Actually, We had started an internal project on the structure and information contained in the Windows Event Logs. My "web server attack" posting was related to this stuff. We are trying to formalize a listing of all those events that (at least we) think are meaningful and the parameters they have. We intend to use this information than later on in the analysis engine, which can provide better correlation if it is nicely formatted. Of course, when our agents emit an even more structured event record, other analysis can also benefit ;) I will see if we can make the project public, but I think so. As I said, it is currently in its starting stage, so information is very limited. So far more or less pointers to things that we intend to look deeper into... If I can make it public, I'll post the URL over here. Rainer > -----Original Message----- > From: H C [mailto:keydet89at_private] > Sent: Sunday, January 19, 2003 8:18 PM > To: Noah White; 'Eric Fitzgerald'; Rainer Gerhards; > loganalysisat_private > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks > > > Noah, > > Care to share this document you found? It might be > helpful to everyone. > > Thanks, > > Carv > > --- Noah White <nwhiteat_private> wrote: > > > > One suggestion which comes to mind would be to make > > available a full > > accounting of all Windows/Microsoft produced event > > IDs, their sources, what > > they mean etc. > > > > I have found a nice document on the security log and > > security event ids, > > however it has been impossible to find this > > information for other event logs > > (Directory services, File replication, DNS etc). In > particular in the > > case of active directory one is publicly unavailable. > > > > --- > > Noah White > > mailto://<nwhiteat_private> > > SilverBack Technologies Inc. > > http://www.silverbacktech.com > > > > > > > -----Original Message----- > > > From: Eric Fitzgerald > > [mailto:ericfat_private] > > > Sent: Friday, January 17, 2003 3:00 PM > > > To: H C; Rainer Gerhards; > > loganalysisat_private > > > Cc: Tina Bird; Marcus J. Ranum; > > probertsat_private; Ben Laurie > > > Subject: RE: [logs] RE: NT Event Log and Web > > Server Attacks > > > > > > > -----Original Message----- > > > > From: H C [mailto:keydet89at_private] > > > > Sent: Friday, January 17, 2003 11:27 AM > > > > To: Rainer Gerhards; loganalysisat_private > > > > Cc: Tina Bird; Marcus J. Ranum; > > probertsat_private; Ben Laurie; Eric > > > Fitzgerald > > > > Subject: RE: [logs] RE: NT Event Log and Web > > Server Attacks > > > > > > > I just think that due to the obscurity of the > > > > EventLog, particularly on NT and 2K platforms, > > this > > > > can be a bit more trouble than it's worth. > > > > > > I would be very interested in hearing any > > suggestions on how to improve > > > the ability to analyze the Windows security log. > > I've explained why some > > > of the events seem to be "missing" information > > even though the > > > information is really in the log, and Microsoft's > > strategy moving > > > forward, but if you have other suggestions then I > > would be very open to > > > hearing them. > > > > > __________________________________________________ > Do you Yahoo!? > Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 09:50:42 PST