> Does anyone know of a good site that contains common
> application level attack strings and system responses
> as they commonly occur in Syslog? I understand there
> are many flavors of syslog and net services, but until
> there is a standard, common alert strings to search
> for would be great.

once upon a time *sigh* loganalysis.org was going to be this site. we've alas never gotten a good mechanism in place for assembling either sample logs or signatures/config files/etc for parsing tools...

the best "reference" i've found such as you're describing is the configuration files for logsentry/logcheck (or whatever it's called now). it uses keywords, and the stock config files make a useful beginning.

http://sourceforge.net/projects/sentrytools

> Since we're going through this multi-file log
> analysis without a commercial product, I'd like to
> find some good anomaly detection strings. Then I can
> take the strings and run them against a for loop of
> log files for hits. Who knows, there may be a site
> with service specific strings?
> Web, SMTP, SQL.....?

there are a number of references for web server log messages. i'd *love* to see such a thing for SQL, but that's *tough* - most SQL attacks consist of "allowed" commands being used in bad ways, and don't leave useful traces in the logs. although again i'd love to be proven wrong there...

"Detecting SQL Injection in Oracle"
http://www.securityfocus.com/infocus/1714

Suspicious Web server logs
http://www.armbrustconsulting.com/LogEntries.html

and in general, http://www.loganalysis.org --> click on "Library" --> click on "Message Dictionaries" which is under the "Data Analysis" section.

and *alas* send me broken links, or other useful references you find...

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
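A logcheck-style keyword scan of the kind the question describes (a "violations" pattern file, an "ignore" file for known-benign matches, and a loop over several log files), as an added example that is not part of the original thread; the log lines, both pattern files and the authorized-scanner address 10.0.0.2 are all constructed for it:

```shell
#!/bin/sh
# Added example: keyword scan over several syslog-format files, in the
# style of logcheck/logsentry. All data below is constructed, not real.
WORK=$(mktemp -d)

# Constructed sample logs.
cat > "$WORK/auth.log" <<'EOF'
Feb 21 10:01:02 host sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Feb 21 10:01:09 host sshd[2240]: Failed password for invalid user admin from 10.0.0.9 port 40112 ssh2
Feb 21 10:01:11 host sshd[2240]: Failed password for invalid user admin from 10.0.0.9 port 40113 ssh2
EOF
cat > "$WORK/web.log" <<'EOF'
Feb 21 10:02:00 host httpd: 10.0.0.7 "GET /index.html HTTP/1.1" 200
Feb 21 10:02:03 host httpd: 10.0.0.9 "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404
Feb 21 10:02:04 host httpd: 10.0.0.2 "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404
Feb 21 10:02:05 host httpd: 10.0.0.9 "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.1" 404
EOF

# "violations" file: extended regexes that flag a line, one per line.
cat > "$WORK/violations.re" <<'EOF'
Failed password for invalid user
\.\./\.\./
cmd\.exe
EOF

# "ignore" file: matches to suppress even when a violation fired.
# Here: the internal vulnerability scanner at 10.0.0.2 (assumed authorized).
cat > "$WORK/ignore.re" <<'EOF'
httpd: 10\.0\.0\.2 
EOF

# Print every flagged line, prefixed with its file name, for all logs given.
scan_logs() {
  for f in "$@"; do
    grep -E -f "$WORK/violations.re" "$f" \
      | grep -E -v -f "$WORK/ignore.re" \
      | sed "s|^|$f: |"
  done
}

# Number of flagged lines across the logs given (handy for a summary report).
count_hits() {
  scan_logs "$@" | wc -l | tr -d ' '
}

scan_logs "$WORK/auth.log" "$WORK/web.log"
```

Point the pattern files at a real logcheck distribution's violations/ignore lists to reuse its stock keywords; the ignore file is where tuning against noise from known-benign sources belongs.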
This archive was generated by hypermail 2.1.3 : Wed Feb 22 2006 - 09:45:55 PST