Re: [logs] most popular reports...?

From: Augusto Paes de Barros (apbarros@private)
Date: Thu Aug 19 2004 - 14:32:09 PDT


An important thing that we should notice is that trying to identify
what is wrong without a specific definition of what is wrong is as
easy as defining what is right. So working with systems that, visually
or not, try to show things that deviate from what is considered right
will not work on situations where your variables can be in a wide
range. Looking at IP addresses and port numbers is easy, but the
problem will increase when we talk about variables from higher layers.

Exactly because of that I think that anomaly based systems will work
better on internal networks. The simple fact of restricting the number
of sources or destinations of the communication will help.

(back to the graphical discussion)

As a suggestion, we may try to show visually the processes that users
use in the network. Your sys admin accesses the Internet, e-mail, and
a bunch of servers through SSH, from his workstation and from VPN at
night. I can clearly see a plot out of the graphic when he starts to
use telnet from the servers to other places at weekends. The problem
here is how to put all these variables at only 3 dimensions.

Can that thing called "phase space analysis" help on this?

Regards,

Augusto.

On Thu, 19 Aug 2004 11:56:16 -0700, Tina Bird
<tbird@precision-guesswork.com> wrote:
> 
> > This is because telling what is "odd" is a very difficult thing to do on
> > a computer. And I mean difficult in the scientific meaning of the word:
> > we often lack the conceptual tools to do so.
> >
> > But really, it's nice to see that my research isn't a total waste of
> > time :P
> >
> Oh, I know -- in an earlier life I worked on statistics -- multivariate
> hypothesis tests, and that in a situation where I had continuous variables
> and relatively well tested theories that gave me a reasonable model for
> things I "ought" to see.  But then I decided to move into a field that paid
> a living wage ;-)
> 
> Of course, I didn't have the sense to find >easy< problems to work on.
> 
> This is why whenever I'm looking at logs or doing any other repetitive task,
> I consciously try to observe what my brain is doing for pattern detection --
> and then fire messages off to Marcus and this list, if I notice anything
> that might be helpful.  Like the "sources of remote connections" request
> yesterday, which came straight out of looking at data from machines
> compromised in what's now being called the "Teragrid compromises."


-- 
Augusto Paes de Barros, CISSP
http://www.paesdebarros.com.br
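One way to make the "deviation from what this user normally does" idea above concrete, as an added example that is not part of the original thread: build a per-user baseline from past events and flag any combination of source host, protocol and time-of-week that was never seen for that user. All users, hosts and events below are constructed sample data.

```python
"""Per-user baseline and deviation check (constructed example, not from the thread)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, user, src_host, protocol, destination).
# The sysadmin browses and reads mail from the workstation by day, and
# reaches servers over SSH from the workstation by day and from the VPN at night.
BASELINE = [
    ("2004-08-02 09:15", "sysadmin", "workstation", "http", "internet"),
    ("2004-08-02 10:40", "sysadmin", "workstation", "smtp", "mailserver"),
    ("2004-08-03 11:05", "sysadmin", "workstation", "ssh",  "srv01"),
    ("2004-08-04 23:30", "sysadmin", "vpn",         "ssh",  "srv02"),
    ("2004-08-05 22:10", "sysadmin", "vpn",         "ssh",  "srv01"),
    ("2004-08-06 14:00", "sysadmin", "workstation", "ssh",  "srv03"),
]

def period(ts):
    """Collapse a timestamp into coarse buckets: weekday/weekend and day/night."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    day = "weekend" if t.weekday() >= 5 else "weekday"
    hour = "night" if t.hour >= 20 or t.hour < 6 else "day"
    return day, hour

def build_profile(events):
    """Per-user set of observed (src_host, protocol, day_type, hour_type) tuples."""
    profile = defaultdict(set)
    for ts, user, src, proto, _dst in events:
        profile[user].add((src, proto) + period(ts))
    return profile

def deviations(profile, events):
    """Return the events whose feature tuple was never observed for that user."""
    flagged = []
    for ts, user, src, proto, dst in events:
        key = (src, proto) + period(ts)
        if key not in profile.get(user, set()):
            flagged.append((ts, user, src, proto, dst))
    return flagged

# Constructed new events: a normal weekday SSH session, then a weekend telnet
# session originating from a server, which the baseline has never seen.
NEW_EVENTS = [
    ("2004-08-09 10:00", "sysadmin", "workstation", "ssh",    "srv02"),
    ("2004-08-14 15:20", "sysadmin", "srv01",       "telnet", "10.0.0.9"),
]

if __name__ == "__main__":
    for ev in deviations(build_profile(BASELINE), NEW_EVENTS):
        print("deviation:", ev)
```

Each additional variable simply lengthens the tuple, which sidesteps the three-dimension plotting problem at the cost of only catching exact combinations never seen before.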
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Thu Aug 19 2004 - 14:46:05 PDT