It's so easy, it's like falling off a log....
Intrusion Detection and Analysis seems pretty complex. You're tracing and trailing someone who doesn't want to be seen or caught. It's the old cat and mouse game in cyberspace.
At first glance it seems really hard. You have to wade through mounds of information. The sheer amount of data that must be sifted to weed out the signal from the noise (or anomaly from the normal traffic) is enough to make you babble about needles in haystacks.
So I started reading... (big surprise, eh?) And now the fog is lifting. It's really not that hard at all - if you know what you're looking for... [As a friend says, "everything's easy once you know how to do it."]
In a nutshell, you have to know logs. Yeah...that really boring stuff. Those files that keep piling up that you keep ignoring. Beautiful logs.
It's always the simplest thing that ends up being most crucial. I remember years ago when I first read the O'Reilly book on NT Event Logging. I chided myself for being such a geek. But, I knew those logs were important. I knew they had a story to tell. What I didn't know was that once you get them talking, they never shut up!
And I also remember looking through raw web logs. I learned their format because of my desire to know more about web visit statistics. I learned how to use various web stat software packages to pull the information I wanted out of those long and confusing files. Now, I'm just looking to pull different information...
So now I have to master logs. I have to know where they're kept for each application/protocol of interest. I have to know their format. And most importantly -- I have to know how to mine them for "interesting events."
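As an added illustration of the three things named above (where a log lives, what its format is, and how to mine it for interesting events), here is a small Python example that is not part of the original post. It assumes the web server writes the common Apache/NCSA "combined" format, and the log lines it reads are constructed sample data, not entries from any real server; the error threshold is an arbitrary starting value to tune against your own traffic.

```python
import re
from collections import Counter, defaultdict

# Apache/NCSA "combined" log format (the usual default for access logs):
#   host ident authuser [date] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed sample log lines (TEST-NET addresses, made-up paths) for the demo.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jul/2004:20:01:12 -0400] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jul/2004:20:01:13 -0400] "GET /style.css HTTP/1.1" 200 612 "http://example.com/index.html" "Mozilla/5.0"
203.0.113.5 - - [12/Jul/2004:20:02:40 -0400] "GET /admin/ HTTP/1.0" 404 209 "-" "scanner/1.0"
203.0.113.5 - - [12/Jul/2004:20:02:41 -0400] "GET /backup.zip HTTP/1.0" 404 209 "-" "scanner/1.0"
203.0.113.5 - - [12/Jul/2004:20:02:41 -0400] "GET /config.bak HTTP/1.0" 404 209 "-" "scanner/1.0"
203.0.113.5 - - [12/Jul/2004:20:02:42 -0400] "GET /.htpasswd HTTP/1.0" 403 199 "-" "scanner/1.0"
192.0.2.10 - - [12/Jul/2004:20:03:00 -0400] "GET /missing.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"
this line is not a log entry
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()          # "GET /path HTTP/1.1" -> method, path, version
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def status_histogram(lines):
    """Count HTTP status codes; a quick baseline of what 'normal' looks like."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["status"]] += 1
    return counts


def interesting_events(lines, error_threshold=3):
    """Return host -> summary for hosts that produced >= error_threshold 4xx/5xx responses.

    A single client producing a run of 'not found' or 'forbidden' responses for
    paths that do not exist on the site is the kind of anomaly worth a closer look.
    """
    per_host = defaultdict(lambda: {"total": 0, "errors": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                        # unparsable junk is skipped, not counted
        summary = per_host[rec["host"]]
        summary["total"] += 1
        if rec["status"] >= 400:
            summary["errors"] += 1
            summary["paths"].add(rec["path"])
    return {host: s for host, s in per_host.items() if s["errors"] >= error_threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("status codes:", dict(status_histogram(lines)))
    for host, s in interesting_events(lines).items():
        print(f"{host}: {s['errors']}/{s['total']} error responses, paths: {sorted(s['paths'])}")
```

Run against a real access log by replacing SAMPLE_LOG with `open("/var/log/apache2/access.log")` (the path is an assumption; it varies by distribution and server configuration). The two helpers separate the boring part (knowing the format) from the interesting part (deciding what counts as an event), so the threshold and the notion of "interesting" can be changed without touching the parser.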
It's always a sweet surprise when you find out that you already know how to do something...and just need to delve a little deeper to own it.
Posted by BlueWolf on July 12, 2004 08:08 PM