I've just released code for a doo-dad I've been playing with for a while called NBS. That stands for "Never Before Seen" Anomaly Detector. Basically, the idea is, if you've never seen something before, it must be an anomaly. :) Duh!

It's just a fast database that keeps track of strings and their occurrence. It lets you get notice when it finds something it's never before seen (hence the name), and you can also dump things with various sorts and orders.

This tool can be incredibly useful - or not - depending on what you do with it. For example, dumping DHCP {server, client, mac} combos into an NBS database can be quite interesting. If you have a web server that doesn't dynamically create URLs, it might be extremely useful for detecting new worms, etc. It's designed to be lightweight and fast enough that you wouldn't have a problem with keeping short-term and long-term databases of the same things if you wanted to (most frequent URLs today, anyone?).

Anyhow, there are a lot of potential applications for it, and I've even actually written some documentation on how it works. :)

http://www.ranum.com/security/computer_security/code

Follow the link for NBS. Building it is not too hard; you need the BSD-DB library from Sleepycat Software and some basic knowledge of how to build C code under UNIX.

As always, I welcome suggestions, bug-fixes, etc.

mjr.

---
Note for those who care: this is free software and is downloadable source. It's not "Open Source"(tm); it is for non-commercial use only (that means you can use it but you can't sell it).

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
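An added illustration of the idea described above, not mjr's NBS code (which is C on top of BSD-DB): a minimal never-before-seen store in Python using the standard dbm module, where each string maps to a count plus first- and last-seen times, observe() reports the first sighting, dump() gives the sorted views, and a constructed sample of web requests is run as a baseline followed by a later batch against the same database. The class and function names (NeverBeforeSeen, scan_requests, demo) and the sample requests are this example's own.

```python
import dbm, json, os, tempfile, time

class NeverBeforeSeen:
    """NBS-style store: string -> {count, first, last}, kept in a dbm file."""

    def __init__(self, path, clock=time.time):
        self.db = dbm.open(path, "c")  # Python's dbm stands in for Berkeley DB
        self.clock = clock

    def observe(self, key):
        """Record one occurrence of key; True means never before seen."""
        now, k = self.clock(), key.encode()
        if k not in self.db:
            self.db[k] = json.dumps({"count": 1, "first": now, "last": now}).encode()
            return True
        rec = json.loads(self.db[k])
        rec["count"] += 1
        rec["last"] = now
        self.db[k] = json.dumps(rec).encode()
        return False

    def dump(self, order="count", reverse=True):
        """(key, record) pairs sorted by 'count', 'first' or 'last' seen."""
        rows = [(k.decode(), json.loads(self.db[k])) for k in self.db.keys()]
        return sorted(rows, key=lambda kv: kv[1][order], reverse=reverse)

    def close(self):
        self.db.close()

def scan_requests(db_path, requests):
    """Feed request strings through the on-disk database; return the new ones."""
    nbs = NeverBeforeSeen(db_path)
    try:
        return [r for r in requests if nbs.observe(r)]
    finally:
        nbs.close()

# Constructed sample input: method + path requests against a static web site.
BASELINE = ["GET /index.html", "GET /about.html", "GET /index.html",
            "GET /images/logo.png", "GET /index.html"]
LATER = ["GET /about.html", "GET /scripts/never-served.dll", "GET /index.html"]

def demo():
    """Build the baseline, then check a later batch against the same database."""
    path = os.path.join(tempfile.mkdtemp(), "nbs-urls")
    baseline_new = scan_requests(path, BASELINE)  # everything is new at first
    later_new = scan_requests(path, LATER)        # only the request unseen so far
    nbs = NeverBeforeSeen(path)
    most_frequent = nbs.dump("count")[0]          # the "most frequent URLs" view
    nbs.close()
    return baseline_new, later_new, most_frequent
```

Because the store persists between calls, the same file can serve as the long-term baseline while a second, periodically discarded file gives the short-term view the post mentions.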
This archive was generated by hypermail 2.1.3 : Tue Aug 31 2004 - 16:08:32 PDT