In some mail from Chris Brenton, sie said:
>
> Hey all,
>
> I'm involved with helping SANS organize the logging summit this July. As
> part of that, I was hit with a question that I thought could be best
> answered via feedback from the group.
>
> What do you feel are the top 5 reports a centralized log management
> system should provide?

1) One that tells you when your web server has been defaced
2) One that tells you when someone has successfully used a new buffer
   overflow against your systems
3) When a hacker gets root
4) When one of your systems gets rootkit'd
5) How often a password is used in clear text

> For example, a few I came up with:
>
> Authentication failures (Web, system access, VPNs, etc.)
> Access failures (HTTP scripts, recursion requests, etc.)
> Initialization of new/unknown processes
> Unexpected outbound traffic through the firewall (IRC, TFTP, SMTP, etc.)

I suppose they're statistically interesting but otherwise dull.

How about it tells me when there's an authentication failure for the
secretary from a computer in Bolivia? I'm not really interested in the
10 times a day she gets her password wrong at her desk, because she's
doing her nails and trying to log in.

Darren
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
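The distinction Darren draws above (a failure from the secretary's own desk is noise, a failure for the same account from a machine in Bolivia is news) is a baseline-versus-context rule, and it is small enough to show end to end. The script below is an added example, not code from the original post or from any SANS or list member's tooling: it builds a per-user baseline of source addresses from which that user has successfully logged in, then scores later failures against it, alerting only on failures from a source the user has never succeeded from. The sshd-style log lines, user names, IP addresses and the address-to-location table are all constructed for the example (the "Bolivia" label on 190.104.x.x is an assumption, not real allocation data); a real deployment would use a GeoIP database, a longer baseline window and probably a rate threshold on the "known source" failures as well.

```python
"""Contextual alerting on authentication failures (added example).

Baseline = set of source addresses each user has successfully logged in
from. Only Accepted lines feed the baseline, so an attacker's own failed
attempts cannot teach the system that their address is normal.
"""
import re
from collections import defaultdict

# Constructed sample lines in the style of OpenSSH's sshd: a baseline
# period, then the events we want to score. Names/addresses are made up.
BASELINE_LOG = """\
May 10 08:01:12 fs1 sshd[4021]: Accepted password for alice from 10.1.2.33 port 51234 ssh2
May 10 08:02:40 fs1 sshd[4029]: Failed password for alice from 10.1.2.33 port 51240 ssh2
May 10 08:02:51 fs1 sshd[4029]: Accepted password for alice from 10.1.2.33 port 51240 ssh2
May 10 09:15:05 fs1 sshd[4100]: Accepted password for bob from 10.1.2.57 port 40010 ssh2
May 11 08:00:30 fs1 sshd[5120]: Failed password for alice from 10.1.2.33 port 52000 ssh2
May 11 08:00:41 fs1 sshd[5120]: Accepted password for alice from 10.1.2.33 port 52000 ssh2
"""

NEW_LOG = """\
May 12 08:03:02 fs1 sshd[6001]: Failed password for alice from 10.1.2.33 port 53001 ssh2
May 12 08:03:10 fs1 sshd[6001]: Failed password for alice from 10.1.2.33 port 53001 ssh2
May 12 23:41:19 fs1 sshd[6310]: Failed password for alice from 190.104.55.7 port 60113 ssh2
May 12 23:41:30 fs1 sshd[6310]: Failed password for alice from 190.104.55.7 port 60113 ssh2
May 12 09:10:00 fs1 sshd[6050]: Failed password for bob from 10.1.2.57 port 40022 ssh2
"""

# Stand-in for a GeoIP lookup: an assumed, hand-made prefix table. The
# "Bolivia" label is purely illustrative, not real address allocation data.
GEO_TABLE = {
    "10.": "office LAN",
    "190.104.": "Bolivia (assumed label)",
}

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_events(text):
    """Yield (result, user, source_ip) for every sshd password line."""
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")


def geo_label(ip):
    """Longest-prefix match against the constructed GEO_TABLE."""
    best, best_len = "unknown", -1
    for prefix, label in GEO_TABLE.items():
        if ip.startswith(prefix) and len(prefix) > best_len:
            best, best_len = label, len(prefix)
    return best


def build_baseline(text):
    """Map each user to the set of sources they have successfully logged in from."""
    seen = defaultdict(set)
    for result, user, src in parse_auth_events(text):
        if result == "Accepted":
            seen[user].add(src)
    return seen


def score_failures(baseline, text):
    """Return (alerts, ignored).

    A failure from an address the user has never succeeded from becomes an
    alert (user, src, location). A failure from a known address is only
    counted, so the secretary mistyping at her desk is not paged out.
    """
    alerts = []
    ignored = defaultdict(int)
    for result, user, src in parse_auth_events(text):
        if result != "Failed":
            continue
        if src in baseline.get(user, set()):
            ignored[(user, src)] += 1
        else:
            alerts.append((user, src, geo_label(src)))
    return alerts, dict(ignored)


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    alerts, ignored = score_failures(base, NEW_LOG)
    for user, src, where in alerts:
        print(f"ALERT: auth failure for {user} from {src} ({where}), never seen before")
    for (user, src), n in ignored.items():
        print(f"info: {n} failure(s) for {user} from known source {src}")
```

On the constructed input this raises two alerts (both for alice from the 190.104.55.7 address) and counts three failures from known sources without alerting. Keying the baseline on successful logins rather than on all activity is the design choice that matters: if failures were allowed to seed the baseline, a patient attacker could make their own address "known" before guessing the password.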
This archive was generated by hypermail 2.1.3 : Thu May 18 2006 - 11:29:17 PDT