[logs] too many false alarms

Bennett Todd bet at rahul.net
Thu Jan 24 16:46:55 PST 2008


2008-01-24T23:04:43 Jon Stearley:
> what false alarm rate do you tolerate for your current monitoring system?  

Monitoring what?

How expensive is a false negative?

How often do real alerts come in?

Failed attacks on a successfully-hardened server; as long as you
know the accuracy rates you can deduce the stats, which are all you
care about.

If missed alerts are enormously expensive and alerts come in no
oftener than once a week, it could be that a 300% false positive
rate would still be fine.

If you're keeping a desk of 50 people racing full-time and are
neglecting real alarms because you can't keep up, a 2% false
positive might be worth a lot of engineering effort to tighten
things down that much more.

-Bennett
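A way to put numbers on the trade-off described above, as an added example that is not from the original post or the list. The desk model is a constructed assumption: "false positive rate" is taken as false alarms per genuine alert (3.0 for "300%"), a saturated desk drops alarms in proportion, and all cost and capacity figures are made up for illustration.

```python
from dataclasses import dataclass


@dataclass
class Desk:
    real_per_week: float     # genuine alerts per week
    false_per_real: float    # false alarms per genuine alert; 3.0 is the post's "300%"
    miss_cost: float         # cost of one genuine alert nobody acts on
    triage_cost: float       # cost of investigating one alarm, true or false
    capacity: float          # alarms the desk can actually work through per week


def weekly_outcome(d: Desk) -> dict:
    """Expected weekly cost of a monitoring setup (constructed model, not the poster's)."""
    false_per_week = d.real_per_week * d.false_per_real
    total = d.real_per_week + false_per_week
    # Alarms arrive mixed, so whatever the desk cannot reach is dropped in
    # proportion: a saturated desk silently neglects genuine alerts too.
    worked_fraction = min(1.0, d.capacity / total) if total else 1.0
    missed_real = d.real_per_week * (1.0 - worked_fraction)
    investigated = min(total, d.capacity)
    return {
        "alarms_per_week": total,
        "precision": d.real_per_week / total if total else 1.0,
        "missed_real": missed_real,
        "weekly_cost": missed_real * d.miss_cost + investigated * d.triage_cost,
    }


def saving_from_tightening(d: Desk, new_false_per_real: float) -> float:
    """Weekly cost saved by cutting the false-alarm ratio: what tuning effort is worth."""
    tightened = Desk(d.real_per_week, new_false_per_real, d.miss_cost,
                     d.triage_cost, d.capacity)
    return weekly_outcome(d)["weekly_cost"] - weekly_outcome(tightened)["weekly_cost"]


# Constructed scenarios mirroring the post's two extremes.
# A: hardened server, one genuine alert a week, a miss is very expensive, 300% false alarms.
QUIET = Desk(real_per_week=1, false_per_real=3.0, miss_cost=1_000_000,
             triage_cost=200, capacity=100)
# B: 50-person desk swamped by volume; only 2% false alarms, but it cannot keep up.
SWAMPED = Desk(real_per_week=5000, false_per_real=0.02, miss_cost=10_000,
               triage_cost=50, capacity=4000)

if __name__ == "__main__":
    for name, desk in (("quiet", QUIET), ("swamped", SWAMPED)):
        print(name, weekly_outcome(desk))
    print("weekly value of removing the 2%:", saving_from_tightening(SWAMPED, 0.0))
```

The same 2% ratio that is noise on the quiet desk is worth a large weekly saving on the swamped one, because every false alarm there displaces a genuine alert.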