Re: [logs] NBS

From: Jim Prewett (download@private)
Date: Wed Sep 01 2004 - 13:10:39 PDT


Hi Marcus, 

Congrats on the release!

How do you envision this being used?  I'm struggling with coming up with 
an application.

Is this because of my view that an admin should obsessively document their 
environment in his/her log analysis tool?

I'm really curious as to how you use this tool.

Many thanks,
Jim

On Tue, 31 Aug 2004, Marcus J. Ranum wrote:

> 
> I've just released code for a doo-dad I've been playing with for a while
> called NBS. That stands for "Never Before Seen" Anomaly Detector.
> Basically, the idea is, if you've never seen something before, it must
> be an anomaly. :) Duh!  It's just a fast database that keeps track of
> strings and their occurrence. It lets you get notice when it finds
> something it's never before seen (hence the name) and you can also
> dump things with various sorts and orders.
> 
> This tool can be incredibly useful - or not - depending on what you
> do with it. For example, dumping DHCP {server, client, mac} combos
> into an NBS database can be quite interesting. If you have a web
> server that doesn't dynamically create URLs it might be extremely
> useful for detecting new worms, etc. It's designed to be lightweight
> and fast enough that you wouldn't have a problem with keeping
> short-term and long-term databases of the same things if you
> wanted to (most frequent URLs today anyone?) Anyhow, there's a
> lot of potential applications for it and I've even actually written some
> documentation on how it works. :)
> http://www.ranum.com/security/computer_security/code
> follow the link for NBS. Building it is not too hard; you need the
> BSD-DB library from sleepycat software and some basic
> knowledge of how to build C code under UNIX.
> 
> As always, I welcome suggestions, bug-fixes, etc.
> 
> mjr.
> ---
> Note for those who care: this is free software and is downloadable
> source. It's not "Open Source"(tm); it is for non-commercial use
> only (that means you can use it but you can't sell it) 
> 
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
> 

-- 
James E. Prewett                 "everything that is, that was, was not enough"
Systems Team Leader                                                505.277.8210
Designated Security Officer                download@private Jim@private
HPC Systems Engineer III @ HPC@UNM             OpenPGP key: pub  1024D/31816D93

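The "never before seen" idea Marcus describes above, as an added illustration that is not his NBS code (NBS is written in C on BSD-DB; this sketch uses sqlite3 instead): strings are keyed into a store with first/last sighting and a count, a sighting of an unknown string is reported, and the store can be dumped by frequency or age. The DHCPACK line format and the {server, client, mac} key are constructed for the example.

```python
import re
import sqlite3
import time

# Constructed syslog-style dhcpd lines (not real data); the last one is a
# MAC never seen before being handed an address another host normally gets.
SAMPLE_LINES = [
    "dhcpsrv1 dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 via eth0",
    "dhcpsrv1 dhcpd: DHCPACK on 10.0.0.6 to 00:11:22:33:44:66 via eth0",
    "dhcpsrv1 dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 via eth0",
    "dhcpsrv1 dhcpd: DHCPACK on 10.0.0.5 to de:ad:be:ef:00:01 via eth0",
]

ACK_RE = re.compile(r"^(?P<server>\S+) dhcpd: DHCPACK on (?P<client>\S+) "
                    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})")

def dhcp_key(line):
    """Reduce a DHCPACK line to the {server, client, mac} string that gets tracked."""
    m = ACK_RE.match(line)
    return None if m is None else " ".join(m.group("server", "client", "mac"))

class NbsDb:
    """Keeps every string seen, with first/last sighting and an occurrence count."""
    ORDERS = {"count": "n DESC, s", "newest": "first DESC, s", "oldest": "first ASC, s"}

    def __init__(self, path=":memory:"):  # pass a file path to persist across runs
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS seen "
                        "(s TEXT PRIMARY KEY, first REAL, last REAL, n INTEGER)")

    def observe(self, s, now=None):
        """Record one sighting of s; return True only if s was never seen before."""
        now = time.time() if now is None else now
        if self.db.execute("UPDATE seen SET last=?, n=n+1 WHERE s=?", (now, s)).rowcount:
            return False
        self.db.execute("INSERT INTO seen VALUES (?, ?, ?, ?)", (s, now, now, 1))
        return True

    def dump(self, order="count"):
        """Return (string, count) pairs sorted by count, newest-first or oldest-first."""
        return self.db.execute("SELECT s, n FROM seen ORDER BY " + self.ORDERS[order]).fetchall()

def scan(db, lines):
    """Feed lines through the store; return the keys that were never before seen."""
    return [k for k in map(dhcp_key, lines) if k is not None and db.observe(k)]

if __name__ == "__main__":
    db = NbsDb()
    for key in scan(db, SAMPLE_LINES):
        print("never before seen:", key)
    print("most frequent:", db.dump("count")[0])
```

Running the same lines through a second time reports nothing new, which is the point: only the first sighting of a tuple is noise-free enough to alert on, and a short-term store (a fresh file per day) beside a long-term one gives the "most frequent today" view as well.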



This archive was generated by hypermail 2.1.3 : Wed Sep 01 2004 - 22:57:45 PDT