RE: [logs] most popular reports...?

• Previous message: Devdas Bhagat: "Re: [logs] most popular reports...?"
• In reply to: Marcus J. Ranum: "[logs] most popular reports...?"
• Next in thread: Marcus J. Ranum: "RE: [logs] most popular reports...?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Another vein of thought to consider is the "insider threat".
In this area, I'd be interested in "access failures".  Failure to:
- Access a server (login)
- Access an application or database
- Access a service or resource
- Access a directory or file

And especially how often and from whom/where these occur.

R,

-Joe Wulf, CISSP
 ProSync Technology Group, LLC
 www.prosync.com
 Senior IA Engineer
 (410) 772-7969  office
 (410) 772-7967  fax
 (443) 801-5597  personal cell

-----Original Message-----
From: loganalysis-bounces+joe_wulf=yahoo.com@private
[mailto:loganalysis-bounces+joe_wulf=yahoo.com@private] On Behalf Of
Marcus J. Ranum
Sent: Tuesday, August 17, 2004 20:28
To: loganalysis@private
Subject: [logs] most popular reports...?

Hi -
	I'm trying to build a list of the "most popular reports" that people
pull from their system logs. This is mostly for my curiousity, but also to
see if log analysts tend to share common goals, or whether we're all over
the spectrum. I'm also hoping to be able to maybe assemble a "top ten" list
that people can look/ask for from log analysis vendors.

Here's my list:
	N should be considered a settable parameter

	- Top N machines sending/receiving traffic through the firewall
	- Top N machines sending/receiving traffic on the network segment
		same as above but inward-looking
	- Top N machines being accessed behind the firewall
	- Breakdown of traffic through firewall by service (%-age)
		this popular as a pie chart
	- Breakdown of traffic on the network segment by service (%-age)
		same as above but inward-looking
	- Top N email address(es) sending Email messages
	- Top N email address(es) receiving Email messages
	- %age of Email that is identified as spam
	- %age of Email that contains blocked attachments
	- Top N machines accessing web
	- Top N targets identified in IDS alerts
	- Top N IDS attacks identified
	- %age of web traffic aimed at sites on porn blacklist
	- %age of traffic aimed at sites on spy/adware blacklist
	- Top N porn-surfers
	- Top N most-ad/spyware infected systems
	- New machines that have served WWW/FTP/SMTP today

(I am teaching a tutorial on system log analysis for SANS and USENIX/LISA
and will gleefully add your good suggestions to my list!) mjr. 

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis


_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Previous message: Devdas Bhagat: "Re: [logs] most popular reports...?"
• In reply to: Marcus J. Ranum: "[logs] most popular reports...?"
• Next in thread: Marcus J. Ranum: "RE: [logs] most popular reports...?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Wed Aug 18 2004 - 11:55:10 PDT