RE: [logs] RE: NT Event Log and Web Server Attacks

From: Frank O'Dwyer (fodat_private)
Date: Mon Jan 20 2003 - 14:31:43 PST


    Rainer,
    
    Are these codes the same across the various Windows versions, or which
    versions have you investigated?
    
    Cheers,
    Frank.
    
    > -----Original Message-----
    > From: loganalysis-adminat_private
    > [mailto:loganalysis-adminat_private]On Behalf Of Rainer Gerhards
    > Sent: 20 January 2003 19:49
    > To: Rainer Gerhards; H C; Noah White; Eric Fitzgerald;
    > loganalysisat_private
    > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie
    > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    >
    >
    > OK, it looks like we can make this publicly available. We've put up an
    > internal tester, far from being complete or comprehensive. Even the
    > database has more or less some event headings plus the indication that
    > they are "todo". Anyhow, I post it here so that those out here can tell
    > me if they would find this thing useful - provided, of course, that it
    > eventually includes more, and more complete, information. The link is:
    >
    >     http://www.monitorware.com/en/events/
    >
    > The 532 event on top has some more information. Also, envision that
    > descriptions like the one that started this thread will probably be
    > included.  It is intended to include not only Windows events. Next on the
    > list is Cisco PIX. Others to come and contributors are very welcome ;)
    >
    > Any feedback is appreciated, but please keep in mind that this is FAR
    > from being "production quality".
    >
    > Rainer
    >
    > > -----Original Message-----
    > > From: Rainer Gerhards
    > > Sent: Monday, January 20, 2003 1:56 PM
    > > To: H C; Noah White; Eric Fitzgerald; loganalysisat_private
    > > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie
    > > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    > >
    > >
    > > Actually,
    > >
    > > We had started an internal project on the structure and
    > > information contained in the Windows Event Logs. My "web
    > > server attack" posting was related to this stuff. We are
    > > trying to formalize a listing of all those events that (at
    > > least we) think are meaningful and the parameters they have.
    > > We intend to use this information later on in the
    > > analysis engine, which can provide better correlation if it
    > > is nicely formatted. Of course, when our agents emit an even
    > > more structured event record, other analysis can also benefit ;)
    > >
    > > I will see if we can make the project public, but I think so.
    > > As I said, it is currently in its starting stage, so
    > > information is very limited. So far more or less pointers to
    > > things that we intend to look deeper into...
    > >
    > > If I can make it public, I'll post the URL over here.
    > >
    > > Rainer
    > >
    > > > -----Original Message-----
    > > > From: H C [mailto:keydet89at_private]
    > > > Sent: Sunday, January 19, 2003 8:18 PM
    > > > To: Noah White; 'Eric Fitzgerald'; Rainer Gerhards;
    > > > loganalysisat_private
    > > > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie
    > > > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    > > >
    > > >
    > > > Noah,
    > > >
    > > > Care to share this document you found?  It might be
    > > > helpful to everyone.
    > > >
    > > > Thanks,
    > > >
    > > > Carv
    > > >
    > > > --- Noah White <nwhiteat_private> wrote:
    > > > >
    > > > > One suggestion which comes to mind would be to make
    > > > > available a full accounting of all Windows/Microsoft
    > > > > produced event IDs, their sources, what they mean etc.
    > > > >
    > > > > I have found a nice document on the security log and
    > > > > security event IDs, however it has been impossible to find
    > > > > this information for other event logs (Directory services,
    > > > > File replication, DNS etc).  In particular in the case of
    > > > > Active Directory one is publicly unavailable.
    > > > >
    > > > > ---
    > > > > Noah White
    > > > > mailto://<nwhiteat_private>
    > > > > SilverBack Technologies Inc.
    > > > > http://www.silverbacktech.com
    > > > >
    > > > >
    > > > > > -----Original Message-----
    > > > > > From: Eric Fitzgerald [mailto:ericfat_private]
    > > > > > Sent: Friday, January 17, 2003 3:00 PM
    > > > > > To: H C; Rainer Gerhards; loganalysisat_private
    > > > > > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie
    > > > > > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    > > > > >
    > > > > > > -----Original Message-----
    > > > > > > From: H C [mailto:keydet89at_private]
    > > > > > > Sent: Friday, January 17, 2003 11:27 AM
    > > > > > > To: Rainer Gerhards; loganalysisat_private
    > > > > > > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie;
    > > > > > > Eric Fitzgerald
    > > > > > > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
    > > > > >
    > > > > > > I just think that due to the obscurity of the
    > > > > > > EventLog, particularly on NT and 2K platforms, this
    > > > > > > can be a bit more trouble than it's worth.
    > > > > >
    > > > > > I would be very interested in hearing any suggestions on
    > > > > > how to improve the ability to analyze the Windows security
    > > > > > log. I've explained why some of the events seem to be
    > > > > > "missing" information even though the information is
    > > > > > really in the log, and Microsoft's strategy moving forward,
    > > > > > but if you have other suggestions then I would be very
    > > > > > open to hearing them.
    > > > >
    > > >
    > > >
    > > _______________________________________________
    > > LogAnalysis mailing list
    > > LogAnalysisat_private
    > > http://lists.shmoo.com/mailman/listinfo/loganalysis
    > >
    >
    
    
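The design Rainer sketches in the quoted message (a formal listing of the events that matter, with the parameters each one carries, feeding a correlation engine) and Frank's question about whether the codes are the same across Windows versions, worked through as an added example. This is not code from the thread or from the MonitorWare project. The event IDs are the Windows Security log logon events: the pre-Vista numbering (528 successful logon; 529, 531, 532, 539 logon failures for bad password, disabled, expired and locked-out accounts) and the Vista-and-later renumbering, where every logon failure is 4625 and the reason moves into the Status/SubStatus fields. The pipe-delimited export format, the parameter names and their order, the timestamps and the sample records are all constructed for the example; the catalog labels are this example's own, not the native record layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Event catalog: (id family, event id) -> (canonical class, parameter names).
# The ids are the Windows Security log logon events, in the pre-Vista numbering
# (NT 4.0 / 2000 / XP / 2003) and the renumbered Vista-and-later equivalents,
# where every logon failure is 4625 and the reason sits in Status/SubStatus.
# The parameter names and their order describe the constructed agent export
# below, not the native record layout (an assumption of this example).
FAILURE_PARAMS = ["user", "domain", "logon_type", "logon_process",
                  "auth_package", "workstation"]
CATALOG = {
    ("legacy", 528): ("logon_success", ["user", "domain", "logon_id", "logon_type",
                                        "logon_process", "auth_package", "workstation"]),
    ("legacy", 529): ("logon_failure", FAILURE_PARAMS),   # unknown user / bad password
    ("legacy", 531): ("logon_failure", FAILURE_PARAMS),   # account disabled
    ("legacy", 532): ("logon_failure", FAILURE_PARAMS),   # account expired
    ("legacy", 539): ("logon_failure", FAILURE_PARAMS),   # account locked out
    ("modern", 4624): ("logon_success", ["user", "domain", "logon_id", "logon_type",
                                         "workstation"]),
    ("modern", 4625): ("logon_failure", ["user", "domain", "status", "sub_status",
                                         "logon_type", "workstation"]),
}

# Constructed export line: timestamp|family|event id|insertion strings...
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\|(?P<family>legacy|modern)\|"
    r"(?P<id>\d+)\|(?P<strings>.*)$")


def parse_record(line):
    """Turn one export line into a structured record named by the catalog."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    key = (m["family"], int(m["id"]))
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
           "event_id": key[1], "family": key[0]}
    strings = m["strings"].split("|")
    if key not in CATALOG:
        # Unknown event: keep the raw strings so nothing is silently dropped.
        rec.update(event_class="unknown", raw_strings=strings)
        return rec
    event_class, names = CATALOG[key]
    if len(strings) != len(names):
        raise ValueError(f"event {key}: expected {len(names)} strings, got {len(strings)}")
    rec["event_class"] = event_class
    rec.update(zip(names, strings))
    return rec


def correlate_failures(records, window=timedelta(minutes=5), threshold=3):
    """Flag any workstation with >= threshold logon failures inside `window`,
    regardless of which event id (or which Windows version) reported them."""
    by_workstation = defaultdict(list)
    for rec in records:
        if rec["event_class"] == "logon_failure":
            by_workstation[rec["workstation"]].append(rec)
    alerts = []
    for ws, recs in by_workstation.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits = recs[start:end + 1]
                alerts.append({
                    "workstation": ws,
                    "count": len(hits),
                    "accounts": sorted({r["user"] for r in hits}),
                    "event_ids": sorted({r["event_id"] for r in hits}),
                })
                break  # one alert per workstation is enough for this example
    return alerts


# Constructed sample export, not real log data.
SAMPLE_EXPORT = """\
2003-01-20 19:49:01|legacy|529|jsmith|CORP|2|User32|Negotiate|WS-17
2003-01-20 19:49:05|legacy|529|jdoe|CORP|2|User32|Negotiate|WS-17
2003-01-20 19:49:09|legacy|532|contractor1|CORP|2|User32|Negotiate|WS-17
2003-01-20 19:49:20|legacy|528|jsmith|CORP|(0x0,0x3E7B2)|2|User32|Negotiate|WS-03
2003-01-20 19:55:00|legacy|539|admin|CORP|2|User32|Negotiate|WS-17
2003-01-20 20:10:00|modern|4625|svc_backup|CORP|0xC000006D|0xC000006A|3|WS-42
"""


def run_sample():
    records = [parse_record(l) for l in SAMPLE_EXPORT.splitlines() if l.strip()]
    return correlate_failures(records)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The point of the catalog is that the correlation rule never has to know the event numbers: three different failure ids from one workstation in eight seconds collapse into a single `logon_failure` class, and a 4625 from a newer host lands in the same class. Version differences live in one table, which is where Frank's question gets answered rather than in every rule. A record whose string count does not match the catalog raises instead of being mis-labelled, since a silently shifted parameter is worse for analysis than a rejected record.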



    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 15:05:25 PST