Re: [logs] most popular reports...?

From: Jason Haar (Jason.Haar@private)
Date: Wed Aug 18 2004 - 20:57:46 PDT


On Tue, Aug 17, 2004 at 08:27:32PM -0400, Marcus J. Ranum wrote:
> Here's my list:
> 	N should be considered a settable parameter
> 
> 	- Top N machines sending/receiving traffic through the firewall
> 	- Top N machines sending/receiving traffic on the network segment
>...


...I'd add "Internal IP addresses being blocked via an edge firewall more
than N times/hour"

Always an indicator of bad activity. Obviously in our Windows world,
effectively all machines are blocked at some point, but more than 200/hour
should be a pretty safe cutoff point to get rid of those false positives
and still catch the bad machines.

This is assuming you are doing egress filtering of your LAN traffic, of
course (and we all do that - right? :-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
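The report Jason proposes above ("internal IP addresses blocked by the edge firewall more than N times per hour", with N = 200) is simple enough to implement directly. The following is an added example, not code from the original post or from any firewall vendor; it assumes a constructed, generic deny-log line format ("<ISO timestamp> DENY <src>:<sport> -> <dst>:<dport>") and treats the RFC 1918 ranges as "internal". The sample log it runs over is constructed inline so the script runs offline.

```python
"""Flag internal hosts denied by the edge firewall more than N times per hour.

Added example for the LogAnalysis thread above; not the list's or any
vendor's code. The DENY line format below is a constructed, generic one.
"""
from collections import Counter
from datetime import datetime
import ipaddress
import re

# Threshold from the post: strictly more than 200 blocks in one hour flags a host.
DEFAULT_THRESHOLD = 200

# Assumption: "internal" means the RFC 1918 private ranges. Egress filtering
# on the edge firewall is what produces DENY lines with these as sources.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed line format: "<ISO timestamp> DENY <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(r"^(\S+) DENY (\S+):\d+ -> (\S+):\d+")


def is_internal(ip_str):
    """True if ip_str parses as an address inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip) for a DENY line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def count_blocks_per_hour(lines):
    """Count denies per (internal source IP, clock-hour bucket).

    Buckets are wall-clock hours (10:00-10:59), not a sliding window, so a
    burst straddling the hour boundary is split across two buckets.
    """
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _dst = parsed
        if not is_internal(src):
            continue  # external sources hitting the inside are a different report
        hour = ts.replace(minute=0, second=0, microsecond=0)
        counts[(src, hour)] += 1
    return counts


def noisy_hosts(lines, threshold=DEFAULT_THRESHOLD):
    """Return sorted (src_ip, hour_iso, count) for hosts blocked more than threshold times in an hour."""
    return sorted((src, hour.isoformat(), n)
                  for (src, hour), n in count_blocks_per_hour(lines).items()
                  if n > threshold)


def make_sample_log():
    """Constructed sample data: one quiet host, one at exactly the cutoff,
    one well over it, and a noisy external source that must be ignored."""
    lines = []
    # Normal workstation: a handful of denies in the hour.
    for i in range(5):
        lines.append(f"2004-08-18T10:{i:02d}:00 DENY 10.1.2.3:{50000 + i} -> 203.0.113.9:445")
    # Host at exactly 200 denies: "more than 200" means this is NOT flagged.
    for i in range(200):
        lines.append(f"2004-08-18T10:{i // 60:02d}:{i % 60:02d} DENY 10.1.2.50:{40000 + i} -> 198.51.100.{i % 254 + 1}:445")
    # Worm-like host: 250 denies to many destinations on one port.
    for i in range(250):
        lines.append(f"2004-08-18T10:{i // 60:02d}:{i % 60:02d} DENY 10.1.2.99:{40000 + i} -> 198.51.100.{i % 254 + 1}:135")
    # External scanner blocked at the edge: not an internal host, so excluded.
    for i in range(300):
        lines.append(f"2004-08-18T10:{i // 60:02d}:{i % 60:02d} DENY 192.0.2.7:{40000 + i} -> 10.1.2.3:22")
    return lines


if __name__ == "__main__":
    for src, hour, n in noisy_hosts(make_sample_log()):
        print(f"{hour} {src} blocked {n} times")
```

Two things worth keeping in mind when turning this into a real report: the clock-hour bucketing means a host that starts scanning at 10:45 may not cross the threshold until the 11:00 bucket fills, and the cutoff itself should be tuned against a week of your own logs rather than taken from the post, since the right N depends on how chatty your desktop build is.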



This archive was generated by hypermail 2.1.3 : Thu Aug 19 2004 - 09:45:44 PDT