Re: [logs] most popular reports...?

From: Augusto Paes de Barros (apbarros@private)
Date: Thu Aug 19 2004 - 10:05:38 PDT


Marcus,

Greg Conti showed some tools and ideas about putting network
information on graphical forms at Defcon this year. It was very
interesting.

Another one that caught my attention was presented by Stefano Zanero.
He showed some research on learning systems and presented some data
generated by it in graphical forms. It was interesting to see spikes
on graphics representing attacks that were executed with exploits not
previously known by the system.

Regards,

Augusto Paes de Barros.



On Wed, 18 Aug 2004 17:43:18 -0400, Marcus J. Ranum <mjr@private> wrote:
> Kohlenberg, Toby wrote:
> >But you have to figure out what your goals are if you are going to
> >visualize the data.
>
> Funny - Jose and I were having a similar discussion offline.
> My theory is that visualization is mostly useful as an exploratory
> tool. Basically, you've got your "Bass" "Treble" and "Volume"
> knobs you can mess with, and you can change the position of
> the antennas and mess with the UHF knob until the picture
> comes clear. The underlying goo driving it all is statistics of
> some sort or another. But once you've used the visualization
> tool to explore the data set you might go "Wow. This one is useful!"
> Then you can fine-tune to collect that value in a less-expensive
> format (i.e.: a pie chart or whatever)  and you can start to
> optimize by precomputing values you now know are of interest.
>
> A bunch of years ago, when I was at NFR, I talked to a bunch of
> guys from SAS. They were really hot to "do something with IDS
> logs."  I was really hot to "have someone do something with IDS
> logs." It seemed like a fit. I flew down to RTP with a CDROM of
> useless data hoping it would magically turn into valuable
> information. I told the SAS guys, "well, here it IS!" and they
> said, "OK, so what does it MEAN?"   I was flummoxed: "huh?
> You tell me!" They replied, "No! You tell US!"
>
> There's this weird chicken/egg relationship. I think when we talk
> visualization what we really want is something to facilitate that
> process of exploration. Of course we have this great tool for
> that stuck behind our eyes and between our ears, and we'd
> go to any lengths to avoid having to use it, lest it wear out. :)
>
> In my logging tutorial, one of the first things I try to get people
> to consider doing is just sitting there for a while looking at the
> darned things with "more".
>
> Hey! Can someone write me a 3-d version of "more" so I can
> visualize my logs? ;)
>
>
>
> mjr.
>


--
Augusto Paes de Barros, CISSP
http://www.paesdebarros.com.br
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
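The workflow sketched in the thread, explore the raw log volume first, spot the spike, then precompute the one value you now know matters, as an added example that is not code from either poster. It uses constructed syslog-style lines (hypothetical host "gw" and addresses), buckets them per minute, renders a plain-text histogram in the spirit of "just look at it with more", flags minutes whose volume is far above the median, and then computes the narrower statistic (failed logins per source) that the spike points to.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample syslog-style lines (hypothetical host "gw"; not from the thread).
# Six quiet minutes with one event each, plus a burst of failed logins in minute 10:05.
SAMPLE_LINES = [
    "Aug 19 10:00:03 gw sshd[412]: Accepted publickey for ops from 10.0.0.5",
    "Aug 19 10:01:11 gw sshd[413]: Failed password for invalid user test from 10.0.0.9",
    "Aug 19 10:02:40 gw sshd[414]: Accepted publickey for ops from 10.0.0.5",
    "Aug 19 10:03:02 gw sshd[415]: Failed password for invalid user admin from 10.0.0.9",
    "Aug 19 10:04:17 gw sshd[416]: Accepted publickey for ops from 10.0.0.6",
    "Aug 19 10:06:23 gw sshd[431]: Accepted publickey for ops from 10.0.0.5",
] + [
    f"Aug 19 10:05:{4 * i:02d} gw sshd[{420 + i}]: Failed password for invalid user u{i} from 10.0.0.9"
    for i in range(12)
]

TIMESTAMP_RE = re.compile(r"^\w{3} +\d{1,2} (\d{2}:\d{2}):\d{2} ")
SOURCE_RE = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+)")


def minute_of(line):
    """Return the HH:MM bucket of a syslog line, or None if it carries no timestamp."""
    m = TIMESTAMP_RE.match(line)
    return m.group(1) if m else None


def count_per_minute(lines):
    """Exploration step: events per minute, sorted by minute."""
    counts = Counter(b for b in map(minute_of, lines) if b)
    return dict(sorted(counts.items()))


def find_spikes(counts, factor=3.0):
    """Flag minutes whose volume exceeds factor * median.

    The median is used as the baseline because, unlike the mean, it is not
    dragged upward by the very spike we are trying to detect.
    """
    if not counts:
        return []
    baseline = median(counts.values())
    return [minute for minute, n in counts.items() if n > factor * baseline]


def text_histogram(counts, width=40):
    """Plain-text bar chart, one line per minute: the 'look at it with more' view."""
    peak = max(counts.values()) if counts else 1
    return "\n".join(
        f"{minute} {'#' * round(n * width / peak):<{width}} {n}"
        for minute, n in counts.items()
    )


def failed_logins_by_source(lines):
    """Precompute step: once the spike shows failed logins matter, count them per source."""
    return Counter(m.group(1) for m in map(SOURCE_RE.search, lines) if m)


if __name__ == "__main__":
    per_minute = count_per_minute(SAMPLE_LINES)
    print(text_histogram(per_minute))
    print("spike minutes:", find_spikes(per_minute))
    print("failed logins by source:", failed_logins_by_source(SAMPLE_LINES).most_common(3))
```

The median-based threshold is the design choice worth noting: with a mean-based baseline a single large burst inflates its own threshold, whereas the median stays at the quiet-minute level, so the 10:05 burst stands out clearly against the rest.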



This archive was generated by hypermail 2.1.3 : Thu Aug 19 2004 - 11:34:59 PDT