We struggle with this as well. As far as LEM is concerned, I don't have any rules to give out that would help. We have gone the route of setting up traps to alert us. So, for example, I want to be alerted to scanning attempts via burst rate threshold %733105. I would set up my SNMP trap via SAM that also logs it to LEM for archival purposes. Same way with our IDS system. In a lot of cases we get tons of unmatched data, so we don't use LEM exclusively for alerting in these instances. Canned nDepth searches Network Suspicious, Network Attack and Security Alerts have been helpful in identifying those anomalous events that occur. But there is no magic bullet. It's a constant back & forth of viewing log files, tweaking settings, and trying to leverage LEM for alerts. When it comes to network devices, we definitely use LEM more as a log receptacle than an actual IDS/IPS device.
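The post above alerts on scanning attempts with a burst rate threshold rather than with LEM correlation rules. The following is an added example of what such a threshold does when run over connection-log lines; it is not code from the post, from LEM or from SAM. It assumes a generic `src=... dst=... dport=... action=...` log format and constructs its own sample lines. It counts distinct destination ports per source inside a sliding time window, which is what separates a port scan from a busy-but-legitimate host hammering one port. The sample also includes a slow scan (one port every 70 seconds) to show the caveat: a burst rate threshold does not see it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for the example (not LEM's or SAM's native format):
#   <ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match
    (the 'unmatched data' a collector will also see)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def detect_scans(lines, threshold=10, window=timedelta(seconds=60)):
    """Burst-rate threshold: alert once per source when it touches at least
    `threshold` distinct destination ports within any `window`."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # src -> deque of (timestamp, dport)
    alerted = set()
    alerts = []
    for e in events:
        q = recent[e["src"]]
        q.append((e["ts"], e["dport"]))
        # Slide the window: drop entries older than `window`.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= threshold and e["src"] not in alerted:
            alerted.add(e["src"])
            alerts.append({
                "src": e["src"],
                "ports": sorted(distinct),
                "first": q[0][0],
                "last": e["ts"],
            })
    return alerts


def build_sample_log():
    """Constructed sample traffic (not real logs) with three behaviours."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    # 1) Scanner: 15 distinct ports in 30 seconds -> should alert.
    for i in range(15):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} src=10.0.0.5 dst=10.0.1.10 dport={20 + i} action=deny")
    # 2) Busy but benign: 20 hits to one port in 20 seconds -> high rate, not a scan.
    for i in range(20):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=10.0.0.7 dst=10.0.1.20 dport=443 action=allow")
    # 3) Slow scan: 12 distinct ports, one every 70 seconds -> never 10 in a 60s window.
    for i in range(12):
        ts = (base + timedelta(seconds=70 * i)).isoformat()
        lines.append(f"{ts} src=10.0.0.9 dst=10.0.1.30 dport={1000 + i} action=deny")
    lines.append("this line does not match the expected format and is skipped")
    return lines


if __name__ == "__main__":
    for a in detect_scans(build_sample_log()):
        print(f"ALERT {a['src']} hit {len(a['ports'])} ports "
              f"{a['ports'][0]}-{a['ports'][-1]} between {a['first']} and {a['last']}")
```

Only the 10.0.0.5 burst fires; the 10.0.0.7 host never trips it despite a higher event rate, and the 10.0.0.9 slow scan is invisible to a 60-second window. Catching the slow case needs a longer window or a separate low-and-slow rule, which is the kind of tuning the post describes as constant back and forth.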