Hi JJ,

> > I'm not sure if this is the right place for this, but I'm giving it a shot anyway.
> >
> > I've got web traffic logs for our users. In a WFA case, I need to be able to pull an individual employee's activity out of our logs and categorize the sites visited by said soon-to-be-ex-employee by site type. For instance:
> >
> > safe-mail.net = Web-based email
> > google.com = Search site
> > foxnews.com = News
> > weather.com = Weather
> > whitehouse.com = Adult entertainment
> >
> > I know a lot of the filtering suites out there do this kind of categorization, but I just need a good, often-updated category list by domain name so that I can grab the connection request heading to an IP and do a rough categorization based on what that IP resolves to.
> >
> > I also want to roll this category list into our post-WFA forensic analysis procedures so I can give a categorized report along with the actual system and evidence images.
> >
> > Any ideas?
>
> I figure this roughly fits into the kind of work some of us do, a.k.a.
> finding out what people do when they use our computers in ways that
> aren't intended.

I'm glad at least your question got through the moderator's scrutiny; perhaps mine won't.

Not sure whether this is something you want to cope with, since you risk getting loads of false negatives. E.g. go anywhere these days where you can download free pr0n: if you've got an account with plenty of free webspace available, you may get yourself a free subscription just by making your webspace available. Good for you and me, but for categorization this may mean you're getting 1 line for e.g. www.sexparty.tv (perhaps the user was tricked into this?), followed by a series of users.skynet.be/~somebody/1.mpg etc. files. It of course all depends upon the number of lines you're analysing, but even on relatively small sites (like the one I've been doing till the end of last year) you may have several millions of objects per day (lines).
If you can correctly categorize a small amount of it, perfect...

Suggestion: google for "Fabrice Prigent squidguard" and you'll find some hints.

kr

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
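The approach discussed in the thread, as an added example that is not code from either poster: load a squidGuard-style blacklist (one directory per category, each with a `domains` file and a `urls` file, which is the layout of the lists the reply points at), then run a squid native-format access.log through it and report one user's requests per category. It also illustrates the false-negative point made above: a domain-only list tags the single hit on www.sexparty.tv but leaves the following users.skynet.be/~somebody/*.mpg objects uncategorized, whereas a `urls` prefix entry for that directory catches them, and an unlisted directory on the same host still stays uncategorized. The blacklist contents, log lines, user names and IP addresses are all constructed for the example.

```python
"""Categorize one user's web requests from a squid access.log against a
squidGuard-style blacklist (per-category 'domains' and 'urls' lists).

Added example, not code from the mailing-list post. Blacklist entries,
log lines, user names and addresses below are constructed.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed stand-in for squidGuard blacklist files, keyed by category.
# A real list is a tree like adult/domains, adult/urls, news/domains, ...
BLACKLIST_FILES = {
    "adult": {
        "domains": "sexparty.tv\nwhitehouse.com\n",
        "urls": "users.skynet.be/~somebody\n",   # one user's directory on a shared host
    },
    "webmail": {"domains": "safe-mail.net\n", "urls": ""},
    "news": {"domains": "foxnews.com\n", "urls": ""},
    "search": {"domains": "google.com\n", "urls": ""},
}

# Constructed squid native-format lines:
# time elapsed client code/status bytes method URL user hierarchy/peer type
ACCESS_LOG = """\
1059600001.101 210 10.0.0.12 TCP_MISS/200 5120 GET http://www.google.com/search?q=x jdoe DIRECT/203.0.113.1 text/html
1059600002.202 340 10.0.0.12 TCP_MISS/200 9120 GET http://www.sexparty.tv/index.html jdoe DIRECT/203.0.113.7 text/html
1059600003.303 900 10.0.0.12 TCP_MISS/200 8812000 GET http://users.skynet.be/~somebody/1.mpg jdoe DIRECT/203.0.113.9 video/mpeg
1059600004.404 870 10.0.0.12 TCP_MISS/200 7610000 GET http://users.skynet.be/~somebody/2.mpg jdoe DIRECT/203.0.113.9 video/mpeg
1059600005.505 120 10.0.0.12 TCP_MISS/200 4100 GET http://users.skynet.be/~innocent/index.html jdoe DIRECT/203.0.113.9 text/html
1059600006.606 150 10.0.0.12 TCP_HIT/200 3300 GET http://mail.safe-mail.net/inbox jdoe NONE/- text/html
1059600007.707 130 10.0.0.44 TCP_MISS/200 2200 GET http://www.foxnews.com/ asmith DIRECT/203.0.113.3 text/html
"""


def load_blacklist(files):
    """Parse the lists into (domain -> category, [(url_prefix, category)])."""
    domain_cat = {}
    url_cats = []
    for cat, parts in files.items():
        for line in parts["domains"].splitlines():
            line = line.strip().lower()
            if line and not line.startswith("#"):
                domain_cat[line] = cat
        for line in parts["urls"].splitlines():
            line = line.strip().lower()
            if line and not line.startswith("#"):
                url_cats.append((line, cat))
    # Longest prefixes first so a more specific 'urls' entry wins.
    url_cats.sort(key=lambda p: len(p[0]), reverse=True)
    return domain_cat, url_cats


def categorize(url, domain_cat, url_cats):
    """URL-prefix match first, then the longest matching domain suffix."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = host + (parts.path or "/")
    for prefix, cat in url_cats:
        if target == prefix or target.startswith(prefix.rstrip("/") + "/"):
            return cat
    # Walk suffixes: mail.safe-mail.net -> safe-mail.net -> net
    labels = host.split(".")
    for i in range(len(labels)):
        cat = domain_cat.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"


def parse_squid_line(line):
    """Return {user, client, url} from a native-format line, or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    return {"user": f[7], "client": f[2], "url": f[6]}


def user_report(log_text, user, domain_cat, url_cats):
    """Count one user's requests per category and collect the hosts seen in each."""
    per_cat = Counter()
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None or rec["user"] != user:
            continue
        cat = categorize(rec["url"], domain_cat, url_cats)
        per_cat[cat] += 1
        hosts[cat].add(urlsplit(rec["url"]).hostname)
    return per_cat, hosts


if __name__ == "__main__":
    dc, uc = load_blacklist(BLACKLIST_FILES)
    counts, hosts = user_report(ACCESS_LOG, "jdoe", dc, uc)
    for cat, n in counts.most_common():
        print(f"{cat:14s} {n:4d}  {', '.join(sorted(hosts[cat]))}")
```

Squid logs already carry the hostname the browser asked for, so no resolution step is needed there. If a log holds only destination IPs, a reverse lookup (`socket.gethostbyaddr`) returns whatever PTR record the hosting provider set, which on shared hosting or a CDN is usually not the name the user typed; treat such a category as "rough" in the report, as the original question already does.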
This archive was generated by hypermail 2b30 : Wed Jul 30 2003 - 17:11:50 PDT