[WEB SECURITY] Web app log monitoring
caruabertu at gmail.com
Tue Dec 2 04:30:37 EST 2008
Dear Mr Folini
In the mid-1980s, we used to say that artificial intelligence is better than
natural stupidity. Now artificial ignorance seems to be the rage!
Humour apart, *well-fed* Bayesian methods may be useful - collect data and
tell your system what is useful and what is not, ask it to alert when
unusual events or changes in behaviour occur. you would have to combine it
with "voyeur" methods to detect stealth attacks - look for long term repeats
of similar events. well-fed is critical. The Bayesian method means that you
assume something when you see it first time around.
The first Bayesian" conclusion is thus usually pure guesswork and has at
best a 50/50 chance of being correct so you need to teach your system as it
collects data for a long time and again every time when new events happen
for it to be reliable. Hence the requirement for "feeding" your pet Bayesian
I believe the little neural network on top of your neck, which is expert at
detecting anomalies, does not work in bayesian way but as follows:
continuous observation, recognition and recording of patterns, not events,
and very sensitive detection of variations in the patterns.
*A better approach* could thus be to use massive parallel processing and
develop a system to "get the buzz" of what is happening so that it can
detect changes in colour(frequency) and intensity of the buzz without really
knowing what is going on.
There is at least one interesting newsfeed on visualisation of network
From: christian.folini at post.ch [mailto:christian.folini at post.ch]
Sent: 02 December 2008 07:29
To: c.mccown at intel.com; websecurity at webappsec.org
Subject: [WEB SECURITY] AW: Web app log monitoring - what to look for and
how often to look for it
I believe you have to use a technique called "Artificial Ignorance". A term
coined by Marcus
Ranum. He describes it as "a process whereby you throw away the log entries
you know aren't interesting".
I am currently playing around with SEC, the Simple Event Correlator which is
handy to perform
this kind of action and correlates what is left afterwards. Some operation
security folks say, they want to see stats on the important things. Like an
As for alarmin, I think you want realtime. Otherwise you give away a lot of
Von: McCown, Christian M [mailto:c.mccown at intel.com]
Gesendet: Montag, 1. Dezember 2008 23:48
An: websecurity at webappsec.org
Betreff: [WEB SECURITY] Web app log monitoring - what to look for and how
often to look for it
We all pretty much agree that logging and monitoring are a core part of
defense in depth. Minimally, as good practice, we're logging
authentication/access requests, key transactions, and in certain cases
probably well known attack strings, etc.
Q: What are security folks looking for in their web application logs (web
server, app server, etc.) and how often are you looking for it?
Understand this is a broad question with many ways to slice it so open to
Or, in lieu of a long thread, are there already documented resources out
there. Have checked sources like OWASP, SANS Reading Room, and several web
application hacking books. I could probably string things together, but was
hoping someone or some group has already done this.
Chris McCown, GSEC(Gold), GWAS
* c.mccown at intel.com <mailto:c.mccown at intel.com>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the websecurity