Simple Event Correlator 'sec' will do something along those lines, and Risto is very responsive: http://kodu.neti.ee/~risto/sec/

> -----Original Message-----
> From: Jim Prewett [mailto:downloadat_private]
> Sent: Tuesday, February 18, 2003 1:58 PM
> To: loganalysisat_private
> Subject: [logs] state machines and (automated) log analysis -- any tools?
>
> All,
>
> I'm looking for something that uses state machines (or something similar,
> state machines are my first guess) to aid in log analysis.
>
> I'm thinking of things like the ssh CRC32 attack compensator exploit
> (several years old, but... ) where log event A means nothing unless log
> event B and C are seen as well (which mean nothing without A).
>
> Does anyone have any pointers to tools that look at logs in this way?
>
> Jim
>
> --
> -------------------------------------------------------------------------------
> \x83\xec\x0c\x31\xc0\x31\xd2\x68\x2f\x73\x68\x21\x68\x2f\x62\x69\x6e\x89\xe3
> \x88\x43\x07\x50\x50\x53\x53\xb0\x3b\xcd\x80\x89\xf6 Don't forget FreeBSD!
> -------------------------------------------------------------------------------
> Please avoid sending me Word or PowerPoint attachments.
> See http://www.fsf.org/philosophy/no-word-attachments.html
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysisat_private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
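As an added illustration of the correlation Jim describes (event A is meaningless unless B and C also show up, and vice versa), here is a small state-machine correlator in Python. It is example code written for this page, not SEC and not anything from either poster; the "stage-A/B/C" line format, the 10.0.0.x addresses, the log year and the 60-second window are all constructed assumptions. Per source address it remembers which stages have been seen, expires stages that fall out of the window, and only raises an alert once all three are present.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines for this example (not real sshd output).
# 10.0.0.5 completes all three stages within seconds; 10.0.0.9 sees A and B
# but C arrives minutes later; 10.0.0.7 only ever shows B.
SAMPLE_LOG = """\
Feb 18 13:58:01 gw sshd[4321]: stage-A observed for 10.0.0.5
Feb 18 13:58:02 gw sshd[4321]: stage-B observed for 10.0.0.5
Feb 18 13:58:03 gw sshd[4321]: stage-C observed for 10.0.0.5
Feb 18 13:59:10 gw sshd[4330]: stage-A observed for 10.0.0.9
Feb 18 13:59:11 gw sshd[4330]: stage-B observed for 10.0.0.9
Feb 18 14:05:00 gw sshd[4340]: stage-C observed for 10.0.0.9
Feb 18 14:06:00 gw sshd[4350]: stage-B observed for 10.0.0.7
"""

# Assumed line shape: syslog timestamp, host, sshd[pid], stage marker, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"stage-(?P<stage>[ABC]) observed for (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

REQUIRED = frozenset("ABC")   # all three stages must be seen for one source
WINDOW_SECONDS = 60           # assumed correlation window
LOG_YEAR = 2003               # syslog timestamps carry no year; assumed here


def parse(line):
    """Return (timestamp, src, stage) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m["src"], m["stage"]


def correlate(lines, window=WINDOW_SECONDS):
    """Return [(src, alert_time), ...] for each source whose A, B and C stages
    all appear within `window` seconds of each other, in any order.
    Lone or partial sequences produce no alert."""
    state = defaultdict(dict)   # src -> {stage: time first seen in window}
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue             # unrelated log line
        ts, src, stage = parsed
        seen = state[src]
        # Expire partial state that has aged out of the window.
        stale = [s for s, t in seen.items() if (ts - t).total_seconds() > window]
        for s in stale:
            del seen[s]
        seen.setdefault(stage, ts)
        if REQUIRED.issubset(seen):
            alerts.append((src, ts))
            seen.clear()         # reset so the same triple is reported once
    return alerts


if __name__ == "__main__":
    for src, when in correlate(SAMPLE_LOG.splitlines()):
        print(f"ALERT: stages A, B and C all seen for {src} by {when:%H:%M:%S}")
```

The per-source dictionary is the state machine's memory; expiring entries on each new event is what keeps a stray A from lingering forever and pairing with an unrelated B and C hours later.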
This archive was generated by hypermail 2b30 : Thu Feb 20 2003 - 06:59:09 PST