Jose Nazario wrote:
> is no one doing any trend analysis (i.e. fastest rising ports being hit)?
> all i see listed so far are static "top N" reports.

Most of the folks who are looking at that problem are intensely focused on visualization. Take a look at "Therminator" and "The Spinning Cube of Potential Doom" etc.

http://www.nersc.gov/nusers/security/TheSpinningCube.php
http://www.arxiv.org/PS_cache/cond-mat/pdf/0402/0402325.pdf

Lancope has some cool Therminator stuff in their StealthWatch product. I haven't talked to anyone who has practical experience with it. I'm not convinced of the value of such systems outside of the cool factor, but it's mostly because I keep seeing them as just different ways of accessing the same underlying metaphors and presenting them in new ways. The underlying metaphors are really moving averages, runs tests, and distances from the mean. What we haven't figured out how to do is use them in a way that helps, so visualizing is really just a cool way of graphically twiddling the "gain", "bass" and "treble" to see what comes out.

mjr.

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
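As an added example (not part of the thread and not code from any of the products named in it), the following Python script applies the three "metaphors" the reply names, a moving-average baseline, distance from the mean in sigmas, and a runs check (how many consecutive periods a count has gone up), to per-port hit counts, and ranks ports by how fast they are rising rather than by a static "top N". The log format, the seven days of counts, the window size and the sigma floor are all constructed assumptions for the illustration.

```python
"""Rank destination ports by rising trend instead of static volume.

Added example, not from the LogAnalysis thread. The summary-line format and
the daily counts below are constructed; the window and sigma floor are
assumed tuning choices.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: one line per day, "port:hits" pairs (not real data).
# Port 80 is high-volume but flat; 445 is flat; 1433 is noisy;
# 3127 is tiny in absolute terms but roughly doubling every day.
SAMPLE_LOG = """\
day=1 80:1000 445:20 3127:2 1433:40
day=2 80:1020 445:22 3127:3 1433:10
day=3 80:990 445:18 3127:5 1433:50
day=4 80:1010 445:21 3127:9 1433:5
day=5 80:1005 445:19 3127:17 1433:45
day=6 80:995 445:23 3127:33 1433:8
day=7 80:1010 445:20 3127:65 1433:48
"""


def parse_counts(text):
    """Return {port: [hits ordered by day]} from the constructed summary lines."""
    per_port = defaultdict(dict)
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("day="):
            continue  # skip anything that is not a day summary line
        day = int(fields[0][len("day="):])
        for token in fields[1:]:
            port, hits = token.split(":")
            per_port[int(port)][day] = int(hits)
    return {p: [d[k] for k in sorted(d)] for p, d in per_port.items()}


def run_length_up(series):
    """Length of the run of consecutive increases ending at the last sample.

    A long run up is the simple "runs test" signal: seven days of strictly
    rising counts is unlikely to be noise even if each step is small.
    """
    run = 0
    for prev, cur in zip(reversed(series[:-1]), reversed(series[1:])):
        if cur > prev:
            run += 1
        else:
            break
    return run


def trend_score(series, window=4, min_sigma=1.0):
    """Distance of the latest count from a moving-average baseline, in sigmas.

    The baseline is the `window` samples before the latest one. The sigma
    floor (assumed choice) stops a dead-flat baseline from turning any blip
    into a division by zero or an infinite score.
    Returns (z, baseline_mean).
    """
    if len(series) < window + 1:
        raise ValueError("need at least window+1 samples")
    base = series[-window - 1:-1]
    mu = mean(base)
    sigma = max(pstdev(base), min_sigma)
    return (series[-1] - mu) / sigma, mu


def rank_rising_ports(text, window=4):
    """Rank ports by sigma-distance from baseline, run length as tiebreaker."""
    rows = []
    for port, series in parse_counts(text).items():
        z, mu = trend_score(series, window)
        rows.append({"port": port, "latest": series[-1], "baseline": mu,
                     "z": z, "run_up": run_length_up(series)})
    rows.sort(key=lambda r: (r["z"], r["run_up"]), reverse=True)
    return rows


if __name__ == "__main__":
    for r in rank_rising_ports(SAMPLE_LOG):
        print(f"port {r['port']:>5}  latest={r['latest']:>5}  "
              f"baseline={r['baseline']:>8.1f}  z={r['z']:+.2f}  "
              f"run_up={r['run_up']}")
```

On the constructed data, port 3127 (65 hits, against a four-day baseline of 16) ranks first by a wide margin even though port 80 has fifteen times the absolute volume; a static top-N table would show the opposite. The sort key is the thing the reply calls "twiddling the gain": the window length and sigma floor decide how much of the ranking is signal and how much is yesterday's noise, and it is worth checking them against a few days of a site's own logs before trusting the list.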
This archive was generated by hypermail 2.1.3 : Wed Aug 18 2004 - 13:54:19 PDT