Re: [logs] state machines and (automated) log analysis -- any tools?

From: Bennett Todd (betat_private)
Date: Thu Feb 20 2003 - 07:21:14 PST


    2003-02-18T14:57:42 Jim Prewett:
    > I'm looking for something that uses state machines (or something similar,
    > state machines are my first guess) to aid in log analysis.
    > 
    > I'm thinking of things like the ssh CRC32 attack compensator exploit 
    > (several years old, but... ) where log event A means nothing unless log 
    > event B and C are seen as well (which mean nothing without A).
    
    It's not explicitly and overtly a state machine, but using
    state-machine design approaches should be practical with SEC
    [1,2]. I looked it up at the Loganalysis website [3] library section
    [4] on Generic Log Parsers [5].
    
    When I say it's not explicitly a state machine, I mean that the
    configuration isn't directly a specification of states and
    transitions on inputs. But since you can have pair events, and
    possible actions to take include generating new events as well as
    creating contexts enabling other rules, there are various ways you
    can craft a state machine or set up chains for recognizing more than
    just two events.
    
    Or so I assume from a quick glance at the overview on the main web
    page.
    
    -Bennett
    
    [1] <URL:http://kodu.neti.ee/~risto/sec/>
    [2] <URL:http://simple-evcorr.sourceforge.net/>
    [3] <URL:http://www.loganalysis.org/>
    [4] <URL:http://www.loganalysis.org/frames/left-navbar-library.html>
    [5] <URL:http://www.loganalysis.org/sections/parsing/generic-log-parsers/index.html>
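The A-then-B-and-C correlation Jim describes, written as a small Python state machine (an added illustration, not code from the post and not SEC's own rule syntax): event A opens a per-source context, and an alert fires only when B and C both follow from the same source before that context expires. The log line format, the host names and the 60-second window are all constructed for the example.

```python
import re

# Constructed log format (not any real daemon's): "<epoch> <EVENT> src=<host>"
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<ev>[ABC]) src=(?P<src>\S+)$")
WINDOW = 60  # seconds a context opened by event A stays alive

def correlate(lines, window=WINDOW):
    """Return [(src, ts), ...] for every source where A was followed by both
    B and C (in either order) within `window` seconds of A.
    B or C without an open context for their source mean nothing on their own."""
    contexts = {}  # src -> {"opened": ts, "seen": set of events after A}
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # no rule matches this line; ignore it
        ts, ev, src = int(m["ts"]), m["ev"], m["src"]
        ctx = contexts.get(src)
        if ctx is not None and ts - ctx["opened"] > window:
            del contexts[src]  # context expired: state resets to "nothing seen"
            ctx = None
        if ev == "A":
            contexts[src] = {"opened": ts, "seen": set()}  # (re)open context
        elif ctx is not None:
            ctx["seen"].add(ev)
            if ctx["seen"] >= {"B", "C"}:
                alerts.append((src, ts))  # all three pieces observed in order
                del contexts[src]
    return alerts

# Constructed sample: h1 completes the chain, h2 is too slow, h3 is incomplete,
# and a lone B before any A is discarded.
SAMPLE = [
    "100 B src=h1",
    "110 A src=h1",
    "120 C src=h1",
    "130 B src=h1",
    "200 A src=h2",
    "210 B src=h2",
    "300 C src=h2",
    "400 A src=h3",
    "410 B src=h3",
]

if __name__ == "__main__":
    for src, ts in correlate(SAMPLE):
        print(f"alert: A,B,C chain completed from {src} at t={ts}")
```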
    
    
    

    _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis



    This archive was generated by hypermail 2b30 : Thu Feb 20 2003 - 07:36:28 PST