RE: [logs] most popular reports...?

From: Bruce Platt (Bruce@private)
Date: Wed Aug 18 2004 - 12:06:29 PDT


I look separately at what's happening on the inside (LANs, etc.) and on the
outside (Internet).

What I look at most, which others may not have mentioned, are:

Internet:

1. Top N machines generating Postfix rejects due to forged client name in
received header, unknown user name in alias tables, etc.
(Postfix and allied filtering mechanisms do lots of processing outside of
our firewalls.)
2. Top N domains/IPs generating spam and offering virus-laden mail
3. Snort reports for top N machines trying things like MS IIS exploits
4. Top N sources of probes for ports like ssh, telnet, 135-139 and 445,
(lots of overlap between these and #2.  :-) and other interesting ports
(pick your list) (These are all blocked.)
5. Top N machines trying a dns zone x-fer other than my allowed secondaries.
6. Top N machines looking for smtp servers other than those advertised in
domain MX records.  (Not really sure why I like this, but it seems smart to
me.)

Inside:

1. Top N web-browse targets.
2. Top N machines trying to mail to internet (blocked by policy, but a good
indicator of compromise).
3. Top N machines trying bot channel ports (blocked by policy, but ditto).
4. Top N machines trying to do ftp-puts (blocked by policy, and no one
should be, but ...).
5. Top N users of web proxy (more to see who is doing lots of web browsing
than for any specific security reason).
6. Top N dhcp lease requests.  (dhcp server supposed to only give out by MAC
address, but never hurts to check.)
7. Top N machines needing patches (arghhhh!  On the one hand, better sw by
that vendor would require less of this; on the other, can I afford the risk
of hassling people into doing this?  And some of those critical patches
break non-MS sw which we need to use.)

And others, but these are my favorites for a quick check on what is going
on.

Best Regards

+---------------------------------------+
Bruce B. Platt, Ph.D.
ei3 Corporation
136 Summit Avenue
Montvale, NJ 07645
201-802-9080


> -----Original Message-----
> From: Marcus J. Ranum [mailto:mjr@private]
> Sent: Tuesday, August 17, 2004 8:28 PM
> To: loganalysis@private
> Subject: [logs] most popular reports...?
> 
> 
> Hi -
> 	I'm trying to build a list of the "most popular reports" that
> people pull from their system logs. This is mostly for my curiosity,
> but also to see if log analysts tend to share common goals, or
> whether we're all over the spectrum. I'm also hoping to be able to
> maybe assemble a "top ten" list that people can look/ask for
> from log analysis vendors.
> 
> Here's my list:
> 	N should be considered a settable parameter
> 
> 	- Top N machines sending/receiving traffic through the firewall
> 	- Top N machines sending/receiving traffic on the network segment
> 		same as above but inward-looking
> 	- Top N machines being accessed behind the firewall
> 	- Breakdown of traffic through firewall by service (%-age)
> 		this popular as a pie chart
> 	- Breakdown of traffic on the network segment by service (%-age)
> 		same as above but inward-looking
> 	- Top N email address(es) sending Email messages
> 	- Top N email address(es) receiving Email messages
> 	- %age of Email that is identified as spam
> 	- %age of Email that contains blocked attachments
> 	- Top N machines accessing web
> 	- Top N targets identified in IDS alerts
> 	- Top N IDS attacks identified
> 	- %age of web traffic aimed at sites on porn blacklist
> 	- %age of traffic aimed at sites on spy/adware blacklist
> 	- Top N porn-surfers
> 	- Top N most-ad/spyware infected systems
> 	- New machines that have served WWW/FTP/SMTP today
> 
> (I am teaching a tutorial on system log analysis for SANS and
> USENIX/LISA and will gleefully add your good suggestions to
> my list!)
> mjr. 
> 
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
> 
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
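Bruce's first Internet item (top N clients generating Postfix rejects, broken out by reject reason), as an added Python example that is not code from either poster. The log lines are constructed samples in Postfix smtpd's reject format, and the reason-to-category mapping is an assumption, not anything Postfix itself provides.

```python
import re
from collections import Counter

# Constructed sample Postfix smtpd log lines (not real traffic); the
# "connect from" line shows that non-reject lines are ignored.
SAMPLE_LOG = """\
Aug 18 11:58:01 mx postfix/smtpd[4120]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<x@example.net> to=<bob@example.org> proto=ESMTP helo=<mail.example.org>
Aug 18 11:58:07 mx postfix/smtpd[4120]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<y@example.net> to=<carol@example.org> proto=ESMTP helo=<mail.example.org>
Aug 18 11:59:30 mx postfix/smtpd[4131]: NOQUEUE: reject: RCPT from host.example.com[198.51.100.7]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<z@example.com> to=<nobody@example.org> proto=ESMTP helo=<host.example.com>
Aug 18 12:00:02 mx postfix/smtpd[4135]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <joe@example.org>: Recipient address rejected: User unknown in local recipient table; from=<w@example.net> to=<joe@example.org> proto=ESMTP helo=<mail.example.org>
Aug 18 12:00:15 mx postfix/smtpd[4135]: connect from mail.example.com[203.0.113.5]
Aug 18 12:01:44 mx postfix/smtpd[4140]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 450 4.7.1 Client host rejected: cannot find your hostname, [203.0.113.9]; from=<q@example.net> to=<bob@example.org> proto=ESMTP helo=<example.org>
"""

# Postfix smtpd reject line; the enhanced status code (4.7.1 etc.) is
# optional since older Postfix releases log only the three-digit code.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?:\d\.\d+\.\d+ )?(?P<reason>[^;]*);")

# Assumed mapping from reject text to a short label; first match wins.
REASON_CATEGORIES = (
    ("cannot find your hostname", "unknown client hostname"),
    ("User unknown", "unknown recipient"),
    ("Helo command rejected", "helo rejected"),
)

def categorize(reason):
    for needle, label in REASON_CATEGORIES:
        if needle in reason:
            return label
    return "other"

def parse_rejects(text):
    """One (ip, host, code, category) tuple per reject line in text."""
    rejects = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects.append((m["ip"], m["host"], m["code"], categorize(m["reason"])))
    return rejects

def top_n_clients(text, n=10):
    """Top N client IPs by reject count, as (ip, count) pairs."""
    return Counter(r[0] for r in parse_rejects(text)).most_common(n)

def rejects_by_category(text):
    """Reject counts per category: the 'why' column of the report."""
    return Counter(r[3] for r in parse_rejects(text))
```

On the sample, `top_n_clients(SAMPLE_LOG, 3)` returns `[('192.0.2.10', 3), ('198.51.100.7', 1), ('203.0.113.9', 1)]`; on a real mail log, feed it the day's `postfix/smtpd` lines and raise N.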



This archive was generated by hypermail 2.1.3 : Wed Aug 18 2004 - 12:09:43 PDT