Re: [logs] what is normal ?

From: Eric Vanborren (eric.vanborrenat_private)
Date: Tue Oct 29 2002 - 10:00:14 PST


    Do you have a database of "normal RFC" for analysing logs
    (with logsurfer for me, please :))
    
    > From: Ganu Skop <skopganuat_private>
    > To: loganalysisat_private
    > Subject: [logs] what is normal ?
    > Date: Mon, 28 Oct 2002 22:28:18 -0800 (PST)
    > 
    > Can I make the conclusion that anything that is not in an
    > RFC is not normal?
    > 
    > 
    > --- Lubomir.Nistorat_private wrote:
    > > It is good to know what is normal and what not, but not many users (or
    > > "security experts") know that. But such log analysis requires lots of
    > > time and research. I very much doubt that there are many companies that
    > > have sufficient people for the job who have sufficient time to do
    > > research and investigation (if you know of any, let me know as I'd like
    > > to work for them).
    > > 
    > > Windows is pretty painful for log analysis, and from the info in the sec
    > > eventlog you can't judge if it's an attack or just a misbehavior.
    > > Therefore the list is very useful to have, as people don't have to
    > > reinvent the wheel and can solve the prob much sooner.
    > > 
    > > 
    > > lubo
    > > 
    > > -----Original Message-----
    > > From: Ganu Skop [mailto:skopganuat_private]
    > > Sent: Wednesday, 23 October 2002 08:01
    > > To: WindexKing; loganalysisat_private
    > > Subject: Re: [logs] Fight Back
    > > 
    > > 
    > > 
    > > I pretty much depend on looking for what is not normal (!= normal) so
    > > that I can define if there is an attack or recon etc.
    > > Wouldn't it be good if someone had something like what is normal and
    > > what is not normal?
    > > 
    > > 
    > > --- WindexKing <WindexKing@mor-lan-d.com> wrote:
    > > > 
    > > > > --- Ganu Skop <skopganuat_private> wrote:
    > > > > > I really would love to know what tool the intruder used. Any idea?
    > > > 
    > > > I'm interested in something which I think is at least slightly
    > > > similar.
    > > > 
    > > > I spend a fair bit of time doing OS log analysis mostly for NT/W2K
    > > > servers. One of the things I've been doing is trying to build up a
    > > > list of scenarios which cause "attack" patterns within the Sec Logs.
    > > > 
    > > > Although, I'm wondering if such a list is a good idea. I'd appreciate
    > > > any feedback from the list about the potential benefits or drawbacks
    > > > of such a list.
    > > > 
    > > > W 
    > > > K
    > 
    > 
    > =====
    > //skopganu
    > 
    
    Regards,
    Eric Vanborren
    CETELEM - Equipe système Unix / Xnet. [2-2329]
    20 av. Georges Pompidou - 92595 Levallois Perret - FRANCE
    Tel: +33 1.46.39.2329 - e-mail: admxnetat_private
    May The OpenSource be with you !
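Eric's question about a database of "normal" for logsurfer and Ganu's "!= normal" approach, as an added Python example that is not code from this thread or from logsurfer: a constructed set of site-specific normal patterns (the host name, user, addresses and messages are all assumed) is applied to constructed syslog lines, the residue is reported for review, and per-pattern hit counts are kept because a normal pattern that stops firing, or fires far more often than usual, is also a signal.

```python
import re
# Constructed "database of normal" for a hypothetical host: messages it emits routinely.
# This is site knowledge, not RFC syntax: an RFC says what a line may look like, not what is usual here.
NORMAL_PATTERNS = [
    r"^\S+ \d+ [\d:]+ \S+ sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.\d+\.\d+ port \d+",
    r"^\S+ \d+ [\d:]+ \S+ CRON\[\d+\]: \(\w+\) CMD \(",
    r"^\S+ \d+ [\d:]+ \S+ sshd\[\d+\]: pam_unix\(sshd:session\): session (opened|closed) for user \w+",
]

# Constructed syslog sample; 203.0.113.9 is a documentation address, not a real host.
SAMPLE_LOG = """\
Oct 29 09:58:01 gw CRON[2101]: (root) CMD (run-parts /etc/cron.hourly)
Oct 29 09:58:14 gw sshd[2130]: Accepted publickey for eric from 10.0.3.7 port 51122 ssh2
Oct 29 09:58:14 gw sshd[2130]: pam_unix(sshd:session): session opened for user eric by (uid=0)
Oct 29 09:59:02 gw sshd[2144]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Oct 29 09:59:03 gw sshd[2144]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Oct 29 10:00:10 gw sshd[2130]: pam_unix(sshd:session): session closed for user eric
Oct 29 10:00:55 gw kernel: Out of memory: Kill process 2210 (httpd) score 900 or sacrifice child
"""

def split_log(text, patterns):
    """Return (residue, hits): residue is every non-empty line matching no normal
    pattern; hits[i] counts how often patterns[i] fired (a drift indicator)."""
    compiled = [re.compile(p) for p in patterns]
    residue, hits = [], [0] * len(compiled)
    for line in text.splitlines():
        if not line.strip():
            continue
        for i, rx in enumerate(compiled):
            if rx.search(line):
                hits[i] += 1
                break
        else:                      # no normal pattern matched: keep for review
            residue.append(line)
    return residue, hits

def collapse(residue):
    """Group residue lines that differ only by timestamp and pid, so a repeated
    event shows once with a count; most frequent first."""
    groups = {}
    for line in residue:
        key = re.sub(r"^\S+ \d+ [\d:]+ ", "", line)   # drop syslog timestamp
        key = re.sub(r"\[\d+\]", "[]", key)           # drop process id
        groups[key] = groups.get(key, 0) + 1
    return sorted(groups.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    residue, hits = split_log(SAMPLE_LOG, NORMAL_PATTERNS)
    for msg, n in collapse(residue):
        print(f"REVIEW x{n}: {msg}")
```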
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 10:23:44 PST