RE: [logs] most popular reports...?

• Previous message: Devdas Bhagat: "Re: [logs] Signatures"
• In reply to: Kohlenberg, Toby: "RE: [logs] most popular reports...?"
• Next in thread: Jason Haar: "Re: [logs] most popular reports...?"
• Next in thread: Stephen P. Berry: "Re: [logs] most popular reports...?"
• Reply: Jason Haar: "Re: [logs] most popular reports...?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Surely the trick with this approach is to define the metric and the
timeframe you're sampling over -- and this is where IMHO the wetware comes
in, and you have to define to the system what it is you're interested in,
which I think was part of MJR's issue with the SAS consultants several
messages ago.  Another point is that a statistical exception can still be a
false positive.  For example, running a small email campaign through our
corporate email system could look to a statistical analyzer like a worm, as
would the app that builds our daily log analysis summaries.

Anyway, that aside, don't forget to have your statistical exception analysis
look for unusual *lack* of activity as well as a spike -- a deviation in
"normal" in either direction is noteworthy.  I'll let the statisticians
argue with you about sample sizes and uncertainties in some of the low end
ranges you quite, though ;-)

FWIW

Phil


>-----Original Message-----
>From: 
>loganalysis-bounces+toby.kohlenberg=intel.com@private 
>[mailto:loganalysis-bounces+toby.kohlenberg=intel.com@private
>oo.com] On Behalf Of Anton A. Chuvakin
>Sent: Thursday, August 19, 2004 7:58 PM
>To: Marcus J. Ranum; loganalysis@private
>Subject: Re: [logs] most popular reports...?
>
>>Here's my list:
>>	N should be considered a settable parameter
>
>Oh, my - you surely missed something, Marcus. Where is all the:
>
>-  Bottom N Accesed Ports
>-  Bottom N Event Types
>-  Bottom N ...
>
>Event rarity rules!

Definitely. In fact I'll take a second and mention my favorite use for
statistical operators- telling me about anything that changes
significantly.
Don't tell me when you see some random event, tell me when the number of
events of a specific type increases by 50%. That give me 0->1, 1->2,
2->3,
3->5, 100->150, etc...
Which means that I catch all the rare events and I catch the large
changes
in the noisy events.

t
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Previous message: Devdas Bhagat: "Re: [logs] Signatures"
• In reply to: Kohlenberg, Toby: "RE: [logs] most popular reports...?"
• Next in thread: Jason Haar: "Re: [logs] most popular reports...?"
• Next in thread: Stephen P. Berry: "Re: [logs] most popular reports...?"
• Reply: Jason Haar: "Re: [logs] most popular reports...?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Fri Aug 20 2004 - 10:56:08 PDT