Hi all, Thanks for the feedback provided so far. I have compiled a small list of it and posted it on http://www.monitorware.com/en/workinprogress/eventlog-attack-signatures. asp (long url, make sure it is complete when entered in the browser!) Among the feedback was also a very interesting list of Windows Event IDs. I have used it to boost our event parsing database from around 150 events (mostly security) to 6700+. I have the feeling that this is a close-to-complete list of Windows events that can occur. Find that database at http://www.monitorware.com/en/events/ While broswing the database, you get the idea that there are a number of events in it that might be well worth being looked at in more detail. But I have still a request: I have not yet received any *event log* signatures of a system that actually got hacked. If you have such - or some more clever ideas - I would *deeply* appreciate them. I promise I will make my findings publically available, and I also promise to keep things confidential if I am asked to do so. Many thanks, Rainer Gerhards _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Sat Feb 22 2003 - 13:04:09 PST