RE: [logs] Visual Event Analysis WAS: most popular reports...?

From: Matthew F. Caldwell (mattc@private)
Date: Fri Aug 20 2004 - 03:12:32 PDT


Anton Said:
>So, what about them? :-) They certainly help if you have a specific
>dataset that renders well as a link map (e.g. worm spread in a not-too-large
>network). How about 10 mil events of "random" firewall data though - how
>would you use a link map to your advantage in such a scenario (for either
>attack discovery or just representing data)?


     In my experience link maps offer a view from the high ground that may allow you to see previously unknown attacks as they occur (if real-time). Depending on how you map the data for the links and what dimensions are provided for that link node analysis, you can ascertain critical information on large (more than 100,000 node) networks by using grouping functions. However, if done incorrectly, they can provide hours of an enjoyable wild goose chase(s), even more so than event digging using the old-fashioned "more", and good luck finding a system that can handle more than 100,000 linked nodes.

Matt
Matthew F. Caldwell, CISSP 

Founder and Chief Security Officer

GuardedNet, Inc
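A concrete version of the grouping idea in Matt's reply, as an added example that is not part of the original thread: a handful of constructed firewall events are turned into a host-level link map, then collapsed with a /24 grouping function so the node count drops, and a per-source fan-out figure shows the kind of pattern the collapsed map makes visible. The event tuples, the /24 choice and the function names are all assumptions made for the example.

```python
"""Link-map grouping over firewall events (added example, not from the thread).
Builds src->dst edges from constructed log records, then collapses nodes by
/24 so a large map becomes a few group-to-group links."""
import ipaddress
from collections import Counter

# Constructed sample records: (src, dst, dport, action). Not real traffic.
EVENTS = [
    ("10.1.1.5", "192.168.3.10", 445, "DROP"),
    ("10.1.1.5", "192.168.3.11", 445, "DROP"),
    ("10.1.1.5", "192.168.3.12", 445, "DROP"),
    ("10.1.1.5", "192.168.4.7", 445, "DROP"),
    ("10.1.1.9", "192.168.3.10", 443, "ACCEPT"),
    ("10.2.2.1", "192.168.3.10", 443, "ACCEPT"),
    ("10.2.2.1", "192.168.3.20", 22, "ACCEPT"),
]

def host_links(events):
    """Raw link map: one node per IP, edge weight = number of events."""
    return Counter((src, dst) for src, dst, _, _ in events)

def group_key(ip, prefix=24):
    """Grouping function (assumed here): map a host to its /prefix network."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def grouped_links(events, prefix=24):
    """Collapsed link map: one node per network group, weights summed."""
    return Counter((group_key(s, prefix), group_key(d, prefix))
                   for s, d, _, _ in events)

def node_count(links):
    """Number of distinct nodes referenced by a link map."""
    return len({node for edge in links for node in edge})

def fanout_by_source(events, prefix=24):
    """Distinct destination groups touched per source host. One host reaching
    many groups is the sort of shape that stands out on a grouped map."""
    seen = {}
    for src, dst, _, _ in events:
        seen.setdefault(src, set()).add(group_key(dst, prefix))
    return {src: len(groups) for src, groups in seen.items()}

if __name__ == "__main__":
    raw, grouped = host_links(EVENTS), grouped_links(EVENTS)
    print("host nodes:", node_count(raw), "-> group nodes:", node_count(grouped))
    for edge, weight in grouped.most_common():
        print(edge, weight)
    print("fan-out per source:", fanout_by_source(EVENTS))
```

Swapping `group_key` for a different dimension (destination port, zone, asset owner) is what changes which patterns the collapsed map surfaces and which it hides.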


_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Fri Aug 20 2004 - 09:39:14 PDT