RE: [logs] most popular reports...?

• Previous message: Anton A. Chuvakin: "Re: [logs] most popular reports...?"
• Maybe in reply to: Marcus J. Ranum: "[logs] most popular reports...?"
• Next in thread: Kohlenberg, Toby: "RE: [logs] most popular reports...?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

>-----Original Message-----
>From: 
>loganalysis-bounces+toby.kohlenberg=intel.com@private 
>[mailto:loganalysis-bounces+toby.kohlenberg=intel.com@private
>oo.com] On Behalf Of Marcus J. Ranum
>Sent: Thursday, August 19, 2004 4:17 PM
>To: Raffael Marty; Jian Zhen
>Cc: Tim Sailer; loganalysis@private; Tina Bird
>Subject: Re: [logs] most popular reports...?
>
>Raffael Marty wrote:
>>Just a quick answer to this: "determining stuff that is *not*
>>interesting" should not mean that you completely get rid of 
>it. Keep it
>>in the system and have it run through the correlation engine and all
>>those neat things, but don't look at them. 
>
>
>Ranum's second law of intrusion detection applies here: "the
>number of times an uninteresting thing happens is an interesting
>thing."

and the order that they happen in! and the frequency with which they
happen!

t
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Previous message: Anton A. Chuvakin: "Re: [logs] most popular reports...?"
• Maybe in reply to: Marcus J. Ranum: "[logs] most popular reports...?"
• Next in thread: Kohlenberg, Toby: "RE: [logs] most popular reports...?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Thu Aug 19 2004 - 22:09:53 PDT