You raise a good point. Had I the time I'd do more of that. I look at Dshield on a regular basis as I can't do all of what I'd like to do. Ken Connolly's Intrusions posts are another good source. On the other hand, some things do pop up as a result of non-automated reporting. A few weeks ago there was a spike in ssh probes using a non-standard ssh version naming. (I forget the exploit name at the moment.) I did some ad-hoc trending of that as it was of singular interest to me.

Now that you raise the point, what do you use for your trending?

Regards

Bruce

+---------------------------------------+
Bruce B. Platt, Ph.D.
ei3 Corporation
136 Summit Avenue
Montvale, NJ 07645
201-802-9080

> -----Original Message-----
> From: Jose Nazario [mailto:jose@private]
> Sent: Wednesday, August 18, 2004 3:14 PM
> To: loganalysis@private
> Subject: RE: [logs] most popular reports...?
>
>
> is no one doing any trend analysis (i.e. fastest rising ports being hit)?
> all i see listed so far are static "top N" reports. if you have more than
> a handful of servers for any of those services they'll always swamp out
> the interesting bits in "top N" reports. trend analysis can yield more
> insightful results, but you have to have a decent window and additional
> filters in place to spot real trends (as opposed to the normal ebb and
> flow of traffic).
>
> ________
> jose nazario, ph.d. jose@private
> http://monkey.org/~jose/ http://infosecdaily.net/
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
>
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
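The quoted message asks for "fastest rising ports" rather than a static "top N", and notes that this needs a decent window plus extra filters to separate a real trend from normal ebb and flow. The script below is an added example, written for this archive page and not code from either poster: it parses a hypothetical syslog-style firewall DROP line (the format, the 11-day baseline / 3-day recent windows, the minimum hit count, the minimum distinct-source count and the growth threshold are all assumptions), then ranks destination ports by the ratio of their recent per-day rate to their baseline per-day rate. The sample log is constructed inline so the block runs offline; it models steady high-volume services that would swamp a top-N report, a quiet ssh port whose probe rate jumps from many sources (the kind of spike the reply above describes), a single loud scanner on one port, and a port with too few hits to matter.

```python
"""Fastest-rising destination ports from firewall drop logs.

Added example for the LogAnalysis thread above; not the posters' own tooling.
Compares a recent window against a baseline window and ranks ports by growth,
with filters so steady busy services and one-off noise do not dominate.
"""
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Hypothetical syslog-style firewall line (format is an assumption):
#   Aug 15 03:12:44 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: DROP .*?"
    r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

Record = namedtuple("Record", "ts src dport")
Trend = namedtuple("Trend", "dport baseline_per_day recent_per_day ratio sources")


def parse_log(lines, year):
    """Parse DROP lines into Records. syslog has no year, so the caller supplies it."""
    records = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # non-matching lines (ACCEPT, other daemons) are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append(Record(ts, m["src"], int(m["dpt"])))
    return records


def top_n(records, start, end, n=5):
    """The static 'top N' view: most-hit ports in [start, end), by volume only."""
    counts = Counter(r.dport for r in records if start <= r.ts < end)
    return [port for port, _ in counts.most_common(n)]


def rising_ports(records, end, recent_days=3, baseline_days=11,
                 min_recent=20, min_sources=3, min_ratio=2.0):
    """Ports whose recent per-day rate grew at least min_ratio over their baseline rate.

    Filters (all thresholds are assumptions):
      min_recent  - ignore ports with too few recent hits to be meaningful
      min_sources - ignore a single loud scanner; a trend needs many sources
      min_ratio   - ignore ordinary day-to-day fluctuation
    """
    recent_start = end - timedelta(days=recent_days)
    baseline_start = recent_start - timedelta(days=baseline_days)
    base, recent, sources = Counter(), Counter(), defaultdict(set)
    for r in records:
        if recent_start <= r.ts < end:
            recent[r.dport] += 1
            sources[r.dport].add(r.src)
        elif baseline_start <= r.ts < recent_start:
            base[r.dport] += 1

    trends = []
    for port, n in recent.items():
        if n < min_recent or len(sources[port]) < min_sources:
            continue
        # Floor the baseline at one hit so a brand-new port does not divide by zero.
        base_rate = max(base[port], 1) / baseline_days
        recent_rate = n / recent_days
        ratio = recent_rate / base_rate
        if ratio < min_ratio:
            continue
        trends.append(Trend(port, round(base_rate, 1), round(recent_rate, 1),
                            round(ratio, 1), len(sources[port])))
    trends.sort(key=lambda t: (-t.ratio, -t.recent_per_day))
    return trends


def build_sample_log(end):
    """Constructed sample input (not real traffic): 14 days of drops ending at `end`."""
    lines = []

    def emit(day, port, n, n_sources):
        for i in range(n):
            ts = day + timedelta(seconds=(i * 37) % 86400)   # spread hits across the day
            src = f"203.0.113.{i % n_sources + 1}"
            lines.append(f"{ts:%b %d %H:%M:%S} fw kernel: DROP IN=eth0 "
                         f"SRC={src} DST=192.0.2.10 PROTO=TCP DPT={port}")

    # Steady services: (hits per day, distinct sources). These always win a top-N by volume.
    steady = {80: (500, 50), 443: (400, 40), 445: (300, 40), 25: (200, 20), 53: (100, 10), 1433: (20, 10)}
    for d in range(14):
        day = end - timedelta(days=14 - d)
        for port, (n, s) in steady.items():
            emit(day, port, n, s)
        in_recent = d >= 11
        emit(day, 22, 60 if in_recent else 10, 60 if in_recent else 10)  # ssh probe wave, many sources
        if in_recent:
            emit(day, 3127, 4, 4)       # too few hits to be a trend
        if d == 13:
            emit(day, 6129, 150, 1)     # one loud scanner from a single source
    return lines


if __name__ == "__main__":
    END = datetime(2004, 8, 18)
    recs = parse_log(build_sample_log(END), year=2004)
    print("top by volume, last 3 days:", top_n(recs, END - timedelta(days=3), END))
    for t in rising_ports(recs, END):
        print("rising:", t)
```

On the constructed data the top-5 by volume is the same handful of busy services, while the trend view returns only port 22, whose rate went from 10 to 60 drops a day across 60 sources. Loosening `min_sources` to 1 lets the single scanner on 6129 through with an enormous ratio (its baseline is zero), which is exactly why a distinct-source filter belongs alongside the window comparison.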
This archive was generated by hypermail 2.1.3 : Wed Aug 18 2004 - 12:49:03 PDT