RE: [logs] RE: Windows Event Log Attack Signatures

From: Rainer Gerhards (rgerhardsat_private)
Date: Tue Feb 25 2003 - 02:09:48 PST

  • Next message: Kevin W. Gagel: "RE: [logs] RE: Windows Event Log Attack Signatures"

    Hi all,
    I have created a first paper, as promised. It is about Windows
    configuration to track password attacks and other anomalies as well as
    alerting in near-real-time.
    Find it at
    (This is a long URL, ending in ".asp" - most probably your email client
    will break it. To avoid this, please reassmble it and then paste it into
    the browser - I have seen to many 404's ;)).
    > -----Original Message-----
    > From: Rainer Gerhards 
    > Sent: Saturday, February 22, 2003 6:10 PM
    > To: loganalysisat_private
    > Subject: RE: [logs] RE: Windows Event Log Attack Signatures
    > Hi all,
    > Thanks for the feedback provided so far. I have compiled a 
    > small list of it and posted it on
    (long url, make sure it is complete when entered in the browser!)
    Among the feedback was also a very interesting list of Windows Event
    IDs. I have used it to boost our event parsing database from around 150
    events (mostly security) to 6700+. I have the feeling that this is a
    close-to-complete list of Windows events that can occur. Find that
    database at
    While broswing the database, you get the idea that there are a number of
    events in it that might be well worth being looked at in more detail.
    But I have still a request: I have not yet received any *event log*
    signatures of a system that actually got hacked. If you have such - or
    some more clever ideas - I would *deeply* appreciate them.
    I promise I will make my findings publically available, and I also
    promise to keep things confidential if I am asked to do so.
    Many thanks,
    Rainer Gerhards
    LogAnalysis mailing list
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Tue Feb 25 2003 - 12:43:34 PST