On 17/08/04 20:27 -0400, Marcus J. Ranum wrote:
> Hi -
> I'm trying to build a list of the "most popular reports" that
> people pull from their system logs. This is mostly for my curiosity,
> but also to see if log analysts tend to share common goals, or
> whether we're all over the spectrum. I'm also hoping to be able to
> maybe assemble a "top ten" list that people can look/ask for
> from log analysis vendors.

Top N blocked spam sending systems (by IP, by domain and by IP whois).
-- Useful for judging how good/bad a DNSBL is with respect to your requirements.

Top N servers handling the mail load.
-- Ideally, this should be equally well distributed.

Top N ports being probed.
-- New attacks?

Top N hosts trying to relay via your servers.
-- Zombies? Compromised hosts?

Top N changes to routing information, if running a dynamic routing protocol.
-- Shows network stability/instability.

<Webserver logs, the usual suspects>

Top N machines spewing out useless traffic on the network.
-- Essentially a breakdown by protocol per host, rather than by host per protocol. This should indicate protocols which you would try to avoid on the network/other problems. E.g., if a host which normally does 1 Mb/s of NetBIOS traffic suddenly jumps to 10 Mb/s, you have a problem.

New programs installed on various systems.

Any users created/deleted.

Database logs (for tuning purposes -- number of times a specific query is run, how long the query takes, top N queries, etc.).

DNS -- Top N domains queried for. If running an authoritative reverse DNS, the number of rDNS queries per host. A sudden spike in the number of rDNS requests could indicate a spam run.
> Here's my list:
> N should be considered a settable parameter
>
> - Top N machines sending/receiving traffic through the firewall
> - Top N machines sending/receiving traffic on the network segment
>   same as above but inward-looking
> - Top N machines being accessed behind the firewall
> - Breakdown of traffic through firewall by service (%-age)
>   this is popular as a pie chart
> - Breakdown of traffic on the network segment by service (%-age)
>   same as above but inward-looking
> - Top N email address(es) sending Email messages
> - Top N email address(es) receiving Email messages
> - %age of Email that is identified as spam
> - %age of Email that contains blocked attachments
> - Top N machines accessing web
> - Top N targets identified in IDS alerts
> - Top N IDS attacks identified
> - %age of web traffic aimed at sites on porn blacklist
> - %age of traffic aimed at sites on spy/adware blacklist
> - Top N porn-surfers
> - Top N most-ad/spyware infected systems
> - New machines that have served WWW/FTP/SMTP today
>
> (I am teaching a tutorial on system log analysis for SANS and
> USENIX/LISA and will gleefully add your good suggestions to
> my list!)

Devdas Bhagat

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
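Two of the reports from this thread worked through as an added Python example (not code from either poster): the top N blocked spam senders by IP and by domain, and the per-host protocol breakdown with the 1 Mb/s to 10 Mb/s NetBIOS jump described above flagged as a spike against a baseline window. The MTA log format, host names and traffic figures are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed MTA log lines: "<client-ip> <sender-domain> <action>".
MTA_LOG = """\
198.51.100.7 example.net blocked
198.51.100.7 example.net blocked
203.0.113.9 mail.example.org blocked
198.51.100.20 example.net blocked
203.0.113.9 mail.example.org blocked
192.0.2.44 test.example accepted
198.51.100.7 example.net blocked
""".splitlines()

def top_blocked(lines, n=2):
    """Top N blocked spam-sending systems, reported by IP and by sender domain."""
    by_ip, by_domain = Counter(), Counter()
    for line in lines:
        ip, domain, action = line.split()
        if action == "blocked":          # only DNSBL/policy rejects count
            by_ip[ip] += 1
            by_domain[domain] += 1
    return by_ip.most_common(n), by_domain.most_common(n)

# Constructed per-host traffic samples: (host, protocol, Mb/s) for a
# baseline window and for the current window.
BASELINE_WINDOW = [("ws-01", "netbios", 1.0), ("ws-01", "http", 4.0),
                   ("ws-02", "netbios", 0.8), ("ws-02", "http", 2.0)]
CURRENT_WINDOW = [("ws-01", "netbios", 10.0), ("ws-01", "http", 4.2),
                  ("ws-02", "netbios", 0.9), ("ws-02", "http", 2.5)]

def protocol_breakdown(samples):
    """Breakdown by protocol per host: host -> {protocol: Mb/s}."""
    out = defaultdict(dict)
    for host, proto, rate in samples:
        out[host][proto] = out[host].get(proto, 0.0) + rate
    return out

def spikes(baseline, current, factor=5.0):
    """Hosts whose rate for a protocol grew by at least `factor` over baseline.
    Returns (host, protocol, baseline_rate, current_rate) tuples."""
    base, now = protocol_breakdown(baseline), protocol_breakdown(current)
    alerts = []
    for host, protos in now.items():
        for proto, rate in protos.items():
            ref = base.get(host, {}).get(proto)
            if ref and rate / ref >= factor:   # skip protocols with no baseline
                alerts.append((host, proto, ref, rate))
    return alerts

if __name__ == "__main__":
    print(top_blocked(MTA_LOG))
    print(spikes(BASELINE_WINDOW, CURRENT_WINDOW))
```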
This archive was generated by hypermail 2.1.3 : Wed Aug 18 2004 - 11:41:09 PDT