Somewhat off topic here... http://www.cisecurity.com has a security checker that can be run, plus papers to help lock down your systems. I've been working with it and improving/hardening my servers. Not as clear or step by step as Rainer's is, but it's worth investigating.

----- Original Message Follows -----

> Hi all,
>
> I have created a first paper, as promised. It is about
> Windows configuration to track password attacks and other
> anomalies as well as alerting in near-real-time.
>
> Find it at
>
> http://www.monitorware.com/Common/en/Articles/Detecting-Password-Attacks-Windows.asp
>
> (This is a long URL, ending in ".asp" - most probably your
> email client will break it. To avoid this, please
> reassemble it and then paste it into the browser - I have
> seen too many 404's ;)).
>
> Rainer
>
> > -----Original Message-----
> > From: Rainer Gerhards
> > Sent: Saturday, February 22, 2003 6:10 PM
> > To: loganalysisat_private
> > Subject: RE: [logs] RE: Windows Event Log Attack
> > Signatures
> >
> > Hi all,
> >
> > Thanks for the feedback provided so far. I have compiled
> > a small list of it and posted it on
> >
> > http://www.monitorware.com/en/workinprogress/eventlog-attack-signatures.asp
>
> (long url, make sure it is complete when entered in the
> browser!)
>
> Among the feedback was also a very interesting list of
> Windows Event IDs. I have used it to boost our event
> parsing database from around 150 events (mostly security)
> to 6700+. I have the feeling that this is a
> close-to-complete list of Windows events that can occur.
> Find that database at
>
> http://www.monitorware.com/en/events/
>
> While browsing the database, you get the idea that there
> are a number of events in it that might be well worth
> being looked at in more detail.
>
> But I have still a request: I have not yet received any
> *event log* signatures of a system that actually got
> hacked. If you have such - or some more clever ideas - I
> would *deeply* appreciate them.
>
> I promise I will make my findings publicly available,
> and I also promise to keep things confidential if I am
> asked to do so.
>
> Many thanks,
> Rainer Gerhards
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysisat_private
> http://lists.shmoo.com/mailman/listinfo/loganalysis

===========================
Kevin W. Gagel
Network Administrator
College of New Caledonia
gagelat_private
(250) 561-2131 loc 448
--------------------------------
The College of New Caledonia
Visit us at http://www.cnc.bc.ca
--------------------------------
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Tue Feb 25 2003 - 20:28:52 PST