in this list since its inception, and if I were to
MJR> categorize the discussion, it breaks down neatly into 2 stovepipes:
MJR> - How do we change the way things get logged so that we don't
MJR>   have to build mapping tables? (the first knowledge-base)
MJR> - How do we automatically build knowledge-bases?

MJR> I don't think we'll make a lot of progress in either area because the
MJR> costs are very high in terms of person-power if we tackle building
MJR> the knowledge-bases.

I think I would add another sub-topic: The state of log data transport
sucks; why bother to analyze the data when it isn't reliable or complete.
I could also roll "forensics" related discussions into this sub-topic.

Now that the transport problem is solved (at least 3 different ways), we
*do* need to move on to "content": format (syntax) and meaning (semantics).

I am prepared to argue that the only reason network-based IDSs gained
ground is that the IP packet formats were well-defined, so the SNORT and
other folks didn't have to start where we are now.

MJR> From my perspective, that's the value organizations like Counterpane
MJR> are trying to build, with varying degrees of success. By amortizing
MJR> the cost of message normalization and analysis across multiple customers,
MJR> you basically get the customer to fund you to build that knowledge-base.
MJR> The make-or-break issue is how well you can automate the support
MJR> systems that your human experts use to maintain the knowledge-base
MJR> of event significance. Counterpane's model is to build the knowledge-base
MJR> that is relevant only to their customers. The other approach is Intellitactics'
MJR> approach: build the knowledge base that's relevant to as many platforms
MJR> as possible so you can broaden your appeal to as many customers as
MJR> possible.

This is also sorta how the SNORT/NIDS "knowledge base" was built. But they
needed to know the format of what they were sifting through, and have a
language for describing interpretations of what they saw.

-- 
Tom E. Perrine <tepat_private> | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/      |

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
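The mapping-table approach the thread is debating, shown as an added example that is not code from anyone in this thread: the "knowledge-base" is a table of vendor-specific message patterns (syntax) mapped to a shared event meaning (semantics), a normalizer applies it to raw syslog lines, and anything that falls through is counted separately so the person-power backlog of maintaining the table stays visible. The device names, message formats and the sample syslog lines are constructed for illustration, not taken from any real product.

```python
"""Normalize raw syslog lines into a common event schema via a mapping table.

Added example; not code from the LogAnalysis thread. Device formats and the
sample log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional, List, Dict

@dataclass(frozen=True)
class Event:
    device: str                 # which knowledge-base entry matched ("unknown" if none)
    category: str               # normalized meaning, e.g. "auth_failure"
    severity: int               # analyst-assigned significance, 0 (info) .. 3 (critical)
    syslog_severity: int        # severity carried in the syslog <PRI> header (transport level)
    user: Optional[str]
    src_ip: Optional[str]

# The knowledge-base: one entry per known message pattern.
# (device label, regex over the message body, normalized category, severity)
# The device labels and message formats are hypothetical.
KNOWLEDGE_BASE = [
    ("hypothetical-fw",
     re.compile(r"^%FW-4-LOGIN_FAIL: user (?P<user>\S+) from (?P<src_ip>[\d.]+)$"),
     "auth_failure", 2),
    ("hypothetical-fw",
     re.compile(r"^%FW-6-LOGIN_OK: user (?P<user>\S+) from (?P<src_ip>[\d.]+)$"),
     "auth_success", 0),
    ("sshd",
     re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>[\d.]+) port \d+"),
     "auth_failure", 2),
    ("sshd",
     re.compile(r"^Accepted publickey for (?P<user>\S+) from (?P<src_ip>[\d.]+) port \d+"),
     "auth_success", 0),
]

# Classic BSD-style syslog framing: <PRI>TIMESTAMP HOST TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

def normalize(line: str) -> Optional[Event]:
    """Map one raw syslog line to an Event; None if the framing itself is unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    syslog_sev = int(m.group("pri")) % 8          # low 3 bits of PRI are the severity
    msg = m.group("msg")
    for device, pattern, category, severity in KNOWLEDGE_BASE:
        pm = pattern.match(msg)
        if pm:
            return Event(device, category, severity, syslog_sev,
                         pm.group("user"), pm.group("src_ip"))
    # Framing understood, meaning unknown: this is the analyst's backlog.
    return Event("unknown", "unmapped", 1, syslog_sev, None, None)

def normalize_all(lines: List[str]) -> List[Optional[Event]]:
    return [normalize(line) for line in lines]

def summarize(events: List[Optional[Event]]) -> Dict[str, int]:
    """Count events per normalized category; "unmapped" measures knowledge-base gaps."""
    counts: Dict[str, int] = {}
    for e in events:
        if e is None:
            continue
        counts[e.category] = counts.get(e.category, 0) + 1
    return counts

# Constructed sample input (not real captured traffic).
SAMPLE_LINES = [
    "<84>Apr 29 17:26:08 fw1 fw: %FW-4-LOGIN_FAIL: user admin from 192.0.2.10",
    "<38>Apr 29 17:26:09 host1 sshd[2213]: Failed password for invalid user test from 192.0.2.10 port 4022 ssh2",
    "<38>Apr 29 17:26:12 host1 sshd[2215]: Accepted publickey for tep from 198.51.100.7 port 4023 ssh2",
    "<30>Apr 29 17:26:13 host1 cron[400]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    evs = normalize_all(SAMPLE_LINES)
    for ev in evs:
        print(ev)
    print(summarize(evs))
```

Every line the framing regex accepts but no knowledge-base entry explains lands in "unmapped"; tracking that count over time is the simplest measure of how much table-maintenance work a new device or software version has just created.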
This archive was generated by hypermail 2b30 : Thu May 01 2003 - 15:18:09 PDT