Williams Jon wrote:

> I'd like to be able to show, for example, those things that have more than one hit but less than 100 in the last hour, for example. Or maybe a report that shows the things with one hit between 17:00 and 23:00 last night. Stuff like that.

I don't have ranges built in, but last night I added a -T d:h:m:s option to nbsdump; it's on my site for download. The only thing that bothers me a bit about adding stuff like ranges and so on is that it puts me on the slippery slope that leads to SQL. :)

I already looked at adding time value(s) to all the indexes, to make it faster to retrieve on time(s), but then the updates have to update the trees as well as the record file. :(

> Hmm. I wonder if there's a way to set this up to detect Internet clients that connect to a variety of servers one time each???

Hmmm.. You could store client:server, then dump it in order of lowest to highest, using the primary key as the sort, then stick it through a perl script (I'd offer an example but I am a terrible perler) that counts instances where the first token is the same. Then sort on the result.

I'm figuring that the tool is going to undergo a period of experimentation; once we've got a better idea what it can/should do, then I will either rewrite it or write what it should have been.

Back in the NFR days we had this thing called "histogram" which was kind of like NBS but it maintained a matrix; you could have it alert when a new pairing was added, or count when the value at the nexus of the pair was seen. It was a bit hard to make that really fast, though mostly that was an implementation detail. Braden and DeSchon's "NNstat" had a similar data structure and I regularly used it to detect port scans.

Glad you're enjoying NBS! :)

mjr.

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
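The post-processing step described in the reply (dump client:server pairs, count how many distinct servers share the same first token, sort on the result) and the "histogram" matrix that alerts on a new pairing, written out as an added example. This is not code from the thread or from NBS/nbsdump; it assumes a constructed dump format of one `client:server hits` line per record (IPv4 only, since the colon separator would be ambiguous for IPv6), and the threshold name `min_servers` is a hypothetical parameter chosen here.

```python
from collections import defaultdict

# Constructed sample dump: one "client:server hits" line per pair, as a tool
# like nbsdump might emit it when sorted on the client:server primary key.
# 10.0.0.5 touches four servers exactly once each (the sweep pattern asked
# about); 10.0.0.7 is a single busy client; 10.0.0.9 is ordinary reuse.
SAMPLE_DUMP = """\
10.0.0.5:192.168.1.10 1
10.0.0.5:192.168.1.11 1
10.0.0.5:192.168.1.12 1
10.0.0.5:192.168.1.13 1
10.0.0.7:192.168.1.10 42
10.0.0.9:192.168.1.10 1
10.0.0.9:192.168.1.20 3
"""


def parse_dump(text):
    """Yield (client, server, hits) from 'client:server hits' lines.

    Assumed format (not nbsdump's documented output): the pair is split on
    the first ':' and a missing hit count is taken as 1.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pair, _, hits = line.partition(" ")
        client, _, server = pair.partition(":")
        yield client, server, int(hits or 1)


def servers_per_client(records):
    """Group by the first token: client -> {server: total hits}."""
    table = defaultdict(dict)
    for client, server, hits in records:
        table[client][server] = table[client].get(server, 0) + hits
    return table


def rank_clients(records):
    """Count distinct servers per client and sort, widest fan-out first.

    This is the 'count instances where the first token is the same, then
    sort on the result' step from the reply.
    """
    table = servers_per_client(records)
    return sorted(((client, len(servers)) for client, servers in table.items()),
                  key=lambda item: (-item[1], item[0]))


def single_hit_fanout(records, min_servers=3):
    """Clients that hit at least min_servers distinct servers exactly once each.

    That is the 'connects to a variety of servers one time each' pattern; the
    threshold is a hypothetical tuning knob, not anything NBS provides.
    """
    flagged = []
    for client, servers in servers_per_client(records).items():
        if len(servers) >= min_servers and all(h == 1 for h in servers.values()):
            flagged.append(client)
    return sorted(flagged)


class PairMatrix:
    """Client x server matrix in the spirit of the NFR 'histogram' tool.

    observe() bumps the count at the nexus of the pair and returns True the
    first time a pairing is seen, which is the 'alert when a new pairing is
    added' behaviour described in the reply.
    """

    def __init__(self):
        self.counts = {}

    def observe(self, client, server):
        key = (client, server)
        is_new = key not in self.counts
        self.counts[key] = self.counts.get(key, 0) + 1
        return is_new

    def count(self, client, server):
        return self.counts.get((client, server), 0)


if __name__ == "__main__":
    recs = list(parse_dump(SAMPLE_DUMP))
    for client, n in rank_clients(recs):
        print(f"{client}\t{n} distinct servers")
    print("one-hit fan-out:", single_hit_fanout(recs))
```

Run as-is it ranks the three constructed clients and flags only `10.0.0.5`; `10.0.0.9` also talks to more than one server but is excluded because one of its pairings has several hits, which is the distinction the "one time each" question is about.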
This archive was generated by hypermail 2.1.3 : Fri Sep 03 2004 - 19:55:29 PDT