Rainer,

Are these codes the same across the various Windows versions, or which
versions have you investigated?

Cheers,
Frank.

> -----Original Message-----
> From: loganalysis-adminat_private
> [mailto:loganalysis-adminat_private]On Behalf Of Rainer Gerhards
> Sent: 20 January 2003 19:49
> To: Rainer Gerhards; H C; Noah White; Eric Fitzgerald;
> loganalysisat_private
> Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie
> Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
>
> OK, we can make this available public as it looks. We've put up an
> internal tester, far from being complete or comprehensive. Even the
> database has more or less some event headings plus the indication that
> they are "todo". Anyhow, I post it here so that those out here can tell
> me if they would find this thing useful - provided the fact, of course,
> that it includes more complete and more information at all. The link is:
>
> http://www.monitorware.com/en/events/
>
> The 532 event on top has some more information. Also, envision that
> descriptions like the one that started this thread will probably be
> included. It is intended to have not only Windows Events. Next on the
> list is Cisco PIX. Others to come and contributors are very welcome ;)
>
> Any feedback is appreciated, but please keep in mind that this is FAR
> from being "production quality".
>
> Rainer
>
> > -----Original Message-----
> > From: Rainer Gerhards
> > Sent: Monday, January 20, 2003 1:56 PM
> > To: H C; Noah White; Eric Fitzgerald; loganalysisat_private
> > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie
> > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
> >
> > Actually,
> >
> > We had started an internal project on the structure and
> > information contained in the Windows Event Logs. My "web
> > server attack" posting was related to this stuff. We are
> > trying to formalize a listing of all those events that (at
> > least we) think are meaningful and the parameters they have.
> > We intend to use this information then later on in the
> > analysis engine, which can provide better correlation if it
> > is nicely formatted. Of course, when our agents emit an even
> > more structured event record, other analysis can also benefit ;)
> >
> > I will see if we can make the project public, but I think so.
> > As I said, it is currently in its starting stage, so
> > information is very limited. So far more or less pointers to
> > things that we intend to look deeper into...
> >
> > If I can make it public, I'll post the URL over here.
> >
> > Rainer
> >
> > > -----Original Message-----
> > > From: H C [mailto:keydet89at_private]
> > > Sent: Sunday, January 19, 2003 8:18 PM
> > > To: Noah White; 'Eric Fitzgerald'; Rainer Gerhards;
> > > loganalysisat_private
> > > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie
> > > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
> > >
> > > Noah,
> > >
> > > Care to share this document you found? It might be
> > > helpful to everyone.
> > >
> > > Thanks,
> > >
> > > Carv
> > >
> > > --- Noah White <nwhiteat_private> wrote:
> > > >
> > > > One suggestion which comes to mind would be to make
> > > > available a full accounting of all Windows/Microsoft produced
> > > > event IDs, their sources, what they mean etc.
> > > >
> > > > I have found a nice document on the security log and
> > > > security event ids, however it has been impossible to find
> > > > this information for other event logs (Directory services,
> > > > File replication, DNS etc). In particular in the case of
> > > > active directory one is publicly unavailable.
> > > >
> > > > ---
> > > > Noah White
> > > > mailto://<nwhiteat_private>
> > > > SilverBack Technologies Inc.
> > > > http://www.silverbacktech.com
> > > >
> > > > > -----Original Message-----
> > > > > From: Eric Fitzgerald [mailto:ericfat_private]
> > > > > Sent: Friday, January 17, 2003 3:00 PM
> > > > > To: H C; Rainer Gerhards; loganalysisat_private
> > > > > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie
> > > > > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: H C [mailto:keydet89at_private]
> > > > > > Sent: Friday, January 17, 2003 11:27 AM
> > > > > > To: Rainer Gerhards; loganalysisat_private
> > > > > > Cc: Tina Bird; Marcus J. Ranum; probertsat_private; Ben Laurie;
> > > > > > Eric Fitzgerald
> > > > > > Subject: RE: [logs] RE: NT Event Log and Web Server Attacks
> > > > > >
> > > > > > I just think that due to the obscurity of the
> > > > > > EventLog, particularly on NT and 2K platforms, this
> > > > > > can be a bit more trouble than it's worth.
> > > > >
> > > > > I would be very interested in hearing any suggestions on how
> > > > > to improve the ability to analyze the Windows security log.
> > > > > I've explained why some of the events seem to be "missing"
> > > > > information even though the information is really in the log,
> > > > > and Microsoft's strategy moving forward, but if you have other
> > > > > suggestions then I would be very open to hearing them.

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
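The "structured event record" idea Rainer describes, as an added example that is not the MonitorWare project's code: a small catalogue mapping an event ID to its reason text and ordered parameter names, a normalizer that turns raw insertion strings into a named record, and a correlation step over the result. The catalogue entries are the NT/2000 security-log logon-failure IDs (532 is the one the thread mentions); the field order, the `CATALOGUE` and `normalize` names, and the sample records are assumptions and constructed data.

```python
"""Structured Windows security-log events for correlation (constructed example)."""
from collections import Counter
from typing import Dict, List, Optional

# Assumed catalogue entry format: event ID -> (reason text, ordered parameter names).
# IDs and reasons are the NT4/2000 logon-failure family; the parameter order follows
# the insertion strings of those event messages (assumption, not taken from the post).
LOGON_FAILURE_PARAMS = ["user", "domain", "logon_type", "logon_process",
                        "auth_package", "workstation"]
CATALOGUE = {
    529: ("Unknown user name or bad password", LOGON_FAILURE_PARAMS),
    531: ("Account currently disabled", LOGON_FAILURE_PARAMS),
    532: ("The specified user account has expired", LOGON_FAILURE_PARAMS),
    539: ("Account locked out", LOGON_FAILURE_PARAMS),
}

def normalize(event_id: int, strings: List[str]) -> Optional[Dict[str, str]]:
    """Turn an event ID plus its raw insertion strings into a named-field record.
    Returns None for IDs the catalogue does not (yet) describe, or when the string
    count does not match, so callers count them as 'todo' instead of mis-parsing."""
    entry = CATALOGUE.get(event_id)
    if entry is None:
        return None
    reason, names = entry
    if len(strings) != len(names):
        return None
    rec = {"event_id": str(event_id), "reason": reason}
    rec.update(zip(names, strings))
    return rec

def failed_logons_by_source(records, threshold: int = 3):
    """Correlate: count catalogued logon failures per (workstation, user) and
    return the pairs at or above the threshold. Uncatalogued (None) records skip."""
    counts = Counter((r["workstation"], r["user"]) for r in records if r)
    return {k: v for k, v in counts.items() if v >= threshold}

# Constructed sample: (event ID, insertion strings) as an agent might emit them.
# 9999 is a deliberately unknown ID to show the 'todo' path.
SAMPLE = [
    (529, ["admin", "CORP", "3", "User32", "Negotiate", "WS17"]),
    (529, ["admin", "CORP", "3", "User32", "Negotiate", "WS17"]),
    (532, ["jdoe", "CORP", "2", "User32", "Negotiate", "WS04"]),
    (529, ["admin", "CORP", "3", "User32", "Negotiate", "WS17"]),
    (9999, ["not catalogued"]),
]

if __name__ == "__main__":
    recs = [normalize(i, s) for i, s in SAMPLE]
    print(failed_logons_by_source(recs))   # {('WS17', 'admin'): 3}
```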
This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 15:05:25 PST