[logs] open source artificial ignorance-like systems
James Turnbull
james at lovedthanlost.net
Tue Apr 17 18:05:43 PDT 2007
Anton Chuvakin wrote:
> Hmm, what's wrong with "grep -v" for artificial ignorance?
>
>> Like always ignore xyz.*,
>> ignore abcd.* unless it happens more than X times in Y time frame
>
> Well, SEC can do this one ...
>
> Also, I wouldn't blindly auto-populate the library of things to ignore
> - just because something happens 5000 times the first time it does,
> doesn't mean it's benign :-)
I second the recommendation for SEC. It will more than adequately take
care of these requirements. I also second the concept of using
thresholding for ignoring messages rather than generically ignoring a
particular message.
http://www.estpak.ee/~risto/sec/
Regards
James Turnbull
--
James Turnbull <james at lovedthanlost.net>
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)
Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
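Added illustration (not part of the thread and not SEC code): a small Python filter that implements the two ideas discussed above, a hand-maintained "always ignore" list and a thresholded ignore ("ignore abcd.* unless it happens more than X times in Y seconds"), run over constructed syslog lines. Everything that matches neither list is reported as unknown, which is the artificial-ignorance part; a thresholded message surfaces only once its count inside a sliding window exceeds the limit. The patterns, limits, and log lines are invented for the example; SEC expresses the same logic in its own rule files.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample syslog lines for the example. Syslog timestamps carry no
# year, so parse_timestamp() assumes 2007.
SAMPLE_LOG = [
    "Apr 17 18:00:01 host1 cron[123]: (root) CMD (run-parts /etc/cron.hourly)",
    "Apr 17 18:00:05 host1 sshd[200]: Failed password for invalid user test from 10.0.0.5 port 4022 ssh2",
    "Apr 17 18:00:06 host1 sshd[201]: Failed password for invalid user admin from 10.0.0.5 port 4023 ssh2",
    "Apr 17 18:00:07 host1 sshd[202]: Failed password for invalid user guest from 10.0.0.5 port 4024 ssh2",
    "Apr 17 18:00:08 host1 sshd[203]: Failed password for invalid user oracle from 10.0.0.5 port 4025 ssh2",
    "Apr 17 18:00:30 host1 cron[124]: (root) CMD (run-parts /etc/cron.hourly)",
    "Apr 17 18:05:00 host1 kernel: Out of memory: Kill process 999 (java)",
    "Apr 17 18:20:00 host1 sshd[300]: Failed password for invalid user test from 10.0.0.9 port 5000 ssh2",
]

# Messages that are dropped unconditionally (the "grep -v" part). Kept as an
# explicit, reviewed list rather than auto-populated from frequency counts.
ALWAYS_IGNORE = [
    re.compile(r"cron\[\d+\]: \(root\) CMD \(run-parts"),
]

# (pattern, max_count, window_seconds): the message is ignored unless it occurs
# more than max_count times within any window_seconds span.
THRESHOLD_RULES = [
    (re.compile(r"sshd\[\d+\]: Failed password for invalid user"), 3, 60),
]


def parse_timestamp(line, year=2007):
    """Parse the leading 'Mon DD HH:MM:SS' syslog timestamp (assumed year)."""
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return ts.replace(year=year)


def filter_log(lines, always_ignore=ALWAYS_IGNORE, threshold_rules=THRESHOLD_RULES):
    """Classify each line as suppressed, alert (threshold exceeded) or unknown."""
    # One sliding window of timestamps per thresholded rule.
    windows = [deque() for _ in threshold_rules]
    result = {"alerts": [], "unknown": [], "suppressed": 0}

    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue

        if any(p.search(line) for p in always_ignore):
            result["suppressed"] += 1
            continue

        matched = False
        for (pattern, max_count, window_seconds), seen in zip(threshold_rules, windows):
            if not pattern.search(line):
                continue
            matched = True
            ts = parse_timestamp(line)
            seen.append(ts)
            # Drop occurrences that fell out of the window.
            cutoff = ts - timedelta(seconds=window_seconds)
            while seen and seen[0] < cutoff:
                seen.popleft()
            if len(seen) > max_count:
                result["alerts"].append(
                    f"{len(seen)} matches of {pattern.pattern!r} within "
                    f"{window_seconds}s: {line}"
                )
            else:
                result["suppressed"] += 1
            break

        if not matched:
            # Nothing we have explicitly decided about: show it to a human.
            result["unknown"].append(line)

    return result


if __name__ == "__main__":
    report = filter_log(SAMPLE_LOG)
    print(f"suppressed: {report['suppressed']}")
    for a in report["alerts"]:
        print("ALERT  ", a)
    for u in report["unknown"]:
        print("UNKNOWN", u)
```

On the sample, the two cron lines and the first three failed logins are suppressed, the fourth failed login inside one minute becomes an alert, the out-of-memory line is reported as unknown, and the failed login twenty minutes later is suppressed again because the window has emptied.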