[logs] OsAudit v0.1 (log gathering, monitoring and analysis) available.

• Previous message: Yann Berthier: "Re: [logs] sdsc syslog on bsd?"
• Next in thread: Anton A. Chuvakin: "[logs] Bayes - good or bad?"
• Reply: Anton A. Chuvakin: "[logs] Bayes - good or bad?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

OsAudit version 0.1 is available for download.

OsAudit is a complete system for log gathering,
monitoring and analysis. It has two different running
modes: server and client. 

In client mode, OsAudit will read the logs and forward
them (encrypted) to the server station.
In server mode, OsAudit will receive external logs
from the clients or from any other device that can
send remote syslog messages and analyze them.

OsAudit uses (right now) 3 different methods to
analyze the logs.

It begins analyzing the logs against the FTS (first
time seem) database. The FTS is only used for some
specific logs (like sshd connections, su usages, sudo,
snort rules, etc). For example, every time a new user
log in to a system, the FTS will fire.
It will cause some false positives in the beginning,
but after one or two days it will become very usefull
to detect a lot of possible intrusions. The same thing
to snort logs. Most false positives messages will stop
after a few hours and only "new" problems (probably
not false-positives) will be notified.

After the FTS analysis, OsAudit will analyze the logs
against the generated statistics. If for example,
during the Sundays the average number of logs received
between 9pm and 10pm is 500, and during one day it
receive 600, an alert will be generated. OsAudit will
analyze the logs against the average logs for the hour
and for the hour/weekday combination.

The last step in the analysis in the rule matching.
All OsAudit rules are in the XML format and are very
easy to manage. We have more than 60 different rules
matching many common problems. The currently rules can
be viewed in the etc/rules directory.

OsAudit right now can perfectly read and analyze the
following logs: syslog, snort-full, snort-fast,
barnyard dump_log, apache err log and any other log
file that looks like syslog (or are well formated) 

For more information, go to:

http://www.ossec.net/osaudit/
http://osaudit.sourceforge.net
http://sourceforge.net/projects/osaudit/

For comments, suggetions or questions: 
daniel.cid @ (at) gmail.com

Thanks,

Daniel B. Cid, CISSP
daniel.cid @ (at) gmail.com


	
	
		
_______________________________________________________ 
Yahoo! Acesso Grátis - Instale o discador do Yahoo! agora. http://br.acesso.yahoo.com/ - Internet rápida e grátis
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Previous message: Yann Berthier: "Re: [logs] sdsc syslog on bsd?"
• Next in thread: Anton A. Chuvakin: "[logs] Bayes - good or bad?"
• Reply: Anton A. Chuvakin: "[logs] Bayes - good or bad?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Thu Feb 17 2005 - 22:58:44 PST