Hi Chris,

First, you need to divide these logs in their categories, as you may have firewall logs, mail logs, auth logs, NIDS logs, etc., etc. You would need a lot of top 5's for them all.

Second, I think that no security professional is really interested in logs that are not correlated at all. I mean, just top fives will not give much information. I think it would be interesting to see this data based on severities and vulnerabilities (like most severe alerts for the day). Just showing that 10 users missed their passwords today does not bring anything to the table, but showing that a brute force attack tried 20 passwords for 3 different users is more meaningful (and would be in the top of the list). In addition to that, if we see this attack followed by a successful login from the same source IP, we need to increase even more the severity of it... With this top 5's approach you would lose that.

A small list of things that I think are meaningful (note that this list requires the data to be correlated and it is not really what you asked).

For authentication logs:
- Multiple failed logins for the same user from the same source IP in a small period of time. It may be a false positive, but maybe not. Severity 5 (for example)
- Multiple failed logins for multiple users from the same source IP. Probably a brute force attack. Severity 6.
- Multiple failed logins for multiple users, followed by a successful login. Hum.. this may mean something. Severity 8.
- Multiple successful logins for the same user across multiple systems. Severity 5.
- Successful logins during non-work time. Severity 5.
- etc, etc, etc

For web logs:
- Multiple 400 error codes from the same source IP (web scan). Severity 5.
- Successful requests for URLs containing common web attacks (like SQL injection, directory traversal, etc). Severity 8.
- Failed requests (error 40x) for URLs containing common web attacks. Severity 6.
- etc, etc, etc...

Well, hope I was able to make my point. Sorry for any English mistakes too...
*Btw, I'm starting a document on some of the attacks that we could detect with log analysis by monitoring different types of logs. If anyone is interested in adding some more information, the draft is below: http://www.ossec.net/en/loganalysis.html

Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net

--- Chris Brenton <cbrenton@private> wrote:

> Hey all,
>
> I'm involved with helping SANS organize the logging summit this July. As part of that, I was hit with a question that I thought could be best answered via feedback from the group.
>
> What do you feel are the top 5 reports a centralized log management system should provide?
>
> For example, a few I came up with:
>
> Authentication failures (Web, system access, VPNs, etc.)
> Access failures (HTTP scripts, recursion requests, etc.)
> Initialization of new/unknown processes
> Unexpected outbound traffic through the firewall (IRC, TFTP, SMTP, etc.)
>
> I would love to see a similar list from other folks on the list.
>
> Cheers,
> Chris
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
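The authentication-log correlation rules above, worked through as an added Python example (not code from the thread or from OSSEC): it replays constructed sshd-style lines, assumes a 5-minute window and a threshold of 3 failures per source IP, and escalates any burst of failures followed by a successful login from the same source to severity 8, which is slightly more general than the thread's third rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth lines for the demonstration (not real log data).
SAMPLE_LOG = """\
May 18 20:01:01 host sshd[1]: Failed password for alice from 10.0.0.5 port 4000 ssh2
May 18 20:01:03 host sshd[1]: Failed password for bob from 10.0.0.5 port 4001 ssh2
May 18 20:01:05 host sshd[1]: Failed password for carol from 10.0.0.5 port 4002 ssh2
May 18 20:01:09 host sshd[1]: Accepted password for carol from 10.0.0.5 port 4003 ssh2
May 18 20:02:00 host sshd[1]: Failed password for dave from 192.0.2.9 port 5000 ssh2
May 18 20:02:01 host sshd[1]: Failed password for dave from 192.0.2.9 port 5001 ssh2
May 18 20:02:02 host sshd[1]: Failed password for dave from 192.0.2.9 port 5002 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")
WINDOW = timedelta(minutes=5)   # assumed "small period of time"
THRESHOLD = 3                   # assumed number of failures that counts as "multiple"

def parse(text):
    """Yield (timestamp, success, user, source_ip) for each recognised line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime("2006 " + m.group(1), "%Y %b %d %H:%M:%S")
            yield ts, m.group(2) == "Accepted", m.group(3), m.group(4)

def correlate(text):
    """Return {source_ip: (severity, description)} following the thread's rules."""
    failures = defaultdict(list)   # source_ip -> [(ts, user)] inside the window
    alerts = {}
    for ts, ok, user, src in parse(text):
        # Forget failures older than the window before evaluating this event.
        failures[src] = [(t, u) for t, u in failures[src] if ts - t <= WINDOW]
        if not ok:
            failures[src].append((ts, user))
            if len(failures[src]) >= THRESHOLD:
                users = {u for _, u in failures[src]}
                if len(users) == 1:
                    sev, desc = 5, "repeated failures for one user"
                else:
                    sev, desc = 6, "failures for multiple users (brute force)"
                if alerts.get(src, (0,))[0] < sev:
                    alerts[src] = (sev, desc)
        elif len(failures[src]) >= THRESHOLD:
            # Success right after a burst of failures: raise the severity.
            alerts[src] = (8, "multiple failures followed by successful login")
    return alerts

if __name__ == "__main__":
    for src, (sev, desc) in correlate(SAMPLE_LOG).items():
        print(f"{src}: severity {sev} - {desc}")
```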
This archive was generated by hypermail 2.1.3 : Thu May 18 2006 - 20:40:30 PDT