[logs] SIM solution - Objectives ?

Paul Melson pmelson at gmail.com
Tue May 29 13:02:57 PDT 2007


> My preceding comments should emphatically not be taken to mean that I
> think you shouldn't log denies!
> If it's worth denying, it's worth logging - and that's a fact. But in
> today's environment, with all the
> HTTP tunnelling crapware and malware, it's really really really important
> to be looking at stuff like
> "top permitted destinations" and things like that! In fact I strongly
> recommend grabbing blacklists from
> places like squidguard.org and joining your destinations of permitted HTTP
> against the "spyware sites"
> blacklist to produce lists of internal machines that are making calls out
> to such sites. Useful?

Yes, but aren't you probably doing this already?  Most content filtering and
NIDS products do something like this out of the box because it's easy to
build and maintain.

My current favorite is looking through HTTP proxy requests for
/*.(.exe|.msi|.vbs|.bat|.cmd|.com)/ in the URL request field.  (If you do
HTTP header inspection in Check Point or PIX, you have this stuff, too.)  In
among the software updates and intentional program downloads you will also
find all of the malware/spyware/adware dropper downloads.  For monitoring
workstations for malware infections, this has proven to be fertile ground.
Correlating these results with IDS events for packed executable file
downloads or anti-virus detection events is also useful.

PaulM
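The hunt Paul describes above, executable extensions in proxied URLs correlated with IDS/AV events, as an added example that is not part of the original post. It parses Squid native access.log lines (constructed sample traffic, not real data), matches the extension against the URL path rather than the whole URL so that `.com` hostnames and query strings like `?q=foo.exe` do not fire, suppresses an assumed allowlist of known update servers, and then pairs each remaining download with constructed IDS/AV alerts for the same client within a time window. The host names, IP addresses, alert records and the `KNOWN_UPDATE_HOSTS` set are all assumptions for illustration.

```python
"""Hunt for executable downloads in HTTP proxy logs and correlate them with
IDS/anti-virus events.  Added example, not code from the original post.
All log lines, host names, addresses and alert records are constructed."""
import re
from urllib.parse import urlsplit

# Constructed Squid native access.log lines.  Fields: timestamp elapsed
# client action/status bytes method url user hierarchy/peer content-type.
SAMPLE_LOG = """\
1180463000.123    245 10.1.2.3 TCP_MISS/200 412233 GET http://download.example.com/updates/patch-2007.exe - DIRECT/203.0.113.10 application/octet-stream
1180463001.456     12 10.1.2.3 TCP_MISS/200 1532 GET http://www.example.com/index.html - DIRECT/203.0.113.11 text/html
1180463002.789    331 10.1.2.4 TCP_MISS/200 73000 GET http://cdn.example.net/ad/loader.msi?id=5 - DIRECT/203.0.113.12 application/octet-stream
1180463003.012      9 10.1.2.5 TCP_MISS/200 2200 GET http://www.example.com/search?q=foo.exe - DIRECT/203.0.113.11 text/html
1180463004.345     88 10.1.2.6 TCP_MISS/200 9100 GET http://203.0.113.50/x/stage1.vbs - DIRECT/203.0.113.50 text/vbscript
1180463005.678    301 10.1.2.6 TCP_MISS/200 51200 GET http://203.0.113.50/x/stage2.exe - DIRECT/203.0.113.50 application/octet-stream
1180463006.901     15 10.1.2.7 TCP_MISS/200 3000 GET http://www.example.com/about.COM.html - DIRECT/203.0.113.11 text/html
"""

# Constructed IDS/AV alerts as (epoch_seconds, client_ip, description).
SAMPLE_ALERTS = [
    (1180463010.0, "10.1.2.6", "IDS: packed PE (UPX) download detected"),
    (1180463700.0, "10.1.2.3", "AV: Trojan.Dropper quarantined"),  # 700s later, outside window
]

# Extension match is anchored to the end of the URL *path*, not the full URL.
EXEC_EXT = re.compile(r"\.(exe|msi|vbs|bat|cmd|com)$", re.IGNORECASE)

# Assumption: a site-specific allowlist of update servers whose executable
# downloads are expected.  Tune for your environment.
KNOWN_UPDATE_HOSTS = {"download.example.com"}


def parse_squid_line(line):
    """Return a dict for one access.log line, or None if it does not parse."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return {
        "ts": float(fields[0]),
        "client": fields[2],
        "status": fields[3],
        "method": fields[5],
        "url": fields[6],
        "mime": fields[9],
    }


def executable_extension(url):
    """Lower-case extension if the URL path ends in an executable extension,
    else None.  '.com' hostnames and ?q=foo.exe query strings do not match."""
    m = EXEC_EXT.search(urlsplit(url).path)
    return m.group(1).lower() if m else None


def find_executable_downloads(log_text, allowlist=KNOWN_UPDATE_HOSTS):
    """Records for successful requests whose URL path names an executable,
    excluding allowlisted hosts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        ext = executable_extension(rec["url"])
        if ext is None or not rec["status"].endswith("/200"):
            continue
        host = urlsplit(rec["url"]).hostname
        if host in allowlist:
            continue
        rec["ext"], rec["host"] = ext, host
        hits.append(rec)
    return hits


def correlate(hits, alerts, window=300.0):
    """Pair each download with alerts for the same client raised within
    `window` seconds after the request.  Returns [(hit, [alert, ...]), ...]."""
    out = []
    for hit in hits:
        matched = [a for a in alerts
                   if a[1] == hit["client"] and 0 <= a[0] - hit["ts"] <= window]
        out.append((hit, matched))
    return out


def hosts_with_alerts(log_text=SAMPLE_LOG, alerts=SAMPLE_ALERTS):
    """Sorted clients that fetched an executable and then raised an alert."""
    return sorted({hit["client"] for hit, matched
                   in correlate(find_executable_downloads(log_text), alerts) if matched})


if __name__ == "__main__":
    for hit, matched in correlate(find_executable_downloads(SAMPLE_LOG), SAMPLE_ALERTS):
        print(f"{'ALERT' if matched else '     '} {hit['client']} {hit['ext']:<4} {hit['url']}")
        for ts, _, desc in matched:
            print(f"        +{ts - hit['ts']:.0f}s {desc}")
```

Run against a real access.log, the interesting output is the clients that appear with an alert within a few minutes of the download; the ones without an alert are still worth eyeballing by destination host, since a bare IP serving `.vbs` then `.exe` looks nothing like a vendor update server.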



More information about the LogAnalysis mailing list