RE: [logs] RE: NT Event Log and Web Server Attacks

From: Rainer Gerhards (rgerhardsat_private)
Date: Mon Jan 20 2003 - 11:49:18 PST


    OK, we can make this publicly available, as it looks. We've put up an
    internal tester, far from being complete or comprehensive. Even the
    database has more or less some event headings plus the indication that
    they are "todo". Anyhow, I post it here so that those out here can tell
    me if they would find this thing useful - provided, of course, that it
    includes more complete and more information at all. The link is:
    
        http://www.monitorware.com/en/events/
    
    The 532 event on top has some more information. Also, envision that
    descriptions like the one that started this thread will probably be
    included.  It is intended to have not only Windows Events. Next on the
    list is Cisco PIX. Others to come and contributors are very welcome ;)
    
    Any feedback is appreciated, but please keep in mind that this is FAR
    from being "production quality".
    
    Rainer
    
    > -----Original Message-----
    > From: Rainer Gerhards 
    > Sent: Monday, January 20, 2003 1:56 PM
    > To: H C; Noah White; Eric Fitzgerald; loganalysisat_private
    > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie
    > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    > 
    > 
    > Actually,
    > 
    > We had started an internal project on the structure and 
    > information contained in the Windows Event Logs. My "web 
    > server attack" posting was related to this stuff. We are 
    > trying to formalize a listing of all those events that (at 
    > least we) think are meaningful and the parameters they have. 
    > We intend to use this information then later on in the 
    > analysis engine, which can provide better correlation if it 
    > is nicely formatted. Of course, when our agents emit an even 
    > more structured event record, other analysis can also benefit ;)
    > 
    > I will see if we can make the project public, but I think so. 
    > As I said, it is currently in its starting stage, so 
    > information is very limited. So far more or less pointers to 
    > things that we intend to look deeper into...
    > 
    > If I can make it public, I'll post the URL over here. 
    > 
    > Rainer
    > 
    > > -----Original Message-----
    > > From: H C [mailto:keydet89at_private]
    > > Sent: Sunday, January 19, 2003 8:18 PM
    > > To: Noah White; 'Eric Fitzgerald'; Rainer Gerhards; 
    > > loganalysisat_private
    > > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie
    > > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    > > 
    > > 
    > > Noah,
    > > 
    > > Care to share this document you found?  It might be
    > > helpful to everyone.
    > > 
    > > Thanks,
    > > 
    > > Carv
    > > 
    > > --- Noah White <nwhiteat_private> wrote:
    > > > 
    > > > One suggestion which comes to mind would be to make available a full
    > > > accounting of all Windows/Microsoft produced event IDs, their sources,
    > > > what they mean etc.
    > > > 
    > > > I have found a nice document on the security log and security event
    > > > ids; however, it has been impossible to find this information for
    > > > other event logs (Directory services, File replication, DNS etc). In
    > > > particular in the case of active directory one is publicly unavailable.
    > > > 
    > > > ---
    > > > Noah White
    > > > mailto://<nwhiteat_private>
    > > > SilverBack Technologies Inc.
    > > > http://www.silverbacktech.com
    > > > 
    > > > 
    > > > > -----Original Message-----
    > > > > From: Eric Fitzgerald [mailto:ericfat_private]
    > > > > Sent: Friday, January 17, 2003 3:00 PM
    > > > > To: H C; Rainer Gerhards; loganalysisat_private
    > > > > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie
    > > > > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    > > > > 
    > > > > > -----Original Message-----
    > > > > > From: H C [mailto:keydet89at_private]
    > > > > > Sent: Friday, January 17, 2003 11:27 AM
    > > > > > To: Rainer Gerhards; loganalysisat_private
    > > > > > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie;
    > > > > > Eric Fitzgerald
    > > > > > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    > > > > 
    > > > > > I just think that due to the obscurity of the EventLog,
    > > > > > particularly on NT and 2K platforms, this can be a bit more
    > > > > > trouble than it's worth.
    > > > > 
    > > > > I would be very interested in hearing any suggestions on how to
    > > > > improve the ability to analyze the Windows security log. I've
    > > > > explained why some of the events seem to be "missing" information
    > > > > even though the information is really in the log, and Microsoft's
    > > > > strategy moving forward, but if you have other suggestions then I
    > > > > would be very open to hearing them.
    > > > 
    > > 
    > > 
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 14:21:45 PST