On Fri, 10 Aug 2001, Tina Bird wrote:

> > Things to look for in your Web server logs:
>
> 'default' may return too much. I usually use it with 'default.ida' and
> 'default.idq'.

To what end? If you want after-the-attempt info, it is pretty easy to match on a more specific string, and even differentiate the two major worms.

If you're trying to detect heretofore unknown attempts (though again, after the fact, and hopefully you're not vulnerable to them), that is the only reason I can see for the general matching. I.e. you want anomaly detection.

What I will do is update SIDS over the weekend, and make a post here, since we now have a very appropriate list. SIDS is a log reduction/anomaly detection tool that presently works with web logs, and hopefully more in the future. I'm looking forward to shamelessly using the list for soliciting feedback and feature requests. :) (All open-source stuff, of course.)

Ryan
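The "match on a more specific string" approach from the exchange above, as an added example that is not part of the thread or of SIDS: it parses constructed Common Log Format lines, flags only .ida/.idq requests rather than anything containing 'default', and labels the two worm variants by the filler character at the start of the query string (that N-versus-X distinction is an assumption of this example, not something the post states).

```python
import re
from collections import Counter
# Constructed sample lines in Common Log Format (not taken from the original post).
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [10/Aug/2001:09:12:01 -0700] "GET /default.ida?' + 'N' * 40 + '%u9090%u6858 HTTP/1.0" 200 0',
    '10.0.0.6 - - [10/Aug/2001:09:13:44 -0700] "GET /default.ida?' + 'X' * 40 + '%u9090%u6858 HTTP/1.0" 404 295',
    '10.0.0.7 - - [10/Aug/2001:09:14:02 -0700] "GET /default.htm HTTP/1.1" 200 1432',
    '10.0.0.8 - - [10/Aug/2001:09:15:10 -0700] "GET /scripts/default.idq?abc HTTP/1.0" 404 0',
    '10.0.0.9 - - [10/Aug/2001:09:16:30 -0700] "GET /index.html HTTP/1.1" 200 512',
])

CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) \S+$'
)
# Any request for an Index Server ISAPI extension (.ida/.idq) is worth a look; the bare word 'default' would also pull in legitimate /default.htm hits.
IDA_RE = re.compile(r'\.id[aq](?:\?|$)', re.IGNORECASE)

def classify(path):
    """Label an .ida/.idq request path, or return None for anything else."""
    if not IDA_RE.search(path):
        return None
    query = path.partition('?')[2]
    # Assumption of this example: the two Code Red variants differ in the filler character (N or X).
    if path.lower().startswith('/default.ida'):
        if query.startswith('N' * 20):
            return 'codered-v1'
        if query.startswith('X' * 20):
            return 'codered-v2'
    return 'ida-idq-probe'

def scan(log_text):
    """Parse CLF lines; return per-label counts and (host, status, label) hits."""
    counts = Counter()
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            counts['unparsed'] += 1
            continue
        label = classify(m.group('path'))
        if label:
            counts[label] += 1
            # Keep the status: a 404 on an .ida request means the mapping is absent, so the attempt went nowhere.
            hits.append((m.group('host'), m.group('status'), label))
    return counts, hits

if __name__ == '__main__':
    print(scan(SAMPLE_LOG)[1])
```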
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 17:21:20 PDT