On 18/08/04 14:58 -0400, Marcus J. Ranum wrote:
> Devdas Bhagat wrote:
> >Top N blocked spam sending systems (by IP, by domain and by ip whois).
> > -- Useful for judging how good/bad a DNSBL is with respect to
> > your requirements
>
> I am assuming here you mean "in general" not from internal systems? ;)
> So this would be a report from your spam-blocking system, right?

Yes. I work for a largish email provider, and we are in the process of
implementing that type of analysis to LART the top ISPs sending us spam.

> >Top N servers handling the mail load.
> > -- Ideally, this should be equally well distributed.
>
> I completely hadn't considered looking at load/load spreading for
> servers. Interesting idea. You're treading on network management
> here. :)

Logs work for that. You could do the same for webservers, or any other
network service.

> >Top N ports being probed.
> > -- New attacks?
>
> Probe == ? Syn/RST? Deny at the firewall? I am assuming the latter
> since it's something you should be able to get easily from your
> firewall logs.

Good idea! SYN packets / UDP packets which are getting blocked on the edge.
Lots of probes to port 23 would be an issue, even if getting dropped on
the edge.

Again, if you have the network set up correctly, only your regular SMTP
gateways should be talking to the outside world. Any system trying to
contact the world on port 25 is then a virus with its own SMTP engine, or
a misconfigured client. Systems trying to connect to IRC could also be
suspect. Systems trying to bypass a web proxy.....

> >Top N hosts trying to relay via your servers.
> > -- Zombies? Compromised hosts?
>
> What do you mean here? Is this rejects from firewall, or from mail server?
> Internal/external?

This is external servers.
Stuff that hits your MX and generates logs like:

Aug 8 23:48:03 evita postfix/smtpd[12075]: NOQUEUE: reject: RCPT from 218-174-248-37.dynamic.hinet.net[218.174.248.37]: 504 <none-9m4f9c59gi>: Helo command rejected: need fully-qualified hostname; from=<business@private> to=<business@private> proto=SMTP helo=<none-9m4f9c59gi>

(This one was caught by a different access rule, but would have been
rejected anyway).

This should be used to LART the provider/locally block IP ranges.

> I am guessing that most organizations want reports of internal-facing
> stuff more than external. Am I correct?
>
> >Top N changes to routing information, if running a dynamic routing protocol.
> > -- Shows network stability/instability
>
> Interesting;
> Do you think this would be better represented as a breakdown of
> gateways used? (you'd need to roll this up from all boundary systems. ow)

Centralised syslog server. Summarise and per gateway. If you have multiple
links to a provider on different routers, and one is flaky, you may have a
hardware issue. If both flake, it's most likely a provider issue.

> >Top N machines spewing out useless traffic on the network.
> > -- essentially a breakdown by protocol per host, rather than by
> > host per protocol. This should indicate protocols which you
> > would try to avoid on the network/other problems. Eg, if a host
> > which normally does 1 Mb/s of NetBIOS traffic suddenly jumps to
> > 10 Mb/s, you have a problem.
>
> This is really more like a "count of policy violations" or "count of
> non-standard protocols" right?? I am thinking that this would most
> likely be implemented with a whitelist atop tcpdump

Possibly. I was thinking ntop (http://www.ntop.org/), but since we have the
information, might as well look at it along the other axis. Not necessarily
policy violations, but more of an anomaly detection system. NetBIOS is
being used, you expect to see it on the Windows system, but the average
usage should show the same pattern over time.
Devdas Bhagat

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
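The "Top N" reports discussed in this thread (blocked senders by IP and by domain, hosts trying to relay, and a per-gateway summary from a centralised syslog) come straight out of Postfix smtpd reject lines like the one quoted above. The following script is an added illustration, not code from the thread or from either poster: it parses lines of that shape, rolls them up by IP, rDNS domain, gateway and reject reason, and prints the top N of each. The log lines, gateway names (mx1, mx2), hostnames and addresses are constructed for the example (documentation IP ranges), and the "domain" of a client is approximated as the last two labels of its reverse DNS name, which is an assumption and not how a whois-based rollup would do it.

```python
import re
from collections import Counter

# Postfix smtpd reject lines of the shape quoted in the thread:
#   <timestamp> <gateway> postfix/smtpd[<pid>]: NOQUEUE: reject: RCPT from
#   <rdns>[<ip>]: <code> <...>: <reason>; from=<...> to=<...> proto=... helo=<...>
# Postfix logs "unknown" as the rDNS name when the client has no reverse DNS.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<gateway>\S+) postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<rdns>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<reason>[^;]*);"
)

# Constructed sample log, as if collected from two MX gateways on a central
# syslog server. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """
Aug  8 23:48:03 mx1 postfix/smtpd[12075]: NOQUEUE: reject: RCPT from host-37.dyn.example.net[192.0.2.37]: 504 <none-abc>: Helo command rejected: need fully-qualified hostname; from=<a@example.org> to=<b@example.com> proto=SMTP helo=<none-abc>
Aug  8 23:48:09 mx1 postfix/smtpd[12075]: NOQUEUE: reject: RCPT from host-37.dyn.example.net[192.0.2.37]: 554 <b@example.com>: Relay access denied; from=<a@example.org> to=<b@example.com> proto=SMTP helo=<none-abc>
Aug  8 23:50:11 mx2 postfix/smtpd[3311]: NOQUEUE: reject: RCPT from host-38.dyn.example.net[192.0.2.38]: 554 <c@example.com>: Relay access denied; from=<x@example.org> to=<c@example.com> proto=ESMTP helo=<host-38>
Aug  8 23:51:40 mx1 postfix/smtpd[12080]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 <d@example.com>: Relay access denied; from=<y@example.org> to=<d@example.com> proto=SMTP helo=<localhost>
Aug  8 23:52:02 mx2 postfix/smtpd[3320]: NOQUEUE: reject: RCPT from host-37.dyn.example.net[192.0.2.37]: 554 <e@example.com>: Relay access denied; from=<a@example.org> to=<e@example.com> proto=SMTP helo=<none-abc>
Aug  8 23:53:15 mx1 postfix/smtpd[12081]: NOQUEUE: reject: RCPT from mail.example.com[203.0.113.5]: 450 <f@example.com>: Recipient address rejected: Greylisted; from=<z@example.com> to=<f@example.com> proto=ESMTP helo=<mail.example.com>
Aug  8 23:53:20 mx1 postfix/smtpd[12081]: connect from mail.example.com[203.0.113.5]
""".strip().splitlines()


def rdns_domain(rdns):
    """Approximate the responsible domain from a reverse DNS name.

    Assumption for this example: the last two labels are good enough to group
    a provider's dynamic pool; a real report would fall back to whois.
    """
    if rdns == "unknown":
        return "unknown"
    labels = rdns.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else rdns


def parse_reject(line):
    """Return a dict of fields for a reject line, or None for any other line."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the leading "<helo or recipient>: " so identical reasons group together.
    rec["reason"] = re.sub(r"^<[^>]*>: ", "", rec["reason"])
    rec["domain"] = rdns_domain(rec["rdns"])
    return rec


def top_n(lines, key, n=5):
    """Top N values of one field (ip, domain, gateway, reason, code) across the log."""
    counts = Counter()
    for line in lines:
        rec = parse_reject(line)
        if rec is not None:
            counts[rec[key]] += 1
    return counts.most_common(n)


def report(lines, n=5):
    """Print the Top N tables a mail admin would want from these rejects."""
    for key, title in (("ip", "rejected clients by IP"),
                       ("domain", "rejected clients by rDNS domain"),
                       ("gateway", "rejects per gateway"),
                       ("reason", "reject reasons")):
        print(f"Top {n} {title}:")
        for value, count in top_n(lines, key, n):
            print(f"  {count:6d}  {value}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run against a real mail log with `top_n(open("/var/log/mail.log"), "ip")`; the regex skips anything that is not a NOQUEUE reject, so the whole file can be fed in. The per-gateway table is the check for the "equally well distributed" point raised earlier in the thread, and a sudden change in the IP or domain table between days is the signal for blocking a range or contacting the provider.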
This archive was generated by hypermail 2.1.3 : Wed Aug 18 2004 - 12:51:26 PDT