RE: [logs] About the logging infrastructure

From: Chris Petersen (chris@security-conscious.com)
Date: Wed Apr 13 2005 - 08:52:01 PDT
Hello Phi
 
1. I think using existing log data is critical in the intrusion detection
response; however, whether you rely solely on the native logging systems is
another question. Unfortunately, even if the tell-tale signs of intrusion
are in the logs, reviewing logs can be an extremely time-consuming/tedious
process. This problem was supposedly solved by IDS systems, whose goal was
to provide data reduction by automating the process of finding the
"interesting" stuff. However, IDS themselves produce lots of data, which can
also lead to data overload. Hence the introduction of Security Event
Management solutions that strive to automate the process of correlating
multiple events into higher quality events, reducing the noise. Back to
your question, I think the answer is a definite yes, but you will need tools
to make the process of analyzing this data more efficient. Furthermore, if
you can combine log data with IDS events (e.g., Snort) I think you have a
much higher quality intrusion detection solution, where the IDS serves as
the alarming system and the log data provides the information required to
effectively analyze the alarm.

2. Most of the SEMs are pretty pricey and target the larger enterprises:
six-figure deals. However, some providers have begun to target the middle
market. Our company is one of these. Other companies that have sub-$20K
solutions (I believe) are LogLogic, Network Intelligence, and perhaps
TriGeo. However, these companies vary in their ability to collect logs
and/or events and in what they can do with them in regards to intrusion
detection.

3. Rolling your own is definitely possible, though non-trivial. The most
common homegrown solution I'm familiar with is using a syslog server (e.g.,
Kiwi) to collect Unix/device syslog events and using an agent (e.g., Snare)
to forward Windows event logs via syslog. This type of solution has the
benefit of being inexpensive in software licenses but can be expensive in
development and support. You may end up having to build a lot of your own
tools for analysis purposes. If you have a few specific types of log
sources then homegrown can make sense, but as you start bringing in more
diverse sets of log data, this is where you might want to consider a
commercial product. Commercial vendors have had to figure out how to deal
with the vast differences in logging formats for
reporting/analysis/intrusion detection purposes.

Cheers,
Chris Petersen, CTO LogRhythm
www.LogRhythm.com
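A minimal version of the IDS-plus-log correlation Chris describes in point 1, built on the syslog-collector layout from point 3. This is an added example, not code from the thread or from any vendor's product; the syslog lines, the Snort signature text, the hosts and the IP addresses are all constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: one Snort alert forwarded over syslog plus sshd records
# from a file server, as a homegrown syslog server would collect them.
SAMPLE_LINES = [
    "Apr 13 08:39:50 fileserver sshd[4410]: Failed password for root from 10.0.0.9 port 51422 ssh2",
    "Apr 13 08:39:55 fileserver sshd[4412]: Failed password for root from 10.0.0.9 port 51430 ssh2",
    "Apr 13 08:40:01 sensor1 snort[2211]: [1:1000001:1] SAMPLE SSH brute force threshold "
    "[Classification: Attempted Admin] [Priority: 1] {TCP} 10.0.0.9:51422 -> 192.168.1.20:22",
    "Apr 13 08:41:02 fileserver sshd[4420]: Accepted password for admin from 10.0.0.9 port 51444 ssh2",
    "Apr 13 07:10:00 webserver sshd[900]: Failed password for bob from 10.0.0.33 port 40000 ssh2",
]

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
SNORT_RE = re.compile(r"^\[[\d:]+\] (.*?) \[Classification.*\{\w+\} ([\d.]+):\d+ -> ([\d.]+):\d+")
SSHD_RE = re.compile(r"^(Failed|Accepted) password for (\S+) from ([\d.]+) port")

def parse(line, year=2005):
    """Split a BSD-syslog line into (time, host, program, message); None if unparseable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group(2), m.group(3), m.group(4)

def correlate(lines, window=timedelta(minutes=5)):
    """Attach to every Snort alert the sshd events from the same source IP within
    +/- window, so the alarm arrives together with the host-side evidence."""
    alerts, logins = [], []
    for ts, host, prog, msg in filter(None, map(parse, lines)):
        if prog == "snort" and (m := SNORT_RE.match(msg)):
            alerts.append((ts, m.group(1), m.group(2), m.group(3)))
        elif prog == "sshd" and (m := SSHD_RE.match(msg)):
            logins.append((ts, host, m.group(1), m.group(2), m.group(3)))
    results = []
    for ts, sig, src, dst in alerts:
        related = [e for e in logins if e[4] == src and abs(e[0] - ts) <= window]
        failed = [e for e in related if e[2] == "Failed"]
        accepted = [e for e in related if e[2] == "Accepted"]
        results.append({
            "signature": sig, "src": src, "dst": dst,
            "hosts": sorted({e[1] for e in related}),
            "failed": len(failed),
            "accepted_users": [e[3] for e in accepted],
            # A success from the same source after the failures is the case to page on.
            "escalate": bool(failed) and any(a[0] > max(f[0] for f in failed) for a in accepted),
        })
    return results
```

Calling `correlate(SAMPLE_LINES)` yields one enriched event for the 10.0.0.9 alert: two failures followed by an accepted login on fileserver, flagged for escalation, while the unrelated webserver line is left out.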

  _____  

From: loganalysis-bounces+chris=security-conscious.com@private
[mailto:loganalysis-bounces+chris=security-conscious.com@private] On
Behalf Of Phi Phu
Sent: Wednesday, April 13, 2005 1:38 AM
To: loganalysis@private
Subject: [logs] About the logging infrastructure


Dear all,
I am a new person on this mailing list. I have the following questions
that I really hope will be answered:
1. Should we try to use the existing log data (from OS and applications)
effectively for security purposes, instead of using IDS or other
monitoring tools that also produce log data in today's flooded-by-log
world?
2. (If question #1 is "yes") is there any existing solution or product that
manages the log data for a small or medium enterprise (with a standard
computer network including: user workstations, file server, web server, mail
server, gateway to Internet, firewall, db server) for the intrusion
detection purpose?
3. (If question #2 is "no") do you think that building a solution like that
is possible?

Thank you, and best regards,
Phi

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Wed Apr 13 2005 - 09:28:55 PDT