Hi all,

First off, nice start on your list Dan. If I may, I'd like to offer a few thoughts on this topic:

I agree that any "report" that isn't correlated, talking as security goes, isn't worth a lot besides maybe statistical reporting and good looking graphs for PowerPoint slides. I also think that no software tool can assess the "value" of any given report automagically, regardless of how well it correlates logs between devices/hosts. The true value or importance of a report will depend on the systems it is reporting on - or what most people now refer to as "assets" or "groups". I imagine, as an example, a report on your "group" of financial servers is probably more "important" to you than a report on your "group" of lab testing systems, almost regardless of the data contained in it. Ask yourself, which would you look at first?

And if I may also go down this path for a second, reporting on desktop systems that are infected with trojans, worms, etc, that bang around and make a lot of noise is useful to try and assess the overall big picture of the damage they are making, yet they are poor when it comes to remediation of the problems. The remediation is the part that, IMHO, is the most important thing to use a report like this for, after the initial discovery of course. From experience I've seen that in a medium to large size business/enterprise, where desktop systems run on DHCP and it's becoming more and more common for people to have laptops than desktops, using these reports to actually find the offending system in question is becoming harder and harder since most of the security reporting tools are based on layer 3 reporting (IP addresses). As people run around from being wired to a docking station, to going to a meeting and being on wireless, to using an onboard wired NIC, you're going to be seeing different IP addresses via any kind of reporting device.

Now based on this information alone, you're going to see the same device multiple times, in multiple places. I see this as a bigger problem than it's in the scope of this email to go into. Some kinds of reports can be very misleading, where others can be more set in stone. Well, just something to think about when looking at reports on data like this - you've got to take into account, again, what is being reported on.

Thanks - Erik

> Hi Chris,
>
> First, you need to divide these logs in their categories, as you may have firewall logs, mail logs, auth logs, NIDS logs, etc, etc.. You would need a lot of top 5's for them all.
>
> Second, I think that no security professional is really interested in logs that are not correlated at all. I mean, just top fives will not give much information. I think it would be interesting to see this data based on severities and vulnerabilities (like most severe alerts for the day). Just showing that 10 users missed their passwords today does not bring anything to the table, but showing that a brute force attack tried 20 passwords for 3 different users is more meaningful (and would be in the top of the list). In addition to that, if we see this attack followed by a successful login from the same source ip, we need to increase even more the severity of it... With these top 5's approach you would lose that.
>
> A small list of things that I think are meaningful (note that this list requires the data to be correlated and it is not really what you asked).
>
> For authentication logs:
>
> -Multiple failed logins for the same user from the same source ip in a small period of time. It may be a false positive, but maybe not. Severity 5 (for example)
> -Multiple failed logins for multiple users from the same source ip. Probably a brute force attack. Severity 6.
> -Multiple failed logins for multiple users, followed by a successful login. Hum.. this may mean something. Severity 8.
> -Multiple successful logins for the same user across multiple systems. Severity 5.
> -Successful logins during no work time. Severity 5.
> -etc, etc, etc
>
> For web logs:
>
> -Multiple 400 error codes from same source ip (web scan). Severity 5.
> -Successful request for URLs containing common web attacks (like sql injection, directory traversal, etc). Severity 8.
> -Failed requests (error 40x) for URLs containing common web attacks. Severity 6.
> -etc, etc, etc...
>
> Well, hope I was able to make my point. Sorry for any English mistakes too...
>
> *Btw, I'm starting a document on some of the attacks that we could detect with log analysis by monitoring different types of logs. If anyone is interested in adding some more information, the draft is below:
> http://www.ossec.net/en/loganalysis.html
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid @ ( at ) ossec.net
>
> --- Chris Brenton <cbrenton@private> wrote:
>
> > Hey all,
> >
> > I'm involved with helping SANS organize the logging summit this July. As part of that, I was hit with a question that I thought could be best answered via feedback from the group.
> >
> > What do you feel are the top 5 reports a centralized log management system should provide?
> >
> > For example, a few I came up with:
> >
> > Authentication failures (Web, system access, VPNs, etc.)
> > Access failures (HTTP scripts, recursion requests, etc.)
> > Initialization of new/unknown processes
> > Unexpected outbound traffic through the firewall (IRC, TFTP, SMTP, etc.)
> >
> > I would love to see a similar list from other folks on the list.
> >
> > Cheers,
> > Chris
> >
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysis@private
> > http://lists.shmoo.com/mailman/listinfo/loganalysis
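The authentication-log rules in Daniel's list, worked through as an added example (not code from the thread or from OSSEC): it parses constructed sshd-style lines, groups failures per source ip, and assigns the thread's severities (5 for one user, 6 for several users, 8 when a successful login from the same ip follows the burst). The log format, the 5-minute window and the threshold of 3 failures are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (sample data, not real logs)
SAMPLE_LOG = """\
2006-05-21T10:00:01 sshd: Failed password for alice from 203.0.113.5
2006-05-21T10:00:05 sshd: Failed password for bob from 203.0.113.5
2006-05-21T10:00:07 sshd: Failed password for carol from 203.0.113.5
2006-05-21T10:00:20 sshd: Accepted password for bob from 203.0.113.5
2006-05-21T10:05:00 sshd: Failed password for dave from 198.51.100.9
2006-05-21T10:05:02 sshd: Failed password for dave from 198.51.100.9
2006-05-21T10:05:04 sshd: Failed password for dave from 198.51.100.9
2006-05-21T11:00:00 sshd: Failed password for eve from 192.0.2.77
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+)$")

def parse(log_text):
    events = []  # (timestamp, result, user, ip); lines that don't match are skipped
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events

def correlate(events, window=timedelta(minutes=5), threshold=3):
    """Map source ip -> (severity, description) using the severities from the thread."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[1] == "Failed"]
        # Burst = failures within one window of the first failure from this ip
        burst = [e for e in failures if e[0] - failures[0][0] <= window]
        if len(burst) < threshold:
            continue
        users = {e[2] for e in burst}
        sev, desc = 5, f"{len(burst)} failed logins for {burst[0][2]}"
        if len(users) > 1:
            sev, desc = 6, f"{len(burst)} failed logins for {len(users)} users (probable brute force)"
            # A success from the same ip right after the burst is the severity-8 case
            last_fail = burst[-1][0]
            if any(e[1] == "Accepted" and last_fail <= e[0] <= last_fail + window for e in evs):
                sev, desc = 8, desc + ", followed by a successful login"
        findings[ip] = (sev, desc)
    return findings
```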
This archive was generated by hypermail 2.1.3 : Sun May 21 2006 - 12:33:03 PDT