[logs] Analyzing tons of logs

Bamm Visscher bamm.visscher at gmail.com
Fri Mar 30 07:11:43 PDT 2007


Sguil isn't well suited for doing post-analysis of data that wasn't
collected using one of its "collection agents" (firewall logs aren't
supported at all). You mentioned you have tons of pcap data though,
so if you wanted to use Sguil, you could replay that data through a
Sguil sensor and it would build the appropriate data types.  I expect
that would be a lot of work based on the amount of data mentioned, so
unless you are involved in an incident response engagement, I am not
sure it'd be worth it. If you are currently involved in an IR
engagement, then I expect pushing the data back through Sguil would be
very useful since it provides the means to query flow/session data and
then analyze the packet captures associated with each flow.

Your original question is a bit of an odd one. You mention you have a
"ton of logs" but only really two different types, raw pcap and
firewall logs.  Pcap data isn't usually considered "log data" since
you can't use a log analysis tool (SIM/SEM) to analyze it directly. I
personally find firewall logs fairly useless by themselves, especially
when configured to only log when access is denied.

If you are interested in implementing security monitoring from the
network level, I think installing Sguil now is worth taking a look at
(in my biased opinion), especially if your focus is on the future.

Bamm


On 3/29/07, Chetan Gupta <chetangupta01 at gmail.com> wrote:
> Dear list members,
> Thanks a lot for your wonderful insights on this topic. I've noted down all
> the points mentioned and am gonna try out the various solutions
> suggested. Precisely, I am gonna try and lay my hands on the following tools
> in the coming weeks:
>
>
> OSSIM
> Manageengine adventnet
> Splunk
> Logpp
> I would post regarding my experience with these tools.
> How about sguil? That's an NSM tool I guess. Has any one tried it?
>
>  Can anyone suggest some good repositories for sample logs containing some
> attacks. I know I could get some from honeynet.org site or loganalysis.org.
> Any other apart from these two?
> Thanks again,
>
> --
> Chetan Gupta ENCE, GCIA, GCFA, CEH, CCNA, CIW Sec. Analyst
> Forensic Consultant
>
> Mobile: +91 9810718489
> ------------------------------------------------------
> Online Computer Forensics Magazine
> http://www.niiconsulting.com/checkmate
> ------------------------------------------------------
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
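The workflow Bamm describes above (build session records from raw pcap, query the sessions, then pull the packets belonging to one session) can be sketched in a few dozen lines. The script below is an added example written for this page, not Sguil's own code or its data format; it assumes a plain little-endian libpcap file with Ethernet/IPv4/TCP frames, uses only the Python standard library, and constructs its own sample capture in memory (two short TCP conversations) so it runs offline.

```python
"""Toy flow/session index over a pcap with a pivot back to per-session packets.

Added example, not Sguil code. Assumes a little-endian libpcap file of
Ethernet/IPv4/TCP frames; the sample capture below is constructed here.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_tcp_packet(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums are zero, which this parser ignores."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                     64, 6, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(packets):
    """packets: iterable of (ts_sec, ts_usec, frame) -> pcap file bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for sec, usec, frame in packets:
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (record_index, timestamp, frame) for each record."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off, idx = 24, 0
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield idx, sec + usec / 1e6, data[off:off + incl]
        off, idx = off + incl, idx + 1


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload_len) or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + total]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13], len(tcp) - (tcp[12] >> 4) * 4


def build_sessions(pcap_bytes):
    """Index packets into sessions keyed (client_ip, client_port, server_ip, server_port).

    The first packet seen for a pair of endpoints defines the client side, so
    both directions of a conversation land in one record.
    """
    sessions = {}
    for idx, ts, frame in iter_pcap(pcap_bytes):
        p = parse_tcp(frame)
        if p is None:
            continue
        src, dst, sport, dport, flags, plen = p
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        key, side = (rev, "server") if rev in sessions else (fwd, "client")
        s = sessions.setdefault(key, {"start": ts, "end": ts, "flags": 0,
                                      "client_pkts": 0, "server_pkts": 0,
                                      "client_bytes": 0, "server_bytes": 0,
                                      "packets": []})
        s["end"], s["flags"] = ts, s["flags"] | flags
        s[side + "_pkts"] += 1
        s[side + "_bytes"] += plen
        s["packets"].append(idx)
    return sessions


def query(sessions, dst_port):
    """Session query: every conversation to a given server port."""
    return [(k, s) for k, s in sessions.items() if k[3] == dst_port]


def packets_for(pcap_bytes, session):
    """Pivot from one session record back to its raw frames."""
    wanted = set(session["packets"])
    return [f for idx, _ts, f in iter_pcap(pcap_bytes) if idx in wanted]


# Constructed sample capture: one HTTP request and one connection to TCP/4444.
SAMPLE_PCAP = build_pcap([
    (1175000000, 0, build_tcp_packet("10.0.0.5", "192.168.1.10", 40001, 80, SYN)),
    (1175000000, 500, build_tcp_packet("192.168.1.10", "10.0.0.5", 80, 40001, SYN | ACK)),
    (1175000000, 900, build_tcp_packet("10.0.0.5", "192.168.1.10", 40001, 80,
                                       PSH | ACK, b"GET / HTTP/1.0\r\n\r\n")),
    (1175000010, 0, build_tcp_packet("10.0.0.5", "203.0.113.9", 40002, 4444, SYN)),
    (1175000010, 300, build_tcp_packet("203.0.113.9", "10.0.0.5", 4444, 40002, SYN | ACK)),
    (1175000010, 700, build_tcp_packet("10.0.0.5", "203.0.113.9", 40002, 4444,
                                       PSH | ACK, b"id\n")),
])

if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_PCAP)
    for key, s in query(sessions, dst_port=4444):
        print("%s:%d -> %s:%d  pkts c/s %d/%d  bytes c/s %d/%d" % (
            key + (s["client_pkts"], s["server_pkts"], s["client_bytes"], s["server_bytes"])))
        for frame in packets_for(SAMPLE_PCAP, s):
            print("  frame with %d payload bytes" % parse_tcp(frame)[5])
```

Replace `SAMPLE_PCAP` with `open(path, "rb").read()` to run it over a real capture; the point is the two-step shape (session record first, packets second), which is what makes session data the entry point for an IR engagement rather than the raw pcap itself. A big-endian or nanosecond-resolution pcap would need the magic check extended.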

