Do you have a database of "normal RFC" for analysing logs (with logsurfer for me, plz :))

> From: Ganu Skop <skopganuat_private>
> To: loganalysisat_private
> Subject: [logs] what is normal ?
> Date: Mon, 28 Oct 2002 22:28:18 -0800 (PST)
>
> Can I make a conclusion that anything that is not in
> RFC is not normal?
>
> --- Lubomir.Nistorat_private wrote:
> > It is good to know what is normal and what not, but not many users (or
> > "security experts") know that.
> > But such log analysis requires lots of time and research. I very much
> > doubt that there are many companies that have sufficient people for the
> > job who have sufficient time to do research and investigation (if you
> > know of any let me know as I'd like to work for them).
> >
> > Windows is pretty painful for log analysis and from the info in sec
> > eventlog you can't judge if it's an attack or just a misbehavior.
> > Therefore the list is very useful to have, as people don't have to
> > reinvent the wheel and solve the prob much sooner.
> >
> > lubo
> >
> > -----Original Message-----
> > From: Ganu Skop [mailto:skopganuat_private]
> > Sent: Wednesday, 23 October 2002 08:01
> > To: WindexKing; loganalysisat_private
> > Subject: Re: [logs] Fight Back
> >
> > I pretty much depend on looking for what is not normal (!=normal) so
> > that I can define if there is an attack or recon, etc.
> > Isn't it good if someone has something like what is normal and what is
> > not normal?
> >
> > --- WindexKing <WindexKing@mor-lan-d.com> wrote:
> > > > --- Ganu Skop <skopganuat_private> wrote:
> > > > > I really would love to know what tool the
> > > > > intruder used. Any idea?
> > >
> > > I'm interested in something which I think is at least slightly similar.
> > >
> > > I spend a fair bit of time doing OS log analysis, mostly for NT/W2K
> > > servers. One of the things I've been doing is trying to build up a
> > > list of scenarios which cause "attack" patterns within the Sec Logs.
> > >
> > > Although, I'm wondering if such a list is a good idea. I'd appreciate
> > > any feedback from the list about the potential benefits or drawbacks
> > > of such a list.
> > >
> > > W
> > > K
> > >
> > > _______________________________________________
> > > LogAnalysis mailing list
> > > LogAnalysisat_private
> > > http://lists.shmoo.com/mailman/listinfo/loganalysis
>
> =====
> //skopganu

Regards

CETELEM - Unix / Xnet systems team. [2-2329]
Eric Vanborren
20 av. Georges Pompidou - 92595 Levallois Perret - FRANCE
Tel: +33 1.46.39.2329 - e-mail: admxnetat_private
May The OpenSource be with you !
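The "!=normal" approach Ganu describes, as an added example that is not code from the thread: a baseline of syslog message templates is learned from known-good lines, and every later line whose template was never seen in the baseline is flagged for review. The log lines, host name and user names are constructed for this example, not taken from anyone's logs.

```python
import re
from collections import Counter

# Constructed sample lines standing in for a known-good syslog file.
BASELINE_LOGS = """\
Oct 28 22:01:02 host1 sshd[1022]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Oct 28 22:03:17 host1 sshd[1040]: Accepted publickey for bob from 10.0.0.9 port 51100 ssh2
Oct 28 22:05:00 host1 CRON[1101]: (root) CMD (run-parts /etc/cron.hourly)
Oct 28 23:10:44 host1 sshd[1302]: Accepted publickey for alice from 10.0.0.5 port 51310 ssh2
""".splitlines()

# Constructed lines from a later period that we want to check against the baseline.
NEW_LOGS = """\
Oct 29 00:05:00 host1 CRON[1400]: (root) CMD (run-parts /etc/cron.hourly)
Oct 29 00:12:09 host1 sshd[1455]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Oct 29 00:20:31 host1 sshd[1490]: Accepted publickey for bob from 10.0.0.9 port 51400 ssh2
Oct 29 00:25:00 host1 useradd[1510]: new user: name=tmpuser, UID=0, GID=0, home=/home/tmpuser, shell=/bin/bash
""".splitlines()

# "Mon DD HH:MM:SS host program[pid]: message" (the classic BSD syslog line format)
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) ([A-Za-z_-]+)(?:\[\d+\])?: (.*)$")

def template(line):
    """Reduce a syslog line to (program, message template): IP addresses,
    the token after 'for'/'user', and all remaining numbers become placeholders,
    so lines that differ only in those variable fields share one template."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    _host, prog, msg = m.groups()
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", msg)  # IPs before digits
    msg = re.sub(r"\b(for|user) (\S+)", r"\1 <name>", msg)
    msg = re.sub(r"\d+", "<n>", msg)
    return (prog, msg)

def learn_baseline(lines):
    """Count how often each template occurs in the known-good logs."""
    return Counter(t for t in map(template, lines) if t is not None)

def find_abnormal(lines, baseline):
    """Return the lines whose template never occurred in the baseline.
    Lines that do not parse at all are returned too: unparseable is not normal."""
    return [line for line in lines
            if template(line) is None or template(line) not in baseline]

if __name__ == "__main__":
    base = learn_baseline(BASELINE_LOGS)
    for line in find_abnormal(NEW_LOGS, base):
        print("NOT NORMAL:", line)
```

Such a baseline captures what this particular host usually does, which is a narrower notion than what an RFC permits; anything unseen, including brand-new but harmless programs, lands in the flagged list and needs a human decision before it is added to the baseline.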
This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 10:23:44 PST