On Tue, Sep 09, 2003 at 03:16:08PM -0700, Ben Barrett wrote:
> On a related note, I just read a review for Omnisight, an enterprise
> log-file analysis framework, in the Sept. 1 InfoWorld (free sub), and
> was flabbergasted. They go on about the impressive performance of the
> system, which costs a mere $124K, but don't mention the specs of the
> system they run their huge queries on. The framework inserts logs into
> SQL, where analysis is easy (as SQL allows, at least). What bugs me is
> that this seems like nothing -- it requires significant development to

I'm sure it is nothing. They charge that much because they believe people
will pay it. People will pay it because they don't know any better, because
they are being marketed to about some big time solution. They will pay that
much because people inherently believe that a product with such a high
price tag must be darn good, and do a lot.

We paid a high price tag for such a product. What we got was a pretty lame
product. It took OSS for us to realize that price has no relation to
quality, functionality, security or performance. For the suckers that pay
that price tag, they have some more lessons to learn.

> much. It does seem to offer, built into the "framework",
> cluster-friendly management and reporting... but gah, the basics seem so

Sure, framework, let's see ha-linux, postgresql, raid.

> It has a lot to do with education, of course;

Yes, education that 1) we can and should expect programs and computers to
work in a certain way, like OSS does and much MS software does not,
2) price has no relation to the above list, 3) OSS is cool.

> Now for a fun story, slightly related: While observing the network
> operations at burning man roughly a week and a half ago, there were some
> problems, which were somewhat mysterious (Clif might clarify, though) --
> someone had some kind of virus or worm on their windows system which
> somehow damaged the [debian] router's ability to maintain TCP routing;
> although UDP kept working fine, so the VoIP phones kept working
> perfectly.

Based on this information, I would say the Windows machine probably had
MSBlaster, Welchia or a variant and the Debian router had its state table
filled to overflowing. There is no state in UDP. VoIP and other realtime
media protocols usually use UDP because it is not reliable and they don't
want every packet to get there. They want the packets on time or not at
all, no delays as allowed in TCP. For a NAT router it requires state.

A worm like Welchia (which I had on my network a few weeks ago) tries to
ping 65,536 IP addresses within about 20 minutes, looking for machines to
infect. It waits a little while, then tries again with a new set of IPs.

I don't know about autodetection and autodefense around it. I suppose
snort might do something, but that isn't an area that I've learned about
yet. I discovered it with tcpdump. I then alleviated the situation by
entering in a firewall rule that disabled ICMP from that machine going out
to the internet. If I were there, I'd do something similar: tcpdump, then
manually modify some firewall rules.

> Thanks for putting up with another lengthy post, gaaah

Cory

-- 
Cory Petkovsek                      Adaptable IT Consulting
Adapting Information                (541) 914-8417
Technology to your                  [EMAIL PROTECTED]
business                            www.AdaptableIT.com

_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
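The message above describes spotting a Welchia-style host with tcpdump (one source sending ICMP echo requests to a large number of distinct addresses in a short time) and then blocking outbound ICMP from that host at the router. The script below is an added example written for this archive page; it is not Cory's code and not from the EuG-LUG list. It parses tcpdump-style ICMP echo request lines, keeps a sliding window of distinct destinations per source, flags any source that exceeds a threshold, and prints the kind of block rule the message describes. The tcpdump lines are constructed sample data, the thresholds (60 seconds, 20 distinct hosts) are assumed tuning values, and the iptables syntax is an assumption about the router's firewall, which the message does not name.

```python
import re
from collections import defaultdict, deque

# tcpdump prints ICMP echo requests as, e.g.:
#   12:00:01.000100 IP 192.168.1.50 > 10.0.0.1: ICMP echo request, id 512, seq 1, length 64
ECHO_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) IP (\S+) > (\S+): ICMP echo request"
)


def parse_icmp_echo(line):
    """Return (seconds_since_midnight, src, dst) for an ICMP echo request
    line, or None for any other tcpdump line (TCP, UDP, replies, ...)."""
    m = ECHO_RE.match(line)
    if not m:
        return None
    h, mi, s, us, src, dst = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6
    return ts, src, dst


def find_scanners(lines, window_seconds=60.0, max_distinct_dsts=20):
    """Return {src: peak_distinct_destinations} for every source that pinged
    more than max_distinct_dsts distinct hosts inside some window_seconds
    window. Lines are assumed to come from one capture, so timestamps only
    need to be comparable within a day (midnight wrap is not handled)."""
    windows = defaultdict(deque)                   # src -> deque of (ts, dst)
    counts = defaultdict(lambda: defaultdict(int))  # src -> dst -> hits in window
    peak = defaultdict(int)                        # src -> max distinct dsts seen
    for line in lines:
        parsed = parse_icmp_echo(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        q, c = windows[src], counts[src]
        q.append((ts, dst))
        c[dst] += 1
        # Drop events that have fallen out of the window for this source.
        while q and ts - q[0][0] > window_seconds:
            old_ts, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        peak[src] = max(peak[src], len(c))
    return {src: n for src, n in peak.items() if n > max_distinct_dsts}


def block_rule(src):
    """The mitigation from the message, as an iptables rule (assumed syntax):
    drop ICMP forwarded from the offending host so its pings stop consuming
    NAT state and never reach the internet."""
    return f"iptables -I FORWARD -s {src} -p icmp -j DROP"


def _line(ts, src, dst, seq):
    return f"{ts} IP {src} > {dst}: ICMP echo request, id 512, seq {seq}, length 64"


# Constructed sample capture: one host pinging 40 different addresses within
# 40 seconds (worm-like), one host pinging a single address twice (benign),
# and a TCP line that the parser must ignore.
SAMPLE_TCPDUMP = [
    _line("12:00:00.000100", "192.168.1.20", "10.1.1.1", 1),
    "12:00:05.000000 IP 192.168.1.20.34567 > 10.1.1.1.80: Flags [S], seq 1, win 65535, length 0",
    _line("12:00:30.000100", "192.168.1.20", "10.1.1.1", 2),
] + [
    _line(f"12:00:{i:02d}.{i * 1000:06d}", "192.168.1.50", f"10.0.0.{i + 1}", 1)
    for i in range(40)
]


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_TCPDUMP).items():
        print(f"{src}: {n} distinct ICMP destinations in window -> {block_rule(src)}")
```

Run it against a real capture with `tcpdump -l -n icmp | python3 script.py` style piping (reading `sys.stdin` instead of `SAMPLE_TCPDUMP`); the threshold is deliberately far below the 65,536 addresses per 20 minutes quoted in the message, so a sweep is flagged within its first minute rather than after the state table is already full.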
