On Tue, 25 Feb 2003, Shane Amante wrote:

> I'm curious what algorithms people are using to digest their log files
> in search of patterns, or other "interesting events", specifically as it
> relates to firewall or NIDS devices?

i'm using openbsd's "pf", which logs in a binary format compatible with pcap (using a different header). i use "aguri" from kenjiro to analyze the logs. coupled to a bunch of other measurements i make every five minutes, i get interesting views.

aguri:
http://www.csl.sony.co.jp/person/kjc/software.html

openbsd aguri port (not yet imported, includes pflog support):
http://monkey.org/~jose/openbsd/ports/aguri.tar.gz

what winds up popping out are hosts and netblocks that hit me in spikes. src and dest addresses and blocks, src and dest protocols and ports all get logged. i graph this information using some of the supplied tools, but they're easily modified to support other graphing tools.

___________________________
jose nazario, ph.d.
joseat_private
http://www.monkey.org/~jose/

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
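As an added illustration of the kind of digest the reply describes (not code from the thread, and not aguri itself): a simplified aguri-style prefix aggregation in Python. It folds per-host byte counts from a constructed set of pf-like log records into the shortest prefixes that still carry a meaningful share of traffic, so a single noisy host and a scan spread across a netblock both surface as distinct entries while background noise collapses into a remainder. The threshold fraction and the sample records are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (source address, bytes) reduced from hypothetical pflog
# records. 203.0.113.7 is one noisy host, 198.51.100.x is a scan spread across
# a /24, the rest is background noise. Not real traffic.
SAMPLE_RECORDS = [
    ("203.0.113.7", 4000), ("203.0.113.7", 6000),
    ("198.51.100.1", 300), ("198.51.100.50", 300), ("198.51.100.130", 300),
    ("198.51.100.200", 300), ("198.51.100.251", 300),
    ("192.0.2.10", 100), ("192.0.2.11", 100), ("192.0.2.12", 100),
    ("10.0.0.5", 50),
]


def aggregate_sources(records, threshold=0.10):
    """Aguri-style aggregation of source addresses.

    Every entry whose byte count is below `threshold` of the total is folded
    into its parent prefix, one bit at a time, until the aggregate crosses the
    threshold (or reaches 0.0.0.0/0, which collects whatever is left).
    Returns [(network, bytes), ...] sorted by bytes, descending.
    """
    total = sum(nbytes for _, nbytes in records)
    limit = total * threshold
    counts = defaultdict(int)
    for addr, nbytes in records:
        counts[ipaddress.ip_network(addr)] += nbytes  # host -> /32 entry

    report = {}
    # Walk from /32 down to /0; entries at each length are either kept
    # (big enough) or their bytes move to the supernet one bit shorter.
    for plen in range(32, -1, -1):
        for net in [n for n in counts if n.prefixlen == plen]:
            nbytes = counts.pop(net)
            if nbytes >= limit or plen == 0:
                report[net] = nbytes
            else:
                counts[net.supernet()] += nbytes
    return sorted(report.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for net, nbytes in aggregate_sources(SAMPLE_RECORDS):
        print(f"{str(net):20s} {nbytes:8d}")
```

With the sample above the report is the noisy /32, the scanned /24 as one block, and a 0.0.0.0/0 remainder holding the background noise.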
This archive was generated by hypermail 2b30 : Wed Feb 26 2003 - 13:36:14 PST