Re: Tools to correlate attacks b/w diff. logs

From: Bryan Swann (swannat_private)
Date: Fri Jan 14 2000 - 10:37:16 PST


    This sounds just like the tool called swatch that has been around for
    a while.  It monitors the log files and has several ways to alert an
    administrator when it gets a hit.
    
    "R. DuFresne" wrote:
    > 
    > Abstract
    > 
    > Logcheck is software package that is designed to automatically run and
    > check system log files for security violations and unusual activity.
    > Logcheck utilizes a program called logtail that remembers the last
    > position it read from in a log file and uses this position on subsequent
    > runs to process new information. All source code is available for review
    > and the implementation was kept simple to avoid problems. This package is
    > a clone of the frequentcheck.sh script from the Trusted Information
    > Systems Gauntlet(tm) firewall package. TIS has granted permission for me
    > to clone this package.
    > 
    >                         -- crowlandat_private
    > 
    > http://www.lh.umu.se/%7Ebjorn/mhonarc-files/linux-securitity
    > 
    > Thanks,
    > 
    > Ron DuFresne
    > 
    > On Tue, 11 Jan 2000, Pete Storm wrote:
    > 
    > > Hi all,
    > >
    > > Does anyone know of a tool out there that will allow
    > > me to correlate incidents between several different
    > > logs?  For example, if I see an attempt to pull off a
    > > php exploit on my IDS it stands to reason that I'll
    > > see a similar log entry on my web server.  What I'm
    > > looking for is something that will pull these two
    > > records out of the individual logs and place them in
    > > an "incident" log as a related event.
    > >
    > > The current problem is that we're talking about
    > > hundreds of thousands of log entries.  Suppose I could
    > > Perl it, but I was kinda hoping there might be a
    > > commercial/shareware tool out there already that could
    > > do it so much better than I could.
    > >
    > > thanks,
    > > phs
    > >
    > 
    > --
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >         admin & senior consultant:  darkstar.sysinfo.com
    >                   http://darkstar.sysinfo.com
    > 
    > "Cutting the space budget really restores my faith in humanity.  It
    > eliminates dreams, goals, and ideals and lets us get straight to the
    > business of hate, debauchery, and self-annihilation."
    >                 -- Johnny Hart
    > 
    > testing, only testing, and damn good at it too!
    
    -- 
    - Bryan Swann (swannat_private)  843/974-4825   843/554-0015 (Fax)
    - Eagan McAllister Associates, Inc.
    -
    - I don't suffer from insanity; I rather enjoy it.
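The two ideas in this thread, logtail's remembered read position and the cross-log "incident" record Pete asks for, put together in one added Python example. This is not code from swatch, logcheck or anyone in the thread: the IDS and access-log lines, addresses and signature names are constructed, both logs are assumed to use the same local time zone, and the 60-second window keyed on source address is my choice. Real logtail also detects rotation by inode; this version only approximates that by restarting from the beginning when the file has shrunk.

```python
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from the thread): an IDS alert log and an Apache-style
# access log for the same host, both assumed to be in the same local time zone.
IDS_LOG = """\
2000-01-11 09:14:02 alert src=10.0.0.5 dst=192.0.2.10 sig="php remote include attempt"
2000-01-11 09:20:45 alert src=10.0.0.9 dst=192.0.2.10 sig="portscan"
2000-01-11 09:31:10 alert src=10.0.0.5 dst=192.0.2.10 sig="cgi probe"
"""
WEB_LOG = """\
10.0.0.5 - - [11/Jan/2000:09:14:03 -0800] "GET /index.php?file=http://example.invalid/x HTTP/1.0" 404 210
10.0.0.7 - - [11/Jan/2000:09:15:30 -0800] "GET / HTTP/1.0" 200 1024
10.0.0.5 - - [11/Jan/2000:09:45:00 -0800] "GET /about.html HTTP/1.0" 200 512
"""

IDS_RE = re.compile(r'^(\S+ \S+) alert src=(\S+) dst=\S+ sig="([^"]*)"')
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[(\S+) [^\]]*\] "([^"]*)" (\d{3})')


def parse_ids(line):
    """IDS line -> event dict, or None for lines that are not alerts."""
    m = IDS_RE.match(line)
    if not m:
        return None
    return {"source": "ids", "src": m.group(2), "detail": m.group(3),
            "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")}


def parse_web(line):
    """Access-log line -> event dict; the numeric zone offset is ignored (same zone assumed)."""
    m = WEB_RE.match(line)
    if not m:
        return None
    return {"source": "web", "src": m.group(1), "detail": f"{m.group(3)} -> {m.group(4)}",
            "time": datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")}


def read_new_lines(path, offsets):
    """logtail-style read: resume at the saved byte offset, restart if the file shrank (rotation)."""
    start = offsets.get(path, 0)
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        if f.tell() < start:
            start = 0
        f.seek(start)
        data = f.read()
        offsets[path] = f.tell()
    return data.decode("utf-8", "replace").splitlines()


def correlate(events, window):
    """Pair every IDS alert with non-IDS events from the same source address inside the window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for alert in (e for e in evs if e["source"] == "ids"):
            related = [e for e in evs if e["source"] != "ids"
                       and abs(e["time"] - alert["time"]) <= window]
            if related:
                incidents.append({"src": src, "time": alert["time"],
                                  "alert": alert["detail"], "related": related})
    return incidents


def run_once(log_paths, state, window=timedelta(seconds=60)):
    """One scheduled pass: pull new lines from each log, correlate, report each alert once.

    state keeps per-file offsets, a rolling buffer of events no older than one window
    behind the newest (so a late line from the other log can still match), and the
    set of alerts already reported in earlier runs.
    """
    events = state.setdefault("events", [])
    for path, parser in log_paths.items():
        for line in read_new_lines(path, state.setdefault("offsets", {})):
            ev = parser(line)
            if ev:
                events.append(ev)
    seen = state.setdefault("reported", set())
    fresh = []
    for inc in correlate(events, window):
        key = (inc["src"], inc["time"], inc["alert"])
        if key not in seen:
            seen.add(key)
            fresh.append(inc)
    if events:  # prune the buffer after matching, never before
        newest = max(e["time"] for e in events)
        state["events"] = [e for e in events if newest - e["time"] <= window]
    return fresh


def format_incident(inc):
    """Render one incident as a single line for an 'incident' log."""
    related = "; ".join(f'{e["source"]}:{e["detail"]}' for e in inc["related"])
    return (f'{inc["time"]:%Y-%m-%d %H:%M:%S} incident src={inc["src"]} '
            f'ids="{inc["alert"]}" related=[{related}]')


def demo():
    """Three passes over temp copies of the sample logs: initial, no change, appended alert."""
    tmp = tempfile.mkdtemp()
    ids_path, web_path = os.path.join(tmp, "ids.log"), os.path.join(tmp, "access.log")
    with open(ids_path, "w") as f:
        f.write(IDS_LOG)
    with open(web_path, "w") as f:
        f.write(WEB_LOG)
    logs, state = {ids_path: parse_ids, web_path: parse_web}, {}
    first = run_once(logs, state)    # one incident: the php alert and its 404 one second later
    second = run_once(logs, state)   # nothing new since the saved offsets
    with open(ids_path, "a") as f:   # constructed late alert matching the buffered 09:45:00 hit
        f.write('2000-01-11 09:45:20 alert src=10.0.0.5 dst=192.0.2.10 sig="directory traversal"\n')
    third = run_once(logs, state)
    return first, second, third


if __name__ == "__main__":
    for label, batch in zip(("initial", "no new lines", "after appended alert"), demo()):
        print(f"--- {label}: {len(batch)} incident(s)")
        for inc in batch:
            print(format_incident(inc))
```

Run from cron the way logcheck is, `run_once` reads only what was appended since the last pass, so hundreds of thousands of historical lines are processed once and never again; the 09:31:10 "cgi probe" alert never becomes an incident because its nearest web hit is almost fourteen minutes away, which is the window doing its job rather than a bug.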
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:57:53 PDT