Re: [logs] About the logging infrastructure

From: Tim Sailer (sailer@private)
Date: Wed Apr 13 2005 - 06:09:45 PDT


On Wed, Apr 13, 2005 at 12:37:57AM -0700, Phi Phu wrote:
> Dear all,
> I am a new person on this mailing list. I have the following questions that I really want answered:
> 1. Should we try to use the existing log data (from OS and applications) effectively for security purposes, instead of using IDS or other monitoring tools that also produce log data in today's flooded-by-log world?

Yes. If you do not look at your log data for security purposes, you are
missing a lot of the 'big picture'. Pull log data from everything you can,
computer systems, applications, network devices, etc. You'd be amazed at
what you can learn about your network from just the 'Link Up/Link Down'
messages from your switches!

> 2. (If question #1 is "yes") is there any existing solution or product that manages the log data for a small or medium enterprise (with a standard computer network including: user workstations, file server, web server, mail server, gateway to Internet, firewall, db server) for intrusion detection purposes?

Not that I know of (I meaning me alone, not the 'royal I', speaking for anyone
else). No matter what you find, you'll have to do major mods, so it's just
as easy, IMNSHO, to roll your own, being a 'small shop'. The way I do it is
to dump everything into a database for archiving and event correlation, and
use swatch and sec for the 'realtime' stuff. Start with the thought that 
everything is important, and then start eliminating the things that you find
less than interesting, reducing the dataset. Reducing the dataset into something
manageable is the trick.

> 3. (if question #2 is "no") do you think that building a solution like that is possible?

Hrm... I guess I just answered that. :)

Tim

-- 
Tim Sailer <sailer@private> 
Information and Special Technologies Program
Office of CounterIntelligence 
Brookhaven National Laboratory  (631) 344-3001
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
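The "dump everything into a database, then eliminate the uninteresting" approach Tim describes, as an added example that is not his code or any product's: it parses constructed syslog lines (switch link state, sshd, cron, firewall drops, postfix) into an in-memory SQLite table, applies a suppress list to reduce what a human looks at, and runs one correlation over the switch 'Link Up/Link Down' messages to flag a flapping port. The sample lines, the 2005 year assumed for the year-less syslog timestamps, the suppress patterns and the flap thresholds are all assumptions made for the example; the real-time side (swatch, sec) is not reproduced.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample syslog lines for the example (not from the original post).
SAMPLE_LOGS = """\
Apr 13 06:01:02 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to down
Apr 13 06:01:09 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to up
Apr 13 06:01:31 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to down
Apr 13 06:01:40 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to up
Apr 13 06:02:15 sw1 %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to down
Apr 13 06:02:55 fs1 sshd[2231]: Accepted publickey for alice from 10.1.2.3 port 50322 ssh2
Apr 13 06:03:10 fs1 CRON[2240]: (root) CMD (run-parts /etc/cron.hourly)
Apr 13 06:04:00 gw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP DPT=445
Apr 13 06:04:01 gw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP DPT=139
Apr 13 06:05:00 mail1 postfix/smtpd[881]: connect from unknown[192.0.2.7]
"""

# Classic BSD syslog: "Mon dd HH:MM:SS host message". The timestamp carries no
# year, so one is assumed (2005 here) when archiving.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
ASSUMED_YEAR = 2005


def parse_line(line):
    """Split one syslog line into ISO timestamp, host and message; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.isoformat(), "host": m.group("host"), "msg": m.group("msg")}


def load_db(log_text):
    """Archive every parseable line, unfiltered, in a SQLite table (in-memory for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, ts TEXT, host TEXT, msg TEXT)")
    rows = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    conn.executemany("INSERT INTO events (ts, host, msg) VALUES (:ts, :host, :msg)", rows)
    conn.commit()
    return conn


# Patterns judged 'less than interesting' after review (assumed for the example).
# They never keep a line out of the archive; they only shrink the review set.
SUPPRESS = [
    re.compile(r"^CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.(hourly|daily)\)"),
]


def interesting_events(conn):
    """The reduced dataset: archived rows not matched by any suppress pattern."""
    cur = conn.execute("SELECT ts, host, msg FROM events ORDER BY id")
    return [row for row in cur if not any(p.search(row[2]) for p in SUPPRESS)]


LINK_RE = re.compile(r"Interface (\S+), changed state to (up|down)")


def link_flaps(conn, min_downs=3, window=timedelta(minutes=2)):
    """Correlate switch 'Link Down' events: flag (host, iface, n) when one port goes
    down min_downs or more times inside window. A single down is noise; a burst on
    one port is a flapping link, a bad cable, or someone plugging things in."""
    cur = conn.execute(
        "SELECT ts, host, msg FROM events WHERE msg LIKE '%changed state to down%' ORDER BY ts"
    )
    downs = {}
    for ts, host, msg in cur:
        m = LINK_RE.search(msg)
        if m:
            downs.setdefault((host, m.group(1)), []).append(datetime.fromisoformat(ts))
    flaps = []
    for (host, iface), times in downs.items():
        for i in range(len(times)):           # sliding window over sorted timestamps
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_downs:
                flaps.append((host, iface, j - i + 1))
                break
    return flaps


DROP_RE = re.compile(r"kernel: DROP .*SRC=(\S+) .*DPT=(\d+)")


def drops_by_source(conn):
    """Collapse firewall DROP lines to {src: [dports]} so a scanner is one row, not one line per packet."""
    out = {}
    for (msg,) in conn.execute("SELECT msg FROM events WHERE msg LIKE 'kernel: DROP %' ORDER BY id"):
        m = DROP_RE.search(msg)
        if m:
            out.setdefault(m.group(1), []).append(int(m.group(2)))
    return out


if __name__ == "__main__":
    db = load_db(SAMPLE_LOGS)
    print("archived:", db.execute("SELECT COUNT(*) FROM events").fetchone()[0])
    print("after suppression:", len(interesting_events(db)))
    print("flapping links:", link_flaps(db))
    print("drops by source:", drops_by_source(db))
```

The order of operations matters: everything is written to the table first, and suppression and summarisation only shape what gets reviewed, so a pattern added to SUPPRESS in error costs visibility but never evidence.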

This archive was generated by hypermail 2.1.3 : Wed Apr 13 2005 - 09:35:26 PDT