[logs] logs threshold program

• Previous message: John Kristoff: "[logs] Re: logsurfer ssh rule for attack"
• Next in thread: James Turnbull: "[logs] Re: logs threshold program"
• Reply: James Turnbull: "[logs] Re: logs threshold program"
• Reply: Chris Petersen: "[logs] Re: logs threshold program"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

Can anyone recommend a program that would trigger on thresholds of 
certain types of log messages within a sliding window? For example I 
would like to detect if a user/source IP has attempted 10 or more 
logins within 1 minute.

I am looking into the Simple Event Correlator as a possible solution. 
Does anyone have comments from personal experience working with it?

Kind regards,
Wen(Betty) Liu
NASA Advanced Supercomputing Division
NASA Ames Research Center
M/S 258-5
Moffett Field, CA 94035-1000
(650) 604-4628
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Previous message: John Kristoff: "[logs] Re: logsurfer ssh rule for attack"
• Next in thread: James Turnbull: "[logs] Re: logs threshold program"
• Reply: James Turnbull: "[logs] Re: logs threshold program"
• Reply: Chris Petersen: "[logs] Re: logs threshold program"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Sat Jun 04 2005 - 01:42:52 PDT