On Fri, Aug 20, 2004 at 01:30:49PM -0400, Phil Hollows wrote:
> Anyway, that aside, don't forget to have your statistical exception analysis
> look for unusual *lack* of activity as well as a spike -- a deviation in
> "normal" in either direction is noteworthy. I'll let the statisticians

Most of us find that a *lack* of activity has another name - it's called an "outage" :-)

I have found through hard experience that specifically checking for lack of activity is very important with NIDS: it tends to imply someone in the network team has moved the SPANed ports without thinking... :-(

To that end I created a "test rule" for the NIDS, and daily attempt to trigger all the NIDS by firing those packets past where their nose is supposed to be. No trigger, and it's time to scream at the network team :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377  Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
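The "test rule" idea above, worked through as an added example (this is not Jason's script, and nothing in the thread shows his rule or his checker). It assumes a Snort-style sensor: a local-range SID, an arbitrary marker payload, a UDP port, and "alert_fast"-style log lines (month/day, no year) are all assumptions chosen here. The script sends the marker past the sensors' taps, then reads each sensor's alert log and reports any sensor that did not log the canary within a short window, which is the "no trigger, scream at the network team" condition. The sample alert lines are constructed, including a stale canary from the previous day that must not count.

```python
"""NIDS canary: fire a known-bad packet past each sensor, then confirm each sensor alerted on it."""
import re
import socket
from datetime import datetime, timedelta

# Assumed values: a SID in the local range, an arbitrary marker string and a UDP port
# that is routed across the links the sensors are supposed to be watching.
CANARY_SID = 1000001
CANARY_PORT = 9999
CANARY_PAYLOAD = b"NIDS-CANARY-7f3a9c"

# The matching sensor rule (Snort rule syntax; the rule text itself is an assumption).
CANARY_RULE = (
    'alert udp any any -> any %d (msg:"NIDS canary"; content:"%s"; sid:%d; rev:1;)'
    % (CANARY_PORT, CANARY_PAYLOAD.decode(), CANARY_SID)
)


def send_canary(dst_host: str) -> datetime:
    """Fire the marker past the sensors. The destination only has to be on the far side
    of the monitored link; nothing needs to listen on the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(CANARY_PAYLOAD, (dst_host, CANARY_PORT))
    return datetime.now()


# Snort "alert_fast" style line (assumed format, no year):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ...
ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]"
)


def canary_fired(alert_lines, sent_at, window=timedelta(minutes=5), sid=CANARY_SID):
    """True if an alert carrying the canary SID was logged within `window` after `sent_at`.
    The year is taken from `sent_at` because the log format carries none."""
    for line in alert_lines:
        m = ALERT_RE.match(line)
        if not m or int(m.group("sid")) != sid:
            continue
        ts = datetime(sent_at.year, int(m.group("mon")), int(m.group("day")),
                      int(m.group("h")), int(m.group("m")), int(m.group("s")))
        # One second of slack covers sub-second timestamps rounded away above.
        if sent_at - timedelta(seconds=1) <= ts <= sent_at + window:
            return True
    return False


def silent_sensors(alerts_by_sensor, sent_at, window=timedelta(minutes=5)):
    """Sensors that did NOT see the canary: the SPAN port has probably been moved."""
    return sorted(name for name, lines in alerts_by_sensor.items()
                  if not canary_fired(lines, sent_at, window))


# Constructed sample: one sensor saw today's canary, the other has only unrelated
# traffic plus yesterday's canary, which is stale and must not count.
SENT_AT = datetime(2004, 8, 20, 13, 30, 49)
SAMPLE_ALERTS = {
    "dmz-sensor": [
        "08/20-13:30:50.104211  [**] [1:1000001:1] NIDS canary [**] [Priority: 0] "
        "{UDP} 10.1.1.5:40123 -> 10.1.9.9:9999",
    ],
    "core-sensor": [
        "08/20-13:12:03.551000  [**] [1:2003:4] some other signature [**] [Priority: 2] "
        "{TCP} 10.1.1.5:33000 -> 10.1.2.2:80",
        "08/19-13:31:00.000000  [**] [1:1000001:1] NIDS canary [**] [Priority: 0] "
        "{UDP} 10.1.1.5:40123 -> 10.1.9.9:9999",
    ],
}

if __name__ == "__main__":
    # In production: sent_at = send_canary("10.1.9.9"), wait a minute, then read
    # each sensor's alert log and run silent_sensors() on it.
    print("silent sensors:", silent_sensors(SAMPLE_ALERTS, SENT_AT))
```

The window is deliberately short: a canary that appears hours later is a sensor that is dropping or delaying, not a healthy one, and the stale-line check keeps yesterday's success from masking today's outage.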
This archive was generated by hypermail 2.1.3 : Fri Aug 20 2004 - 15:50:53 PDT