OSCON 4.6: Overall Data Management Strategies -- What Security Logs Do You Look At and Why?

by Geoff Broadwell

Related link: http://conferences.oreillynet.com/cs/os2005/view/e_sess/6411

I'm not entirely sure what to say about this talk. I was a bit disappointed because the talk was considerably more high-level than I had hoped it would be. To be fair, the main title indicates a high-level view, but I was seduced by the rather detailed-sounding subtitle.

Certainly, he did list a number of useful tools for network security monitoring:

  • Snort (of course) for signature-based IDS

  • Snort perfmonitor for overall network health charts (and with perfmon-graph, RRD graphs)

  • BASE or ACID for Snort data display

  • Bro for application logging

  • ELOG for team coordination

  • WebSVN for RSS feeds of configuration changes for change management

  • tcpdstats for statistical analysis of tcpdump captures

  • dshield.org, AlertCon, and ITR (Internet Traffic Report) to get an overall view of Internet attack patterns

He also had a couple general tips:

  • Use a central log aggregator/analyzer (known as an Enterprise Security Manager, or ESM). This will allow cross-tool analysis of patterns, and give the security team just one UI to monitor.

  • Watch how hard the central log DB is being hammered. Sometimes a sudden spike in the volume of log entries is your first clue that something is very wrong in your network.

  • Poison your own DNS for fun and profit. Make malware callbacks, popup ad generators, sites that employees are not allowed to access, and so forth, hit an internal website instead of their usual destination. That site should send back appropriate messages to the user and advise them to contact the network security team if they feel they received the message in error, or think their system may be infected.

  • Don't just rely on signature-based IDS; use a behavioral (network flow-based) IDS tool as well.

Generally good advice. As I said, my biggest complaint was that I wanted more detail of this sort: "You have to cross check this log against this other log, because either one can be individually spoofed but it's hard to spoof both simultaneously." That's probably a lot more detail than could fit in 45 minutes, I suppose.

What network security logging, analysis, and reporting tools do you use?