RE: Automated analysis of logs?

From: Kinsey, Robert <Robert.Kinsey(at)Veridian.com>
Date: Mon Apr 14 2003 - 17:58:07 EDT


I agree, Jon, that using something to "clean up" the alert logs is a generally good thing (tm). I am more concerned with the tendency for folks to "de-tune" based on certain criteria.

For example, you may permit anonymous FTP logins from certain locations (other offices within the company) but what about the others? Trying to concoct a rule to grep out only those that are NOT from within the allowed ranges would be overwhelming. In some cases reading the raw logs would be beneficial - not in all cases however. A simple probe would be improved if you could just log (and then grep) the number of probing attempts from IP x and show what IPs or ports they tried to hit.

In some ways the newer IDS tools do this well (again for raw analysis and correlation) but I have yet to see one that gave you the firehose WITH correlation very well.

Regards,
Robert Kinsey

-----Original Message-----

From: Jon Pastore
To: Kinsey, Robert; security-basics@securityfocus.com
Sent: 4/13/03 6:06 AM
Subject: Re: Automated analysis of logs?

Fair statement, but if you reverse the process of your scripts to output unknown or exceptions this will speed up the underfunded IT dept's efforts in log analysis... I don't have time to look @ logs all day... I'd rather eat pain killers; they'd be more fun and I'd fall asleep just as fast =) My eyes start to glaze over after a few thousand lines =)

I guess really it's all in the logic of your analysis tools and what you're trying to analyze. Most tools are designed for the intent of trending for proactive IT efforts. Security-based scripts for analysis should be effective and, I think, if properly coded would help in expediting an attack or misuse or exploit.

-Jon
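The two ideas in this thread, reporting only the exceptions (Jon) and summarising probe counts per source IP together with the hosts and ports touched while excluding the permitted ranges (Robert), as an added example that is not from either poster. The log lines, the simplified syslog-style layout and the allowed address range are all constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines; the format is a simplified syslog-style
# layout assumed for this example, not taken from a real ftpd or firewall.
SAMPLE_LOG = """\
Apr 13 06:01:02 ftp1 ftpd[812]: ANONYMOUS FTP LOGIN FROM 10.10.5.7
Apr 13 06:01:09 ftp1 ftpd[813]: ANONYMOUS FTP LOGIN FROM 203.0.113.44
Apr 13 06:02:11 fw1 kernel: DROP SRC=198.51.100.9 DST=10.10.1.1 DPT=21
Apr 13 06:02:12 fw1 kernel: DROP SRC=198.51.100.9 DST=10.10.1.1 DPT=22
Apr 13 06:02:12 fw1 kernel: DROP SRC=198.51.100.9 DST=10.10.1.2 DPT=21
Apr 13 06:03:40 fw1 kernel: DROP SRC=203.0.113.44 DST=10.10.1.1 DPT=23
"""

# Ranges from which anonymous FTP logins are permitted (assumed value
# standing in for "other offices within the company").
ALLOWED_FTP_RANGES = [ipaddress.ip_network("10.10.0.0/16")]

FTP_RE = re.compile(r"ANONYMOUS FTP LOGIN FROM (\S+)")
PROBE_RE = re.compile(r"SRC=(\S+) DST=(\S+) DPT=(\d+)")


def analyse(log_text, allowed=ALLOWED_FTP_RANGES):
    """Return only the exceptions: anonymous FTP logins from outside the
    allowed ranges, plus a per-source summary of dropped probes giving
    the count and the destination hosts and ports each source touched."""
    unexpected_logins = []
    probes = defaultdict(lambda: {"count": 0, "dsts": set(), "ports": set()})
    for line in log_text.splitlines():
        m = FTP_RE.search(line)
        if m:
            src = ipaddress.ip_address(m.group(1))
            # Rather than grepping for every disallowed range, test the
            # one positive condition and report everything that fails it.
            if not any(src in net for net in allowed):
                unexpected_logins.append(str(src))
            continue
        m = PROBE_RE.search(line)
        if m:
            src, dst, port = m.groups()
            entry = probes[src]
            entry["count"] += 1
            entry["dsts"].add(dst)
            entry["ports"].add(int(port))
    return unexpected_logins, dict(probes)


if __name__ == "__main__":
    logins, probes = analyse(SAMPLE_LOG)
    for ip in logins:
        print(f"anonymous FTP login from outside allowed ranges: {ip}")
    for src, info in sorted(probes.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{src}: {info['count']} probes, hosts={sorted(info['dsts'])}, "
              f"ports={sorted(info['ports'])}")
```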

Received on Tue Apr 15 14:38:42 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:04:04 EDT

