RE: [logs] RE: Windows Event Log Attack Signatures

From: Moyer, Shawn (SMoyerat_private)
Date: Thu Feb 27 2003 - 13:24:37 PST


I'm doing something similar via Psionic's LogSentry and Syslog-NG on a *nix
box, with NTSyslog exporting the event logs from Windows -> Syslog. This has
some disadvantages in that in my current configuration I can't really set a
clipping level; it's more or less all events of a given category that
generate an alert. But, the price is nice. :)=)



--shawn


> -----Original Message-----
> From: Rainer Gerhards [mailto:rgerhardsat_private]
> Sent: Tuesday, February 25, 2003 04:10
> To: loganalysisat_private
> Subject: RE: [logs] RE: Windows Event Log Attack Signatures
> 
> 
> Hi all,
> 
> I have created a first paper, as promised. It is about Windows
> configuration to track password attacks and other anomalies as well as
> alerting in near-real-time.
> 
> Find it at
> 
> http://www.monitorware.com/Common/en/Articles/Detecting-Password-Attacks-Windows.asp
> 
> (This is a long URL, ending in ".asp" - most probably your email client
> will break it. To avoid this, please reassemble it and then paste it into
> the browser - I have seen too many 404's ;)).
> 
> Rainer
> 
> > -----Original Message-----
> > From: Rainer Gerhards 
> > Sent: Saturday, February 22, 2003 6:10 PM
> > To: loganalysisat_private
> > Subject: RE: [logs] RE: Windows Event Log Attack Signatures
> > 
> > 
> > Hi all,
> > 
> > Thanks for the feedback provided so far. I have compiled a 
> > small list of it and posted it on
> > 
> > http://www.monitorware.com/en/workinprogress/eventlog-attack-signatures.asp
> > 
> > (long url, make sure it is complete when entered in the browser!)
> > 
> > Among the feedback was also a very interesting list of Windows Event
> > IDs. I have used it to boost our event parsing database from around 150
> > events (mostly security) to 6700+. I have the feeling that this is a
> > close-to-complete list of Windows events that can occur. Find that
> > database at
> > 
> >     http://www.monitorware.com/en/events/
> > 
> > While browsing the database, you get the idea that there are a number of
> > events in it that might be well worth being looked at in more detail.
> > 
> > But I still have a request: I have not yet received any *event log*
> > signatures of a system that actually got hacked. If you have such - or
> > some more clever ideas - I would *deeply* appreciate them.
> > 
> > I promise I will make my findings publicly available, and I also
> > promise to keep things confidential if I am asked to do so.
> > 
> > Many thanks,
> > Rainer Gerhards

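Shawn's remark that his LogSentry/NTSyslog setup cannot set a clipping level, and Rainer's goal of tracking password attacks in near-real-time, both come down to counting forwarded Windows logon-failure events per account before raising an alert. The Python below is an added example, not code from this thread or from any of the tools named in it; the syslog line layout, the host name dc01, the sample lines and the threshold/window defaults are all constructed assumptions (event IDs 529 and 680 are the Windows 2000/2003 logon-failure IDs).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Event IDs counted as logon failures (Windows 2000/2003 security log).
FAILURE_IDS = {529, 680}
# Assumed line shape; real NTSyslog/syslog-ng output will differ in detail.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) security\[\w+\] "
    r"(?P<eid>\d+) .*?User Name:\s*(?P<user>\S+)")
# Constructed sample input: three quick failures then a success for jsmith,
# one stray failure for mjones, one isolated failure for jsmith 20 minutes later.
SAMPLE_LINES = [
    "Feb 27 13:20:01 dc01 security[failure] 529 Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Workstation Name: WS42",
    "Feb 27 13:20:04 dc01 security[failure] 529 Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Workstation Name: WS42",
    "Feb 27 13:20:06 dc01 security[failure] 529 Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Workstation Name: WS42",
    "Feb 27 13:20:09 dc01 security[success] 528 Successful Logon: User Name: jsmith Logon Type: 2",
    "Feb 27 13:22:30 dc01 security[failure] 529 Logon Failure: Reason: Unknown user name or bad password User Name: mjones Workstation Name: WS07",
    "Feb 27 13:40:00 dc01 security[failure] 529 Logon Failure: Reason: Unknown user name or bad password User Name: jsmith Workstation Name: WS42",
]

def parse(line):
    """Return {'ts', 'host', 'eid', 'user'} for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "host": m["host"], "eid": int(m["eid"]), "user": m["user"]}

def alerts(lines, threshold=3, window_s=300):
    """Alert when one user on one host reaches `threshold` failures inside `window_s`
    seconds; threshold=1 is the 'every event alerts' behaviour, higher is the clipping level."""
    recent = defaultdict(deque)   # (host, user) -> timestamps of recent failures
    out = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["eid"] not in FAILURE_IDS:
            continue
        q = recent[(ev["host"], ev["user"])]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:   # drop stale entries
            q.popleft()
        if len(q) >= threshold:
            out.append((ev["host"], ev["user"], len(q), ev["ts"]))
            q.clear()            # one alert per burst, then start counting again
    return out
```

With the defaults, only the three-failure burst against jsmith produces an alert; with threshold=1 every one of the five failure lines does, which is the behaviour Shawn describes.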
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2b30 : Mon Mar 03 2003 - 21:01:45 PST