RE: [logs] RE: Windows Event Log Attack Signatures

• Previous message: Harry Hoffman: "[logs] WinXP and auto network discovery"
• Next in thread: Kevin W. Gagel: "RE: [logs] RE: Windows Event Log Attack Signatures"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi all,

I have created a first paper, as promised. It is about Windows
configuration to track password attacks and other anomalies as well as
alerting in near-real-time.

Find it at

http://www.monitorware.com/Common/en/Articles/Detecting-Password-Attacks
-Windows.asp

(This is a long URL, ending in ".asp" - most probably your email client
will break it. To avoid this, please reassmble it and then paste it into
the browser - I have seen to many 404's ;)).

Rainer

> -----Original Message-----
> From: Rainer Gerhards 
> Sent: Saturday, February 22, 2003 6:10 PM
> To: loganalysisat_private
> Subject: RE: [logs] RE: Windows Event Log Attack Signatures
> 
> 
> Hi all,
> 
> Thanks for the feedback provided so far. I have compiled a 
> small list of it and posted it on
> 
>  
http://www.monitorware.com/en/workinprogress/eventlog-attack-signatures.
asp

(long url, make sure it is complete when entered in the browser!)

Among the feedback was also a very interesting list of Windows Event
IDs. I have used it to boost our event parsing database from around 150
events (mostly security) to 6700+. I have the feeling that this is a
close-to-complete list of Windows events that can occur. Find that
database at

    http://www.monitorware.com/en/events/

While broswing the database, you get the idea that there are a number of
events in it that might be well worth being looked at in more detail.

But I have still a request: I have not yet received any *event log*
signatures of a system that actually got hacked. If you have such - or
some more clever ideas - I would *deeply* appreciate them.

I promise I will make my findings publically available, and I also
promise to keep things confidential if I am asked to do so.

Many thanks,
Rainer Gerhards

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: Kevin W. Gagel: "RE: [logs] RE: Windows Event Log Attack Signatures"
• Previous message: Harry Hoffman: "[logs] WinXP and auto network discovery"
• Next in thread: Kevin W. Gagel: "RE: [logs] RE: Windows Event Log Attack Signatures"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Feb 25 2003 - 12:43:34 PST