RE: [logs] RE: Windows Event Log Attack Signatures

From: Rainer Gerhards (rgerhardsat_private)
Date: Sat Feb 22 2003 - 09:10:25 PST

  • Next message: Rainer Gerhards: "[logs] Configuring Devices for Syslog"

    Hi all,
    Thanks for the feedback provided so far. I have compiled a small list of
    it and posted it on

    (long url, make sure it is complete when entered in the browser!)
    Among the feedback was also a very interesting list of Windows Event
    IDs. I have used it to boost our event parsing database from around 150
    events (mostly security) to 6700+. I have the feeling that this is a
    close-to-complete list of Windows events that can occur. Find that
    database at
    While broswing the database, you get the idea that there are a number of
    events in it that might be well worth being looked at in more detail.
    But I have still a request: I have not yet received any *event log*
    signatures of a system that actually got hacked. If you have such - or
    some more clever ideas - I would *deeply* appreciate them.
    I promise I will make my findings publically available, and I also
    promise to keep things confidential if I am asked to do so.
    Many thanks,
    Rainer Gerhards
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Sat Feb 22 2003 - 13:04:09 PST