Re: [logs] Log Analysis (of Security Devices)

From: Jose Nazario (joseat_private)
Date: Wed Feb 26 2003 - 06:20:56 PST


On Tue, 25 Feb 2003, Shane Amante wrote:

> I'm curious what algorithms people are using to digest their log files
> in search of patterns, or other "interesting events", specifically as it
> relates to firewall or NIDS devices?

i'm using openbsd's "pf", which logs in a binary format compatible with
pcap (using a different header). i use "aguri" from kenjiro to analyze the
logs. coupled to a bunch of other measurements i make every five minutes i
get interesting views.

aguri: http://www.csl.sony.co.jp/person/kjc/software.html
openbsd aguri port (not yet imported, includes pflog support):
	http://monkey.org/~jose/openbsd/ports/aguri.tar.gz

what winds up popping out are hosts and netblocks that hit me in spikes.
src and dest addresses and blocks, src and dest protocols and ports all
get logged. i graph this information using some of the supplied tools, but
they're easily modified to support other graphing tools.

___________________________
jose nazario, ph.d.			joseat_private
					http://www.monkey.org/~jose/
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
    
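The post describes the kind of view aguri produces from pf logs: per-host counts collapsed into netblocks, taken every five minutes, with the spikes standing out. The following is an added example (not aguri's code, not pf's, and not from the original message) that shows the idea in miniature: a simplified longest-prefix aggregation of source addresses, a comparison of the latest five-minute bucket against earlier ones, and the destination port profile of any prefix that spikes. The flow records are constructed; decoding the pflog pcap-style file into (src, dst, proto, dport) tuples is assumed to have happened already, and the aggregation rule (roll a prefix into its parent until the count reaches a fixed threshold) is a simplification, not aguri's exact algorithm.

```python
"""Prefix aggregation and spike detection over firewall flow records.

Added example: not aguri or pf code.  The records are constructed, not real
pflog output; a pflog-to-tuple decoding step is assumed (hypothetical).
"""
import ipaddress
from collections import Counter, namedtuple
from statistics import mean

Flow = namedtuple("Flow", "src dst proto dport")


def _background():
    """Constructed steady-state traffic present in every interval."""
    return [
        Flow("10.0.0.5", "192.0.2.1", "tcp", 22),
        Flow("10.0.0.9", "192.0.2.1", "tcp", 80),
        Flow("10.0.0.9", "192.0.2.1", "tcp", 80),
    ]


# Four five-minute intervals (constructed); the last carries a burst from a /29.
RECORDS = {i: _background() for i in range(4)}
RECORDS[3] += [Flow(f"198.51.100.{h}", "192.0.2.1", "tcp", 445) for h in range(8)]


def sources(flows):
    """Source addresses of a list of flows."""
    return [f.src for f in flows]


def aggregate_prefixes(addresses, threshold):
    """Collapse per-host counts into the longest prefixes whose count reaches
    `threshold`.  Prefixes below the threshold are rolled into their parent,
    one bit at a time; whatever never reaches it ends up under 0.0.0.0/0.
    (Simplified rule in the spirit of aguri, not its exact algorithm.)"""
    counts = Counter(ipaddress.ip_network(f"{a}/32") for a in addresses)
    for plen in range(32, 0, -1):
        for net in [n for n in counts if n.prefixlen == plen]:
            if counts[net] < threshold:
                counts[net.supernet(1)] += counts.pop(net)
    return {str(n): c for n, c in counts.items()}


def count_in_prefix(addresses, prefix):
    """How many of `addresses` fall inside `prefix`."""
    net = ipaddress.ip_network(prefix)
    return sum(1 for a in addresses if ipaddress.ip_address(a) in net)


def find_spikes(records, threshold=5, factor=3.0):
    """Aggregate the latest interval, then flag prefixes whose count exceeds
    `factor` times their mean count over the earlier intervals (baseline
    floored at 1 so a prefix never seen before still needs real volume)."""
    intervals = sorted(records)
    latest, history = intervals[-1], intervals[:-1]
    current = aggregate_prefixes(sources(records[latest]), threshold)
    spikes = {}
    for prefix, count in current.items():
        baseline = (mean(count_in_prefix(sources(records[i]), prefix) for i in history)
                    if history else 0)
        if count > factor * max(baseline, 1):
            spikes[prefix] = (count, baseline)
    return spikes


def port_profile(flows, prefix):
    """(proto, dport) histogram for flows whose source lies in `prefix`."""
    net = ipaddress.ip_network(prefix)
    return Counter((f.proto, f.dport) for f in flows if ipaddress.ip_address(f.src) in net)


if __name__ == "__main__":
    for prefix, (count, baseline) in find_spikes(RECORDS).items():
        print(f"{prefix}: {count} flows this interval, baseline {baseline:.1f}")
        print("  ports:", dict(port_profile(RECORDS[3], prefix)))
```

Run as a script it reports the constructed burst as `198.51.100.0/29` with eight flows against a baseline of zero, all to tcp/445; the steady background hosts never reach the threshold and sit under `0.0.0.0/0`, which is the same shape of output the post describes graphing over time.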



    This archive was generated by hypermail 2b30 : Wed Feb 26 2003 - 13:36:14 PST