Well, not exactly. Zero activity *might* indicate an outage, but an unexpected drop of, say, a standard deviation from the expected norm (i.e. a drop to a non-zero rate) could be an indicator of something else, just as much as a standard deviation higher than the norm.

Also, are you really saying that it can take you up to a day to find out that your NIDS are down?

Does anyone else have standards or policies around monitoring security system availability / functionality?

Thanks,

Phil

-----Original Message-----
From: loganalysis-bounces+phil=open.com@private [mailto:loganalysis-bounces+phil=open.com@private] On Behalf Of Jason Haar
Sent: Friday, August 20, 2004 6:47 PM
To: loganalysis@private
Subject: Re: [logs] most popular reports...?

On Fri, Aug 20, 2004 at 01:30:49PM -0400, Phil Hollows wrote:
> Anyway, that aside, don't forget to have your statistical exception analysis
> look for unusual *lack* of activity as well as a spike -- a deviation in
> "normal" in either direction is noteworthy. I'll let the statisticians

Most of us find that a *lack* of activity has another name - it's called an "outage" :-)

I have found through hard experience that specifically checking for lack of activity is very important with NIDS: it tends to imply someone in the network team has moved the SPANed ports without thinking... :-(

To that end I created a "test rule" for the NIDS, and daily attempt to trigger all the NIDS by firing those packets past where their nose is supposed to be. No trigger, and it's time to scream at the network team :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
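The two checks the thread argues about, written out as an added example that is not code from either poster: a two-sided rate test that treats zero alerts as a probable outage but also flags a non-zero count that sits k standard deviations below (or above) the baseline, and a heartbeat check that confirms each sensor's "test rule" actually fired during the day. The baseline counts, the Snort-style syslog lines, the sensor names and the canary signature id 1000001 are all constructed for the example; the log regex assumes a `[gid:sid:rev]` prefix on the alert message.

```python
"""Two-sided NIDS alert-rate check plus a per-sensor heartbeat check.

Added example, not from the LogAnalysis thread. All sample data below is
constructed; the canary signature id and sensor names are hypothetical.
"""
import math
import re
from statistics import mean, pstdev
from typing import List, Optional, Tuple

# Constructed baseline: alerts per hour seen across a "normal" period.
BASELINE_HOURLY = [118, 124, 131, 120, 127, 119, 125, 130, 122, 126, 121, 128]

# Constructed id of the hypothetical heartbeat "test rule" loaded on every sensor.
CANARY_SID = "1000001"

# Constructed Snort-style syslog lines for one day (format assumed for the example).
SAMPLE_ALERTS = [
    "Aug 20 18:47:01 nids-dmz snort[2041]: [1:1000001:1] CANARY heartbeat test rule",
    "Aug 20 18:47:03 nids-dmz snort[2041]: [1:2003:8] some other alert",
    "Aug 20 18:47:05 nids-core snort[1187]: [1:1000001:1] CANARY heartbeat test rule",
]

ALERT_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<sensor>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*)$"
)


def rate_verdict(count: int, baseline: List[int], k: float = 2.0) -> Tuple[str, Optional[float]]:
    """Classify one interval's alert count against the baseline.

    Zero activity is reported as a probable outage (no z-score). A non-zero
    count k standard deviations *below* the mean is a "drop" and gets the
    same attention as a count k standard deviations above it ("spike").
    """
    if count == 0:
        return "outage", None
    mu = mean(baseline)
    sigma = pstdev(baseline)
    if sigma == 0:
        # Perfectly flat baseline: any change at all is an infinite deviation.
        z = 0.0 if count == mu else math.copysign(math.inf, count - mu)
    else:
        z = (count - mu) / sigma
    if z >= k:
        return "spike", z
    if z <= -k:
        return "drop", z
    return "normal", z


def missing_heartbeats(lines: List[str], sensors: List[str], canary_sid: str = CANARY_SID) -> List[str]:
    """Return the sensors whose canary alert never appeared in the day's log.

    A sensor that did not report the test rule is presumed blind (moved SPAN
    port, dead process, broken log path) regardless of its other alert volume.
    """
    seen = set()
    for line in lines:
        m = ALERT_RE.match(line)
        if m and m.group("sid") == canary_sid:
            seen.add(m.group("sensor"))
    return [s for s in sensors if s not in seen]


def daily_report(count: int, lines: List[str], sensors: List[str]) -> List[str]:
    """Combine both checks into the findings an on-call person would read."""
    findings = []
    verdict, z = rate_verdict(count, BASELINE_HOURLY)
    if verdict != "normal":
        zs = "n/a" if z is None else f"{z:+.1f}"
        findings.append(f"alert rate {verdict}: count={count} z={zs}")
    for sensor in missing_heartbeats(lines, sensors):
        findings.append(f"heartbeat missing: {sensor}")
    return findings


if __name__ == "__main__":
    for line in daily_report(60, SAMPLE_ALERTS, ["nids-dmz", "nids-core", "nids-lab"]):
        print(line)
```

With the constructed baseline (mean 124.25, standard deviation about 4.1) a count of 60 is a clear "drop" even though it is far from zero, which is the case Phil raises; the heartbeat check separately catches `nids-lab`, which logged nothing at all, which is the case Jason describes. Running the heartbeat check once per day, as the thread suggests, bounds the time a silent sensor goes unnoticed; running it per hour alongside the rate check shortens that window further.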
This archive was generated by hypermail 2.1.3 : Sat Aug 21 2004 - 09:59:34 PDT