RE: [logs] most popular reports...?

Previous message: Anton A. Chuvakin: "Re: [logs] Visual Event Analysis WAS: most popular reports...?"
Maybe in reply to: Marcus J. Ranum: "[logs] most popular reports...?"
Next in thread: Phil Hollows: "RE: [logs] most popular reports...?"
Next in thread: Stephen P. Berry: "Re: [logs] most popular reports...?"
Reply: Phil Hollows: "RE: [logs] most popular reports...?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

toby.kohlenberg@private

>-----Original Message-----
>From: 
>loganalysis-bounces+toby.kohlenberg=intel.com@private 
>[mailto:loganalysis-bounces+toby.kohlenberg=intel.com@private
>oo.com] On Behalf Of Anton A. Chuvakin
>Sent: Thursday, August 19, 2004 7:58 PM
>To: Marcus J. Ranum; loganalysis@private
>Subject: Re: [logs] most popular reports...?
>
>>Here's my list:
>>	N should be considered a settable parameter
>
>Oh, my - you surely missed something, Marcus. Where is all the:
>
>-  Bottom N Accesed Ports
>-  Bottom N Event Types
>-  Bottom N ...
>
>Event rarity rules!

Definitely. In fact I'll take a second and mention my favorite use for
statistical operators- telling me about anything that changes
significantly.
Don't tell me when you see some random event, tell me when the number of
events of a specific type increases by 50%. That give me 0->1, 1->2,
2->3,
3->5, 100->150, etc...
Which means that I catch all the rare events and I catch the large
changes
in the noisy events.

t
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis