I may have missed the first half of this, but have you looked at logcheck (www.psionic.com)? It does just that, in a nicely organized fashion, and you get the file-with-patterns filled in with standard worry marks, to which you can add your own. Nice, slick and just a big shell script.

Andy Bach, Sys. Mangler
Internet: andy_bachat_private
VOICE: (608) 261-5738   FAX 264-5030


Dave Dittrich <dittrichat_private> 01/16/02 03:36 PM
To: "Crow, Owen" <Owen_Crowat_private>
cc: "'Ryan Barnett'" <RCBarnettat_private>, <forensicsat_private>
Subject: RE: Using SWATCH for Forensic Analysis of VMware$DD images

> vs. a simple script:
>
> #!/bin/sh
> # Pull printable strings out of the image(s) first, then keep the lines
> # that mention a keyword; egrep alone reports "Binary file matches" on a
> # raw image instead of printing the hits. (The pattern is an egrep
> # alternation, so it takes no Perl-style /.../i delimiters.)
> strings "$@" | \
>   egrep -i 'rootkit|root kit|hack| irc | bot |sniff|backdoor|back door|promisc|knark|hax0r|hide|trojan|virus|TFN2K|adore|LKM|attack|denial-of-service|ddos|brute force|0wn' \
>   >> /images/grep_honeypot.txt

Even easier, try "fgrep -f file-with-patterns" and list all the patterns you want. See "man fgrep".

  -f FILE, --file=FILE
      Obtain patterns from FILE, one per line. The empty file contains zero
      patterns, and therefore matches nothing.

--
Dave Dittrich                      Computing & Communications
dittrichat_private                 University Computing Services
http://staff.washington.edu/dittrich   University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
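The keyword sweep the thread describes (strings out of a disk image, filtered through a pattern file with fgrep -f), written out as an added example that is not code from either poster. It assumes nothing beyond a POSIX shell, tr, awk and grep; the sample "image" and the pattern list are constructed here, and the tr/awk pair stands in for strings(1) so the script runs where binutils is not installed.

```sh
#!/bin/sh
# Added example: sweep raw images for indicator strings using a pattern
# file, one literal per line, the way "fgrep -f file-with-patterns" works.
set -eu
export LC_ALL=C   # treat the image as bytes, not as a multibyte text encoding

# Write the pattern file. grep -F takes every line literally, so entries
# like "back door" or "denial-of-service" need no escaping. Keep blank
# lines out: an EMPTY LINE (unlike an empty file) matches every string.
make_pattern_file() {
    cat > "$1" <<'EOF'
rootkit
root kit
backdoor
back door
promisc
knark
hax0r
trojan
denial-of-service
ddos
brute force
0wn
EOF
}

# Portable stand-in for strings(1): split the file on non-printable bytes
# and keep runs of at least four printable characters.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | awk 'length($0) >= 4'
}

# $1 = pattern file, remaining args = image files.
# Prints "image: matching string" for every hit, case-insensitively.
sweep_image() {
    pats=$1; shift
    for img in "$@"; do
        extract_strings "$img" | grep -i -F -f "$pats" \
            | awk -v img="$img" '{ print img ": " $0 }'
    done
    return 0   # a clean image is not an error
}

# Number of hits across the given images (handy for a quick triage count).
count_hits() {
    sweep_image "$@" | wc -l | tr -d ' '
}

# Constructed sample standing in for a dd image: printable strings
# separated by NUL and control bytes. Two of them should match.
make_sample_image() {
    printf 'bootsector\000\000/usr/lib/.knark/kn.o\000\000\001\002README\000BACK DOOR shell on port\000\000apache logrotate config\000' > "$1"
}

# Stand-alone demo when run directly.
demo() {
    tmp=$(mktemp -d)
    make_pattern_file "$tmp/patterns.txt"
    make_sample_image "$tmp/honeypot.dd"
    sweep_image "$tmp/patterns.txt" "$tmp/honeypot.dd"
    echo "hits: $(count_hits "$tmp/patterns.txt" "$tmp/honeypot.dd")"
    rm -rf "$tmp"
}
demo
```

Two things worth knowing before pointing this at a real image: a blank line in the pattern file turns the sweep into "print everything" (Dave's man page excerpt covers the empty file, not the empty line), and short keywords such as "hide", "bot" or "hack" will fire on ordinary binaries and man pages, so treat the output as leads to check by offset in a hex viewer, not as findings.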
This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 09:27:00 PST