Thread: Which reports are most important?

Which reports are most important?
user name
2006-05-18 02:32:25
Hey all,

I'm involved with helping SANS organize the logging summit this July. As
part of that, I was hit with a question that I thought could be best
answered via feedback from the group.

What do you feel are the top 5 reports a centralized log management
system should provide?

For example, a few I came up with:

Authentication failures (Web, system access, VPNs, etc.)
Access failures (HTTP scripts, recursion requests, etc.)
Initialization of new/unknown processes
Unexpected outbound traffic through the firewall (IRC, TFTP, SMTP, etc.)

I would love to see a similar list from other folks on the list.

Cheers,
Chris


_______________________________________________
LogAnalysis mailing list
LogAnalysislists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/loganalysis
Which reports are most important?
user name
2006-05-18 03:23:35
Quoting Chris Brenton <cbrentonchrisbrenton.org>:

> What do you feel are the top 5 reports a centralized log management
> system should provide?

This is not so much my Top 5 but some additions to your list below.

Users/groups created/deleted/changed
Anti-virus / spam detection (alerts for AV and stats for spam)
FW/VPN/gateway ruleset & configuration changes
Tripwire-style reports for critical files/hosts
Failed jobs/cron/batches

Regards

James Turnbull

-- 
James Turnbull <jameslovedthanlost.net>
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)

Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
Which reports are most important?
user name
2006-05-18 08:59:41
In some mail from Chris Brenton, sie said:
> 
> Hey all,
> 
> I'm involved with helping SANS organize the logging summit this July. As
> part of that, I was hit with a question that I thought could be best
> answered via feedback from the group.
> 
> What do you feel are the top 5 reports a centralized log management
> system should provide?

1) One that tells you when your web server has been defaced
2) One that tells you when someone has successfully used a new buffer
   overflow against your systems
3) When a hacker gets root
4) When one of your systems gets rootkit'd
5) How often a password is used in clear text

> For example, a few I came up with:
> 
> Authentication failures (Web, system access, VPNs, etc.)
> Access failures (HTTP scripts, recursion requests, etc.)
> Initialization of new/unknown processes
> Unexpected outbound traffic through the firewall (IRC, TFTP, SMTP, etc.)

I suppose they're statistically interesting but otherwise dull.

How about it tells me when there's an authentication failure
for the secretary from a computer in Bolivia?  I'm not really
interested in the 10 times a day she gets her password wrong,
at her desk because she's doing her nails and trying to login.

Darren
Which reports are most important?
user name
2006-05-18 12:37:13
Chris Brenton wrote:
> What do you feel are the top 5 reports a centralized log management
> system should provide?


There was a thread about this back a zillion years ago...

From my SANS tutorial on logging:
– Top N machines sending/receiving traffic through the firewall
– Top N machines sending/receiving traffic on the network segment
  • Same as above but inward-looking
– Top N machines being accessed behind the firewall
– Breakdown of traffic through firewall by service (%-age)
  • This is popular as a pie chart
– Breakdown of traffic on the network segment by service (%-age)
  • Same as above but inward-looking
– Top N email address(es) sending Email messages
– Top N email address(es) receiving Email messages
– Top N machines accessing web
– Top N targets identified in IDS alerts
– Top N IDS attacks identified
– %age of Email that is identified as spam
– %age of Email that contains blocked attachments
– %age of web traffic aimed at sites on porn blacklist
– %age of traffic aimed at sites on spy/adware blacklist
– Top N porn-surfers
– Top N most-ad/spyware infected systems
– New machines that have served WWW/FTP/SMTP today

mjr.

Which reports are most important?
user name
2006-05-19 03:38:36
Hi Chris,

First, you need to divide these logs in their categories, as you may have
firewall logs, mail logs, auth logs, NIDS logs, etc., etc. You would need a
lot of top 5's for them all.

Second, I think that no security professional is really interested in logs
that are not correlated at all. I mean, just top fives will not give much
information. I think it would be interesting to see this data based on
severities and vulnerabilities (like most severe alerts for the day). Just
showing that 10 users missed their passwords today does not bring anything
to the table, but showing that a brute force attack tried 20 passwords for 3
different users is more meaningful (and would be in the top of the list). In
addition to that, if we see this attack followed by a successful login from
the same source IP, we need to increase even more the severity of it... With
this top 5's approach you would lose that.


A small list of things that I think are meaningful (note that this list
requires the data to be correlated and it is not really what you asked).

For authentication logs:

- Multiple failed logins for the same user from the same source IP in a
  small period of time. It may be a false positive, but may be not.
  Severity 5 (for example)
- Multiple failed logins for multiple users from the same source IP.
  Probably a brute force attack. Severity 6.
- Multiple failed logins for multiple users, followed by a successful login.
  Hum.. this may mean something. Severity 8.
- Multiple successful logins for the same user across multiple systems.
  Severity 5.
- Successful logins during no work time. Severity 5.
- etc, etc, etc

For web logs:

- Multiple 400 error codes from same source IP (web scan). Severity 5.
- Successful request for URLs containing common web attacks (like SQL
  injection, directory traversal, etc). Severity 8.
- Failed requests (error 40x) for URLs containing common web attacks.
  Severity 6.
- etc, etc, etc...

Well, hope I was able to make my point. Sorry for any English mistakes too...

*Btw, I'm starting a document on some of the attacks that we could detect
with log analysis by monitoring different types of logs. If anyone is
interested in adding some more information, the draft is below:
http://www.ossec.net/en/loganalysis.html

Thanks,

--
Daniel B. Cid
dcid  ( at ) ossec.net

--- Chris Brenton <cbrentonchrisbrenton.org> wrote:

> Hey all,
> 
> I'm involved with helping SANS organize the logging summit this July. As
> part of that, I was hit with a question that I thought could be best
> answered via feedback from the group.
> 
> What do you feel are the top 5 reports a centralized log management
> system should provide?
> 
> For example, a few I came up with:
> 
> Authentication failures (Web, system access, VPNs, etc.)
> Access failures (HTTP scripts, recursion requests, etc.)
> Initialization of new/unknown processes
> Unexpected outbound traffic through the firewall (IRC, TFTP, SMTP, etc.)
> 
> I would love to see a similar list from other folks on the list.
> 
> Cheers,
> Chris
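Daniel's authentication-log rules above (and Darren's earlier point that the interesting failures are the ones that break the routine, not the ten daily typos at the desk) as an added worked example; this is not code from the thread, from OSSEC, or from any of the posters. It is a small Python correlator over sshd-style syslog lines that raises the severity as the pattern gets worse: repeated failures for one user from one source IP (severity 5), failures for several users from one IP (severity 6), a success from that IP right after such a burst (severity 8), and a success outside working hours (severity 5). The sample log lines, the thresholds, the 08:00-18:00 working day, and the year 2006 assumed for the year-less syslog timestamps are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd-style auth log (not real data): a burst of failures
# from 10.0.0.5 against three users, then a success from the same source at
# 02:10, and an unremarkable working-hours session for dave later in the day.
SAMPLE_LOG = """\
May 18 02:10:01 host1 sshd[101]: Failed password for alice from 10.0.0.5 port 4000 ssh2
May 18 02:10:05 host1 sshd[102]: Failed password for alice from 10.0.0.5 port 4001 ssh2
May 18 02:10:09 host1 sshd[103]: Failed password for alice from 10.0.0.5 port 4002 ssh2
May 18 02:10:12 host1 sshd[104]: Failed password for invalid user bob from 10.0.0.5 port 4003 ssh2
May 18 02:10:15 host1 sshd[105]: Failed password for carol from 10.0.0.5 port 4004 ssh2
May 18 02:10:40 host1 sshd[106]: Accepted password for carol from 10.0.0.5 port 4005 ssh2
May 18 09:30:00 host1 sshd[107]: Failed password for dave from 192.168.1.20 port 5000 ssh2
May 18 14:00:00 host1 sshd[108]: Accepted password for dave from 192.168.1.20 port 5001 ssh2
"""

# Thresholds are assumptions for this example; tune them per environment.
WINDOW = timedelta(minutes=5)   # "small period of time" for a failure burst
FAIL_THRESHOLD = 3              # failures for one user from one IP -> severity 5
USER_THRESHOLD = 3              # distinct users failing from one IP -> severity 6
WORK_HOURS = range(8, 18)       # successful login outside this -> severity 5

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse(text, year=2006):
    """Turn log lines into (timestamp, success, user, ip) tuples, oldest first.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2006)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event this example understands
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"] == "Accepted", m["user"], m["ip"]))
    return sorted(events)


def correlate(events):
    """Apply the auth-log rules; return a list of (severity, rule, ip, user)."""
    alerts = []
    recent = defaultdict(list)  # ip -> [(ts, user)] failures still inside WINDOW
    for ts, success, user, ip in events:
        window = recent[ip]
        while window and ts - window[0][0] > WINDOW:
            window.pop(0)  # expire failures older than the window
        if not success:
            window.append((ts, user))
            same_user = sum(1 for _, u in window if u == user)
            users = {u for _, u in window}
            # fire exactly when a count reaches its threshold, so one burst
            # produces one alert rather than one per extra failure
            if same_user == FAIL_THRESHOLD:
                alerts.append((5, "repeated failures for one user", ip, user))
            if len(users) == USER_THRESHOLD:
                alerts.append((6, "failures for multiple users (brute force?)", ip, user))
        else:
            users = {u for _, u in window}
            if len(users) >= USER_THRESHOLD:
                alerts.append((8, "success after multi-user brute force", ip, user))
            if ts.hour not in WORK_HOURS:
                alerts.append((5, "successful login outside work hours", ip, user))
    return alerts


def run_sample():
    """Run the rules over the constructed sample log, in log order."""
    return correlate(parse(SAMPLE_LOG))


if __name__ == "__main__":
    # Most severe first, which is the "top of the list" view Daniel describes.
    for sev, rule, ip, user in sorted(run_sample(), reverse=True):
        print(f"sev={sev} {rule}: ip={ip} user={user}")
```

Run stand-alone it prints four alerts, all for 10.0.0.5: the severity 8 success-after-brute-force for carol on top, then the severity 6 multi-user burst, and the two severity 5 findings. Dave's single typo and his afternoon login produce nothing, which is the point Daniel and Darren are both making: the raw count of failures is dull, the correlated pattern is the report.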
Which reports are most important?
user name
2006-05-19 04:16:37
Chris and all,

IMHO, there can't be a Top 5 list. To make it possible, you have to
consider the role of the report recipient.

E.g.

Top 5 Reports for a SysAdmin
Top 5 Reports for a Security Analyst
Top 5 Reports for a CSO

And yes, I do have the lists - will send it later...

On 5/17/06, Chris Brenton <cbrentonchrisbrenton.org> wrote:
> Hey all,
>
> I'm involved with helping SANS organize the logging summit this July. As
> part of that, I was hit with a question that I thought could be best
> answered via feedback from the group.
>
> What do you feel are the top 5 reports a centralized log management
> system should provide?
>
> For example, a few I came up with:
>
> Authentication failures (Web, system access, VPNs, etc.)
> Access failures (HTTP scripts, recursion requests, etc.)
> Initialization of new/unknown processes
> Unexpected outbound traffic through the firewall (IRC, TFTP, SMTP, etc.)
>
> I would love to see a similar list from other folks on the list.
>
> Cheers,
> Chris


-- 
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
     http://www.chuvakin.org
http://www.securitywarrior.com
Which reports are most important?
user name
2006-05-19 06:28:06
Hi,

I haven't seen hardware problems in anyone's lists yet. (Although it
would come under bottom 5 or unexpected messages). Failed raid members
and the like...

-- 
Chris Edsall   PGP KeyID 873A97AB <c.edsallniwa.co.nz>