Pantek Library

RE: Firewall Activity analysis

From: Anton A. Chuvakin <anton(at)chuvakin.org>
Date: Wed Dec 11 2002 - 15:58:11 EST


All,

>discovering new attacks/attackers. Anomaly detection via statistical
Well, isn't it one of those things that is mentioned much more often than it is implemented? Many people say it's a good idea to have full-blown anomaly detection running on log data, and even more people agree with those saying that :-) However, anomaly detection is kinda lacking even for the packet-level stuff (which is more rigid in format than system logs). Many discussions on Tina Bird's log-analysis list happen around this very topic, and there doesn't seem to be any meaningful bottom line [yet].

And the dangerous thing about jumping in and implementing some simple rules (such as "connection failed -> conn successful") is that it might create a nice little (well, BIG actually!) "false-positive machine", and NIDS systems already provide plenty of that.

Discovering new attacks via statistical anomalies sounds promising, but what is the evidence to suggest that those new attacks will be in the log files in the first place?
(see, e.g. http://www.immunitysec.com/dailydave/9.24.2002.html)

Best,

-- 
Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org
Received on Wed Dec 11 16:29:17 2002
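The "false-positive machine" point above is easy to see in code. The following is an added example, not part of the original message or of any tool it mentions: it runs a naive "failed -> successful connection from the same source" rule and a thresholded, time-windowed variant over a handful of constructed OpenSSH-style auth lines. The log lines, the threshold (5 failures) and the window (120 seconds) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH/syslog style (not real data): alice mistypes her password
# once, then one source fails six times against several accounts before a login succeeds.
SAMPLE_LOG = """\
Dec 11 15:01:02 host sshd[1001]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Dec 11 15:01:09 host sshd[1001]: Accepted password for alice from 10.0.0.5 port 51000 ssh2
Dec 11 15:20:00 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Dec 11 15:20:03 host sshd[1003]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
Dec 11 15:20:06 host sshd[1004]: Failed password for root from 198.51.100.7 port 40003 ssh2
Dec 11 15:20:09 host sshd[1005]: Failed password for bob from 198.51.100.7 port 40004 ssh2
Dec 11 15:20:12 host sshd[1006]: Failed password for bob from 198.51.100.7 port 40005 ssh2
Dec 11 15:20:15 host sshd[1007]: Failed password for bob from 198.51.100.7 port 40006 ssh2
Dec 11 15:20:30 host sshd[1008]: Accepted password for bob from 198.51.100.7 port 40007 ssh2
Dec 11 15:20:30 host sshd[1008]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Dec 11 15:45:00 host sshd[1009]: Accepted publickey for carol from 10.0.0.9 port 52000 ssh2
"""

# Matches only the auth-result lines we model; everything else is skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2002):
    """Return an event dict for an auth-result line, or None for lines we do not model.
    Syslog timestamps carry no year, so one is supplied (assumed 2002 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]}


def parse_log(text, year=2002):
    return [e for e in (parse_line(l, year) for l in text.splitlines()) if e is not None]


def naive_rule(events):
    """The literal 'connection failed -> connection successful' rule, per source, no
    threshold. Fires on every user who mistypes a password once."""
    last_failed = {}
    alerts = []
    for e in events:
        if e["ok"] and last_failed.get(e["src"]):
            alerts.append((e["src"], e["user"]))
        last_failed[e["src"]] = not e["ok"]
    return alerts


def windowed_rule(events, min_failures=5, window=timedelta(seconds=120)):
    """Success preceded by at least `min_failures` failures from the same source inside
    `window`. Returns (src, user, failure_count) so the analyst sees the evidence."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts = []
    for e in events:
        q = recent[e["src"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()  # expire failures older than the window
        if e["ok"]:
            if len(q) >= min_failures:
                alerts.append((e["src"], e["user"], len(q)))
            q.clear()  # a success resets the run for that source
        else:
            q.append(e["ts"])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("naive   :", naive_rule(evs))     # alice's typo AND the brute force
    print("windowed:", windowed_rule(evs))  # only the brute force
```

On this input the naive rule alerts on alice's single typo as well as on the six-failure run, while the windowed rule alerts only on the latter; on a real fleet the first rule fires roughly once per fat-fingered password, which is the false-positive machine the message warns about. The threshold and window are still guesses, which is exactly the calibration problem the message says has no bottom line yet.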

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:04 EDT