Re: [logs] most popular reports...?

From: Jian Zhen (jlz@private)
Date: Thu Aug 19 2004 - 13:25:06 PDT


Just curious, how do you determine the stuff that you are *not* interested in?
It seems to be a fairly subjective exercise and may result in losing 
important data. (genuine question, not flame bait :)

As an example, deciding all accepts on a firewall are *not* interesting
may not be valid. 

I do agree that some process of elimination is necessary for log analysis,
where this happens is the question.

<RandomThougths>

It seems like in most real-world cases, log analysis is triggered by some
stimuli, e.g. an alert (IDS, SIM, human) or a log report (text or graphical 
format) showing something interesting. Most sysadmins are probably too busy
to consciously go and review logs unless something happens.

It also seems like most of the time, the process of correlation is in 
reverse chronological (temporal) order, as in, you go backwards in order 
to find out what happened (when did the attack occur, where did it come from,
how did it occur). Sometimes you will go forward in time to find out if other 
similar incidents has happened or if the attacker used the host for other
attacks.

There's also a spatial component to the process of correlation as well.
We generally look at logs from multiple hosts/devices across the network
in order to figure out the root cause.

Almost all of the SIM vendors are implementing their systems based on
forward temporal correlation, this is probably useful in detecting some
of the more well known scenarios. If the scenario is not known, most 
likely the attack will be missed.

For most investigations, it seems like reverse spatial & temporal analysis
is more useful.  Pro'ly less processor and memory intensive. However, 
(hey! STRACE = Spatial & Temporal Reverse Analytics & Correlation Engine)

The question is can something like that built to perform the reverse
correlation automatically (or if it's useful at all). There probably has 
to be some rules to tell the engine what to look at next (in reverse).

</RandomThougths>

Tim Sailer (sailer@private) [040819 12:30]:
> The way I've approached it, in my own worthless way, is to tell the tools
> the stuff that I'm *not* interested in. Data reduction is a must in a
> large centrally logging environment. You then pick through the rest
> to find the good nuggets. Approaching logs looking at *all* the data is
> simply a way to lose sleep/hair/braincells. You can then apply the
> fancy tools to visualize the important stuff, and, by default, the 
> stuff you never expected to see, since you didn't way you didn't care
> about it.
> 
> Tim
> 
> -- 
> Tim Sailer <sailer@private> 
> Information and Special Technologies Program
> Office of CounterIntelligence 
> Brookhaven National Laboratory  (631) 344-3001
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Thu Aug 19 2004 - 13:32:28 PDT