Re: [logs] most popular reports...?

From: Marcus J. Ranum (mjr@private)
Date: Wed Aug 18 2004 - 11:58:52 PDT


Devdas Bhagat wrote:
>Top N blocked spam sending systems (by IP, by domain and by IP whois).
>        -- Useful for judging how good/bad a DNSBL is with respect to
>                your requirements

I am assuming here you mean "in general" not from internal systems? ;)
So this would be a report from your spam-blocking system, right?

>Top N servers handling the mail load.
>        -- Ideally, this should be equally well distributed.

I completely hadn't considered looking at load/load spreading for
servers. Interesting idea. You're treading on network management
here. :)

>Top N ports being probed.
>        -- New attacks?

Probe == ? SYN/RST? Deny at the firewall? I am assuming the latter
since it's something you should be able to get easily from your
firewall logs. Good idea!

>Top N hosts trying to relay via your servers.
>        -- Zombies? Compromised hosts?

What do you mean here? Is this rejects from firewall, or from mail server?
Internal/external?

I am guessing that most organizations want reports of internal-facing
stuff more than external. Am I correct?

>Top N changes to routing information, if running a dynamic routing protocol.
>        -- Shows network stability/instability

Interesting;
        Do you think this would be better represented as a breakdown of
gateways used? (you'd need to roll this up from all boundary systems. ow)

>Top N machines spewing out useless traffic on the network.
>        -- essentially a breakdown by protocol per host, rather than by
>        host per protocol. This should indicate protocols which you
>        would try to avoid on the network/other problems. Eg, if a host
>        which normally does 1 Mb/s of NetBIOS traffic suddenly jumps to
>        10 Mb/s, you have a problem.

This is really more like a "count of policy violations" or "count of
non-standard protocols" right?? I am thinking that this would most
likely be implemented with a whitelist atop tcpdump.

[other stuff]

mjr.

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Wed Aug 18 2004 - 12:02:42 PDT
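
The "whitelist atop tcpdump" report discussed in the message above, sketched as an added example (not code from the thread or its participants): it parses `tcpdump -nn` text output and ranks hosts by off-whitelist packets, broken down by protocol per host. The whitelist contents, the function names, the "lower port is the service port" heuristic and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed policy: the only (protocol, service port) pairs allowed on this network.
WHITELIST = {("tcp", 25), ("tcp", 80), ("tcp", 443), ("udp", 53)}

# Matches IPv4 lines from `tcpdump -nn`: "IP src.sport > dst.dport: rest"
LINE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)")

def violations(lines, whitelist=WHITELIST):
    """Return {src_host: Counter({(proto, port): packets})} for off-whitelist traffic."""
    per_host = defaultdict(Counter)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # ARP, ICMP, IPv6 and truncated lines are out of scope here
        src, sport, _dst, dport, rest = m.groups()
        # tcpdump prints "Flags [...]" only for TCP; other lines with ports are treated as UDP.
        proto = "tcp" if rest.startswith("Flags [") else "udp"
        # Heuristic (assumption): the lower port is the service, so replies from an
        # allowed service are not counted against the server.
        key = (proto, min(int(sport), int(dport)))
        if key not in whitelist:
            per_host[src][key] += 1
    return per_host

def top_n(per_host, n=10):
    """Hosts ranked by total off-whitelist packets, each with its per-protocol breakdown."""
    ranked = sorted(per_host.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [(host, sum(c.values()), c.most_common()) for host, c in ranked[:n]]

# Constructed sample capture (not real traffic).
SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.51234 > 192.0.2.10.25: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 192.0.2.10.25 > 10.0.0.5.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
12:00:02.000001 IP 10.0.0.7.137 > 10.0.0.255.137: UDP, length 50
12:00:02.000002 IP 10.0.0.7.137 > 10.0.0.255.137: UDP, length 50
12:00:03.000001 IP 10.0.0.7.40001 > 10.0.0.9.445: Flags [S], seq 5, win 65535, length 0
12:00:04.000001 IP 10.0.0.8.40002 > 198.51.100.3.6667: Flags [P.], seq 1:43, ack 1, win 512, length 42
12:00:05.000001 IP 10.0.0.5.40003 > 10.0.0.1.53: 4242+ A? example.com. (29)
12:00:06.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
"""

if __name__ == "__main__":
    for host, total, breakdown in top_n(violations(SAMPLE.splitlines()), n=5):
        print(host, total, breakdown)
```

Fed from a live capture, the same functions can read `tcpdump -nn -l` output line by line from standard input; a sudden change in one host's count for a single protocol is the signal the quoted NetBIOS example describes.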