[logs] Firewall Log Analysis - Computer vs. Human

From: Adrian Grigorof (adi@private)
Date: Tue Jul 05 2005 - 09:24:28 PDT

Hi all,

We are trying to develop a log analyzer that would "replicate" a human's
approach to log analysis - by that I mean the fact that a human can
correlate information in the log with other factors (like - "hmm, the log
says that the firewall was restarted at 12:03 PM"... oh, yeah, it was that
UPS failure yesterday around noon). For this particular example, the log
analyzer could say in the report: "12:03 PM - Firewall restarted - Possible
power failure, power disconnection or manual restart" - a bit vague I agree
but it is better than nothing  - and in fact, this is what the firewall
admin would go through, right? Thinking, "Why would there be a restart? I
did not restart it.. anything happened at noon? The UPS failure!". Or for
example, instead of saying IP was denied for protocol
TCP/8543 and let the firewall admin worry about it maybe the analyzer should
do a bit of analysis, check the "history", see that this protocol is not
something commonly used, it's not one of the common worms and decide to
report that it is in fact a stray TCP packet caused by Internet latency (TCP
port higher than 1024, not a "known protocol", coming from an IP address
that is typically accessed by internal IPs via HTTP - all this information
is should be obtainable from the logs).

Now, the question is, what are the things (in your opinion) that only a
human can do?


Adrian Grigorof

LogAnalysis mailing list

This archive was generated by hypermail 2.1.3 : Tue Jul 05 2005 - 11:18:16 PDT