Re: [Fwd: Logfiles]

From: Jose Nazario (joseat_private)
Date: Thu Aug 09 2001 - 22:25:34 PDT


    On Fri, 10 Aug 2001 tcleary2at_private wrote:
    
    > Maybe this is the wrong place to say this, but there is an effort
    > afoot to standardise the output of IDS logs to make them more
    > "transportable" ( the IDWG, a sub-committee of IETF - I believe the
    > proposal is trundling along the road to RFC -dom as we speak )
    
    heh ... i was thinking "CIDF" when i read this, and then i went to get
    some references on it ... and sure enough, the same joke about standards
    applies here. "i love standards, so many to choose from."
    
    <self plug>i wrote a piece, to appear in the Sept, 2001 issue of SysAdmin
    Magazine i think, on using 'awk' as a logfile analysis tool. one gets
    pretty intimate with normal UNIX logging mechanisms when you have to
    codify how you will process them, go cross platform (i covered BSD, Linux,
    IRIX, HPUX and a bit of Solaris), and cover lots of data. i didn't even
    get into any trending which would have been useful ... </plug>
    
    CIDF, CLF, SVR4++ ... just a few. some references (i only pulled Bace's
    "Intrusion Detection" off the shelf and did a few seconds of searching):
    
    CIDF: common intrusion detection format
    http://www.gidos.org/ has a lot of good links and info
    
    IDEF: intrusion detection exchange format
    part of the intrusion detection working group (IETF)
    http://www.ietf.org/html.charters/idwg-charter.html
    	** is IDEF the replacement for CIDF? ISTR that CIDF wasn't
    	   comprehensive enough and a lot of data got lost .. **
    
    CLF: common log format
    we're most familiar with this as an HTTPd log format
    http://weboffice-old.web.cern.ch/WebOffice-Old/Services/WWWlogfiles/CommonLogFormat.html
    
    SVR4++: Common Audit Trail Interchange Format for UNIX
    an older standard? mentioned a bit in this excellent, must read doc:
    http://www.cerias.purdue.edu/homes/rgk/at.html
    
    anyhow, just a few references. i am sure that there are MANY more audit
    trail and system log formats, these are just a few. i think the links
    should help get you around to some others, too.
    
    ____________________________
    jose nazario						     joseat_private
    	      	     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
    				       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
    
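Added example (not part of Jose's post or the list archive): the post mentions CLF and analysing logs with awk, so here is a small POSIX sh/awk script that parses CLF lines the way the format actually requires, by anchoring on the quoted request field rather than naive whitespace splitting (the request contains spaces, and "-" stands in for a missing ident, user or size). The sample lines are constructed for this example, and the function names clf_status_counts and clf_grep_request are my own, not from any tool the post names.

```shell
#!/bin/sh
# Constructed CLF sample (not real traffic). Format per the CERN CLF page:
#   host ident authuser [date] "request" status bytes
# "-" marks an absent field; the last line is deliberately malformed.
CLF_SAMPLE='10.0.0.1 - - [10/Aug/2001:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
10.0.0.1 - frank [10/Aug/2001:13:55:40 -0700] "GET /cgi-bin/test.cgi?x=1 HTTP/1.0" 404 -
192.0.2.7 - - [10/Aug/2001:13:56:01 -0700] "POST /login HTTP/1.0" 302 0
192.0.2.7 - - [10/Aug/2001:13:56:05 -0700] "GET /../../etc/passwd HTTP/1.0" 403 189
malformed line without the expected fields'

# clf_status_counts: read CLF on stdin, print "status count" sorted by status,
# then "UNPARSED n" (lines that did not fit the CLF shape, never silently
# dropped) and "BYTES total" (with "-" sizes counted as 0).
# Caveat: a request containing an escaped quote (\") is not handled here and
# lands in UNPARSED, which is the safe failure mode for an analysis script.
clf_status_counts() {
    awk '
    {
        # Split on the double quotes: q[1] = host/ident/user/[date],
        # q[2] = request line, q[3] = status and size.
        if (split($0, q, "\"") != 3) { unparsed++; next }
        split(q[3], tail, " ")          # " " means default field splitting
        status = tail[1]; size = tail[2]
        if (status !~ /^[0-9][0-9][0-9]$/) { unparsed++; next }
        count[status]++
        bytes += (size == "-" ? 0 : size)
    }
    END {
        for (s in count) printf "%s %d\n", s, count[s] | "sort"
        close("sort")                   # flush sorted counts before the totals
        printf "UNPARSED %d\n", unparsed + 0
        printf "BYTES %d\n", bytes + 0
    }'
}

# clf_grep_request PATTERN: print "host status request" for every CLF line
# whose request field matches the awk regex PATTERN. Matching on the parsed
# request field (not the whole line) avoids false hits on user names or dates.
clf_grep_request() {
    awk -v pat="$1" '
    {
        if (split($0, q, "\"") != 3) next
        split(q[1], head, " "); split(q[3], tail, " ")
        if (q[2] ~ pat) printf "%s %s %s\n", head[1], tail[1], q[2]
    }'
}

# Stand-alone usage: status breakdown, then requests with a ".." path element.
printf '%s\n' "$CLF_SAMPLE" | clf_status_counts
printf '%s\n' "$CLF_SAMPLE" | clf_grep_request '[.][.]/'
```

Pass the pattern as a bracket expression (as in '[.][.]/') rather than with backslashes, because awk's -v performs its own escape processing on the value. On a real server log the same two functions work unchanged on `cat access_log | clf_status_counts`; the UNPARSED count is the first thing to check, since a non-zero value usually means the server is writing a combined or customised format rather than plain CLF.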



    This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 22:32:06 PDT