Wen Pei (Betty) Liu wrote:
>Hi,
>
>Can anyone recommend a program that would trigger on thresholds of
>certain types of log messages within a sliding window? For example I
>would like to detect if a user/source IP has attempted 10 or more
>logins within 1 minute.
>
>I am looking into the Simple Event Correlator as a possible solution.
>Does anyone have comments from personal experience working with it?
>
>

From experience I'd say SEC is perfect for your requirements. The
SingleWithThreshold rule type from SEC would seem to fit the bill.

Regards

James Turnbull

--
James Turnbull <james@private>
---
Author of Hardening Linux, Apress
(http://www.amazon.com/exec/obidos/tg/detail/-/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
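
A minimal sliding-window threshold detector for the case asked about in the thread (10 or more login attempts per user/source IP within 1 minute), as an added example that is not part of the original messages and is not SEC itself. The sshd-style line format, ISO timestamps, addresses and function names are assumptions, the sample lines are constructed, and input is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <host> sshd[pid]: Failed password for <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def detect(lines, thresh=10, window=60):
    """Return (timestamp, user, ip, count) alerts, one per burst per (user, ip)."""
    span = timedelta(seconds=window)
    recent = defaultdict(deque)   # (user, ip) -> timestamps still inside the window
    muted_until = {}              # (user, ip) -> time before which repeats are suppressed
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not a failed-login line
        ts = datetime.fromisoformat(m["ts"])
        key = (m["user"], m["ip"])
        q = recent[key]
        q.append(ts)
        # Slide the window: drop events that are `window` seconds or more older than this one.
        while ts - q[0] >= span:
            q.popleft()
        if len(q) >= thresh and muted_until.get(key, ts) <= ts:
            alerts.append((ts, key[0], key[1], len(q)))
            muted_until[key] = q[0] + span   # one alert per window, not one per extra event
    return alerts

def sample_log():
    """Constructed lines: a 12-event burst (5 s apart) and a slow source (30 s apart)."""
    t0 = datetime(2005, 6, 4, 7, 40, 0)
    fmt = "{} host sshd[4242]: Failed password for {} from {} port 2200 ssh2"
    burst = [(t0 + timedelta(seconds=5 * i), "root", "203.0.113.5") for i in range(12)]
    slow = [(t0 + timedelta(seconds=30 * i), "admin", "198.51.100.7") for i in range(12)]
    return [fmt.format(ts.isoformat(), u, ip) for ts, u, ip in sorted(burst + slow)]

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The per-key deques are never discarded here; a long-running version would also expire keys that have gone quiet.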
This archive was generated by hypermail 2.1.3 : Sat Jun 04 2005 - 07:49:12 PDT