2003-02-18T14:57:42 Jim Prewett:

> I'm looking for something that uses state machines (or something similar,
> state machines are my first guess) to aid in log analysis.
>
> I'm thinking of things like the ssh CRC32 attack compensator exploit
> (several years old, but... ) where log event A means nothing unless log
> event B and C are seen as well (which mean nothing without A).

It's not explicitly and overtly a state machine, but using state-machine design approaches should be practical with SEC [1,2]. I looked it up at the Loganalysis website [3] library section [4] on Generic Log Parsers [5].

When I say it's not explicitly a state machine, I mean that the configuration isn't directly a specification of states and transitions on inputs. But since you can have pair events, and possible actions to take include generating new events as well as creating contexts enabling other rules, there are various ways you can craft a state machine or set up chains for recognizing more than just two events. Or so I assume from a quick glance at the overview on the main web page.

-Bennett

[1] <URL:http://kodu.neti.ee/~risto/sec/>
[2] <URL:http://simple-evcorr.sourceforge.net/>
[3] <URL:http://www.loganalysis.org/>
[4] <URL:http://www.loganalysis.org/frames/left-navbar-library.html>
[5] <URL:http://www.loganalysis.org/sections/parsing/generic-log-parsers/index.html>
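The correlation Jim describes (event A is only meaningful once B and C have also been seen for the same source, within some time window) is what the "context" and composite-event features Bennett mentions are used for. The following is an added example, not SEC configuration and not code from either poster: a small Python correlator that models the rule as a per-key state machine. Event A opens a context for a key (here a client address pulled from the line), B and C advance that context while it is open, a full set {A,B,C} emits a synthetic composite event, and a context that does not complete within the window expires silently. The log lines, the "stage A/B/C" message format, the 60-second window and the choice that A must come first are all constructed assumptions for illustration; the page's only claim about SEC is that such chains can be built, not how its rules are written.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

WINDOW = 60  # assumed: seconds a context stays open after event A

# Constructed patterns for the three partial indicators. The named group
# "key" ties lines belonging to the same session together; real deployments
# would key on whatever identifies a session in their logs (pid, address...).
PATTERNS = {
    "A": re.compile(r"daemon: stage A from (?P<key>\S+)"),
    "B": re.compile(r"daemon: stage B from (?P<key>\S+)"),
    "C": re.compile(r"daemon: stage C from (?P<key>\S+)"),
}
REQUIRED = frozenset(PATTERNS)  # the set of stages that must all be seen


@dataclass
class Context:
    """State for one key: when A opened it and which stages have been seen."""
    opened_at: int
    seen: Set[str] = field(default_factory=set)


class Correlator:
    """Per-key state machine: A opens a context, B/C advance it,
    {A,B,C} within WINDOW emits a composite event, otherwise it expires."""

    def __init__(self, window: int = WINDOW):
        self.window = window
        self.contexts: Dict[str, Context] = {}
        self.composite: List[Tuple[int, str]] = []  # (ts, synthetic event)
        self.expired: List[Tuple[int, str]] = []    # (ts, key) never completed

    def _expire(self, now: int) -> None:
        # Lines are assumed to arrive in time order, so the current timestamp
        # is the clock used to age out contexts that never completed.
        for key, ctx in list(self.contexts.items()):
            if now - ctx.opened_at > self.window:
                self.expired.append((now, key))
                del self.contexts[key]

    def feed(self, ts: int, line: str) -> Optional[str]:
        """Process one log line; return the composite event text if the
        line completes a chain, else None."""
        self._expire(ts)
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                break
        else:
            return None  # unrelated line: no state change
        key = m.group("key")
        ctx = self.contexts.get(key)
        if ctx is None:
            if name != "A":
                return None  # B or C without an open context means nothing
            ctx = Context(opened_at=ts)
            self.contexts[key] = ctx
        ctx.seen.add(name)
        if ctx.seen == REQUIRED:
            del self.contexts[key]  # chain complete: close the context
            event = f"COMPOSITE: stages A,B,C from {key} within {ts - ctx.opened_at}s"
            self.composite.append((ts, event))
            return event
        return None


# Constructed sample log: (timestamp in seconds, line). Not real daemon output.
SAMPLE_LOG = [
    (100, "host1 daemon: stage A from 203.0.113.5"),
    (105, "host1 daemon: stage B from 203.0.113.5"),
    (110, "host1 cron: unrelated housekeeping run"),
    (112, "host1 daemon: stage C from 203.0.113.5"),   # completes the chain
    (200, "host1 daemon: stage B from 198.51.100.7"),  # B without A: ignored
    (300, "host1 daemon: stage A from 198.51.100.7"),
    (305, "host1 daemon: stage C from 198.51.100.7"),
    (400, "host1 daemon: stage B from 198.51.100.7"),  # context expired first
]


def run(log=SAMPLE_LOG, window: int = WINDOW) -> Correlator:
    """Feed every line through a fresh correlator and return it for inspection."""
    c = Correlator(window)
    for ts, line in log:
        c.feed(ts, line)
    return c


if __name__ == "__main__":
    result = run()
    for ts, event in result.composite:
        print(ts, event)
    for ts, key in result.expired:
        print(ts, "context for", key, "expired without completing")
```

Only the first session produces a composite event; the second one's B arrives with no context and its later A/C pair times out before B, so nothing fires. The same shape generalises to longer chains by extending PATTERNS and REQUIRED, which is the "chains for recognizing more than just two events" Bennett has in mind.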
This archive was generated by hypermail 2b30 : Thu Feb 20 2003 - 07:36:28 PST