[WEB SECURITY] Web app log monitoring
Albert
caruabertu at gmail.com
Tue Dec 2 04:30:37 EST 2008
Dear Mr Folini
In the mid-1980s, we used to say that artificial intelligence is better than
natural stupidity. Now artificial ignorance seems to be the rage!
Humour apart, *well-fed* Bayesian methods may be useful - collect data and
tell your system what is useful and what is not, ask it to alert when
unusual events or changes in behaviour occur. You would have to combine it
with "voyeur" methods to detect stealth attacks - look for long-term repeats
of similar events. Well-fed is critical. The Bayesian method means that you
assume something when you see it the first time around.
The first "Bayesian" conclusion is thus usually pure guesswork and has at
best a 50/50 chance of being correct, so you need to teach your system as it
collects data for a long time and again every time new events happen
for it to be reliable. Hence the requirement for "feeding" your pet Bayesian
filter.
I believe the little neural network on top of your neck, which is expert at
detecting anomalies, does not work in a Bayesian way but as follows:
continuous observation, recognition and recording of patterns, not events,
and very sensitive detection of variations in the patterns.
*A better approach* could thus be to use massive parallel processing and
develop a system to "get the buzz" of what is happening so that it can
detect changes in colour(frequency) and intensity of the buzz without really
knowing what is going on.
There is at least one interesting newsfeed on visualisation of network
traffic.
http://secviz.org/rss.xml
-----Original Message-----
From: christian.folini at post.ch [mailto:christian.folini at post.ch]
Sent: 02 December 2008 07:29
To: c.mccown at intel.com; websecurity at webappsec.org
Subject: [WEB SECURITY] AW: Web app log monitoring - what to look for and
how often to look for it
Hey Chris,
I believe you have to use a technique called "Artificial Ignorance". A term
coined by Marcus
Ranum. He describes it as "a process whereby you throw away the log entries
you know aren't interesting".
I am currently playing around with SEC, the Simple Event Correlator which is
handy to perform
this kind of action and correlates what is left afterwards. Some operations
security folks say they want to see stats on the important things, like an
hourly report.
As for alarming, I think you want realtime. Otherwise you give away a lot of
possible benefit.
Cheers,
Christian
________________________________
From: McCown, Christian M [mailto:c.mccown at intel.com]
Sent: Monday, 1 December 2008 23:48
To: websecurity at webappsec.org
Subject: [WEB SECURITY] Web app log monitoring - what to look for and how
often to look for it
We all pretty much agree that logging and monitoring are a core part of
defense in depth. Minimally, as good practice, we're logging
authentication/access requests, key transactions, and in certain cases
probably well known attack strings, etc.
Q: What are security folks looking for in their web application logs (web
server, app server, etc.) and how often are you looking for it?
Understand this is a broad question with many ways to slice it so open to
different paths.
Or, in lieu of a long thread, are there already documented resources out
there. Have checked sources like OWASP, SANS Reading Room, and several web
application hacking books. I could probably string things together, but was
hoping someone or some group has already done this.
Thanks
____
Chris McCown, GSEC(Gold), GWAS
Intel Corporation
c.mccown at intel.com <mailto:c.mccown at intel.com>
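The "artificial ignorance" step Christian describes (throw away the entries you already know are boring, then correlate what is left, with an hourly summary and realtime alerting) and the long-term repeat detection Albert mentions, as an added example that is neither code from this thread nor SEC itself. It assumes Apache/NCSA common-log-format lines; the log lines, the ignore patterns and the repeat threshold are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines in common log format (not from the thread).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Dec/2008:07:29:01 +0100] "GET /index.html HTTP/1.1" 200 1043
10.0.0.5 - - [02/Dec/2008:07:29:02 +0100] "GET /static/logo.png HTTP/1.1" 200 5120
10.0.0.9 - - [02/Dec/2008:07:29:05 +0100] "GET /login HTTP/1.1" 200 812
10.0.0.9 - - [02/Dec/2008:07:29:06 +0100] "POST /login HTTP/1.1" 401 0
10.0.0.9 - - [02/Dec/2008:07:29:07 +0100] "POST /login HTTP/1.1" 401 0
10.0.0.9 - - [02/Dec/2008:07:29:08 +0100] "POST /login HTTP/1.1" 401 0
10.0.0.7 - - [02/Dec/2008:07:30:00 +0100] "GET /robots.txt HTTP/1.1" 404 0
10.0.0.9 - - [02/Dec/2008:07:30:11 +0100] "GET /old/report.pdf HTTP/1.1" 404 0
"""

# The "artificial ignorance" list: patterns for entries already reviewed and
# judged uninteresting. It grows as events are reviewed; anything not matched
# is kept, so unknown behaviour is never silently discarded.
IGNORE_PATTERNS = [re.compile(p) for p in (
    r'"GET /static/\S+ HTTP/1\.[01]" 200 ',      # successful static asset fetches
    r'"GET /(index\.html)? HTTP/1\.[01]" 200 ',  # successful homepage hits
    r'"GET /robots\.txt HTTP/1\.[01]" 404 ',     # crawlers probing robots.txt
)]

# source, method, path, status from a common-log-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def artificial_ignorance(lines):
    """Drop every line matching a known-boring pattern; return the rest parsed."""
    kept = []
    for line in lines:
        if any(p.search(line) for p in IGNORE_PATTERNS):
            continue
        m = LINE_RE.match(line)
        if m:  # lines that do not parse would deserve their own review queue
            ip, method, path, status = m.groups()
            kept.append((ip, method, path, int(status)))
    return kept

def correlate(events, threshold=3):
    """Flag the same (source, request, status) repeating at least `threshold` times."""
    return [(key, n) for key, n in Counter(events).items() if n >= threshold]

def status_report(events):
    """Per-status counts of what survived filtering, for the hourly summary."""
    return Counter(status for _, _, _, status in events)

if __name__ == "__main__":
    survivors = artificial_ignorance(SAMPLE_LOG.splitlines())
    print("kept %d of %d lines" % (len(survivors), len(SAMPLE_LOG.splitlines())))
    print("hourly status summary:", dict(status_report(survivors)))
    for key, n in correlate(survivors):
        print("ALERT: repeated %d times: %s" % (n, key))
```

On the sample data the three successful homepage, static and robots.txt hits are discarded, the remaining five events are summarised by status, and the three repeated failed logins from one source produce the single alert.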