hi! I got the hint from Richard Westlake on the SUSE security list to write to this list.

I'm currently writing my diploma work about (D)DoS attacks against web servers. I try to detect these attacks based on statistical anomalies of the requests. It looks at the request rate (with an exponential moving average), the period in which a client is active, the time distribution of the requests (chi square), the return status of the web server and the distribution of the URIs hit. Till now it looks pretty promising, but one very important factor is unaccounted for: the cost of a single request! What I'd like to do is calculate a cost for each request, so that requests that charge the CPU more or demand lots of bandwidth have a higher suspicion level.

The whole analysis process is done on the logfile of a web server. To train the system, old logfiles are fed in. After that the system switches to live mode and watches the access logfile (like tail -f) for changes and tries to detect attacks in "real time" (with the possibility to block them via an Apache module or the firewall (time-based rule)).

Now I have a little problem. I didn't find anybody who was able to give me logfiles in Apache combined or common format but with the time which was needed to serve the requests. It would be possible to log this in Apache 2 with the "%D" character.

Now my question: does anybody of you log this time to serve a request and could give me some logfiles? You can anonymize your logfiles with analog (project on SourceForge), but I guess you know this ;-)

thanks
markus

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
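The cost-weighted scoring the post asks about, as an added worked example that is not Markus's code and not part of the original message. It assumes an Apache LogFormat of combined format with `%D` (microseconds to serve the request) appended as the last field, an EMA smoothing factor `ALPHA` of 0.3, a suspicion score defined as the smoothed server-seconds-per-wall-second a client induces, scaled up by its error ratio and by how concentrated its hits are on one URI; all of these are the example's own choices. The log lines are constructed for the example: a browsing client with cheap requests and a second client hammering one expensive search URI once per second.

```python
"""Cost-weighted per-client scoring over Apache combined logs with %D appended.

Assumed LogFormat (not from the post):
  "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %D"
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "[^"]*" (?P<usec>\d+)$'
)

ALPHA = 0.3  # EMA smoothing factor; an assumed value, not from the post


def parse_line(line):
    """Return one parsed record, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    req = m.group("request").split()
    size = m.group("bytes")
    return {
        "host": m.group("host"),
        "ts": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "uri": req[1] if len(req) >= 2 else "",
        "status": int(m.group("status")),
        "bytes": 0 if size == "-" else int(size),  # "%b" logs "-" for no body
        "usec": int(m.group("usec")),
    }


class ClientStats:
    """Running per-client statistics, updated one log line at a time."""

    def __init__(self):
        self.requests = 0
        self.last_ts = None
        self.ema_rate = 0.0  # requests per second, exponentially smoothed
        self.ema_cpu = 0.0   # server seconds spent per wall-clock second, smoothed
        self.errors = 0      # responses with status >= 400
        self.total_usec = 0
        self.total_bytes = 0
        self.uris = Counter()

    def update(self, rec):
        self.requests += 1
        self.total_usec += rec["usec"]
        self.total_bytes += rec["bytes"]
        self.uris[rec["uri"]] += 1
        if rec["status"] >= 400:
            self.errors += 1
        if self.last_ts is not None:
            # Apache timestamps have one-second resolution; clamp dt so that
            # two hits logged in the same second do not divide by zero.
            dt = max((rec["ts"] - self.last_ts).total_seconds(), 0.5)
            self.ema_rate = ALPHA * (1.0 / dt) + (1 - ALPHA) * self.ema_rate
            self.ema_cpu = ALPHA * (rec["usec"] / 1e6 / dt) + (1 - ALPHA) * self.ema_cpu
        self.last_ts = rec["ts"]

    def mean_service_seconds(self):
        return self.total_usec / 1e6 / self.requests

    def error_ratio(self):
        return self.errors / self.requests

    def uri_concentration(self):
        """Share of this client's requests that hit its single most-requested URI."""
        return self.uris.most_common(1)[0][1] / self.requests

    def score(self):
        """Suspicion: induced server load, raised by errors and by hammering one URI."""
        return self.ema_cpu * (1 + self.error_ratio()) * (1 + self.uri_concentration())


def analyse(lines):
    """Feed log lines (training file or tail -f stream) into per-client stats."""
    clients = defaultdict(ClientStats)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            clients[rec["host"]].update(rec)
    return clients


def ranked(clients):
    """Clients ordered from most to least suspicious."""
    return sorted(clients.items(), key=lambda kv: kv[1].score(), reverse=True)


# Constructed sample log lines (not real traffic): 198.51.100.7 browses normally,
# 203.0.113.9 requests one expensive search page every second.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Nov/2004:11:20:01 -0800] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0" 1800
203.0.113.9 - - [17/Nov/2004:11:20:05 -0800] "GET /search?q=a HTTP/1.1" 200 524288 "-" "curl/7.10" 800000
203.0.113.9 - - [17/Nov/2004:11:20:06 -0800] "GET /search?q=a HTTP/1.1" 200 524288 "-" "curl/7.10" 800000
203.0.113.9 - - [17/Nov/2004:11:20:07 -0800] "GET /search?q=a HTTP/1.1" 200 524288 "-" "curl/7.10" 800000
203.0.113.9 - - [17/Nov/2004:11:20:08 -0800] "GET /search?q=a HTTP/1.1" 503 - "-" "curl/7.10" 1200000
198.51.100.7 - - [17/Nov/2004:11:20:11 -0800] "GET /style.css HTTP/1.1" 200 512 "http://example.org/" "Mozilla/5.0" 900
198.51.100.7 - - [17/Nov/2004:11:20:21 -0800] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 1500
""".splitlines()

if __name__ == "__main__":
    for host, st in ranked(analyse(SAMPLE_LOG)):
        print(f"{host:14} req={st.requests} rate={st.ema_rate:.3f}/s "
              f"svc={st.mean_service_seconds():.4f}s err={st.error_ratio():.2f} "
              f"uri={st.uri_concentration():.2f} score={st.score():.4f}")
```

Two things worth noting about the design: the cost signal is the smoothed ratio of `%D` to inter-arrival time, so a client that is slow but rare and a client that is fast but cheap both score low, while a client forcing many expensive responses per second scores high; and the clamp on `dt` matters because `%t` only has one-second resolution, so a flood will produce many lines with identical timestamps.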
This archive was generated by hypermail 2.1.3 : Wed Nov 17 2004 - 11:24:56 PST