[logs] Re: Need for General Device Alert Strings----for log analysis

From: Greg Dotoli (gldotoli@private)
Date: Mon Mar 13 2006 - 13:20:56 PST


> A Top 500 would be great. Maybe something like AV
> vendors have their top 100 viruses, the top
> signatures by service, Web, DB, Mail, DNS, OSes etc.
>
> Maybe, the most popular attack signatures, that
> get thrown at devices both private and public. The
> public strings holding more weight, maybe 70%
> public, 30% private.
>
> Just a simple text list with no IDS proprietary
> signatures. A quick reference for a script that
> scans any ASCII log file(s).
>
> I appreciate your interest.
>
> Thanks,
> Gregg
>
--- loganalysis-request@private wrote:

> Send LogAnalysis mailing list submissions to
> 	loganalysis@private
> 
> To subscribe or unsubscribe via the World Wide Web,
> visit
> 	http://lists.shmoo.com/mailman/listinfo/loganalysis
> or, via email, send a message with subject or body
> 'help' to
> 	loganalysis-request@private
> 
> You can reach the person managing the list at
> 	loganalysis-owner@private
> 
> When replying, please edit your Subject line so it
> is more specific
> than "Re: Contents of LogAnalysis digest..."
> 
> 
> Today's Topics:
>
>    1. Syslog Alert Strings----Web Site References or Resources? (Greg Dotoli)
>    2. Re: Syslog Alert Strings----Web Site References or Resources? (Anton Chuvakin)
>    3. Re: Syslog Alert Strings----Web Site References or Resources? (Tina Bird)
>    4. Re: Syslog Alert Strings----Web Site References or Resources? (Anton Chuvakin)
>    5. Re: Syslog Alert Strings----Web Site References or Resources? (Daniel Cid)
>    6. Re: Syslog Alert Strings----Web Site References or Resources? (todd glassey)
>    7. Firewall Log Analyzer (Adrian Grigorof)
>    8. logging in IETF draft on "Operational Security Current Practices" (Anton Chuvakin)
>    9. Re: logging in IETF draft on "Operational Security CurrentPractices" (todd glassey)
>   10. FW: [Syslog] WG Review: Recharter of Security Issues in Network Event Logging (syslog) (Rainer Gerhards)
>
>
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 22 Feb 2006 05:03:14 -0800 (PST)
> From: Greg Dotoli <gldotoli@private>
> Subject: [logs] Syslog Alert Strings----Web Site References or Resources?
> To: loganalysis@private
> Message-ID: <20060222130314.69548.qmail@private>
> Content-Type: text/plain; charset=iso-8859-1
> 
> Does anyone know of a good site that contains common
> application level attack strings and system responses
> as they commonly occur in Syslog? I understand there
> are many flavors of syslog and net services, but until
> there is a standard, common alert strings to search
> for would be great.
> 
> Since we're going through this multi-file log
> analysis without a commercial product, I'd like to
> find some good anomaly detection strings. Then I can
> take the strings and run them against a for loop of
> log files for hits. Who knows, there may be a site
> with service specific strings?
> Web, SMTP, SQL.....?
> 
> Thanks,
> Gregg
> 
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 22 Feb 2006 12:40:26 -0500
> From: "Anton Chuvakin" <anton@private>
> Subject: [logs] Re: Syslog Alert Strings----Web Site References or Resources?
> To: loganalysis@private
> Message-ID: <b2591e2e0602220940r2c25fa6bk547f96c27be22bc7@private>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> On 2/22/06, Greg Dotoli <gldotoli@private> wrote:
> > Does anyone know of a good site that contains common
> > application level attack strings and system responses
> > as they commonly occur in Syslog?
> 
> Just curious, how big of a list you are looking for
> (and can handle)?
> Is it 'top 10' or 'top 500,000' that you are looking
> for?
> 
> --
> Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
>      http://www.chuvakin.org
> http://www.securitywarrior.com
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Wed, 22 Feb 2006 09:42:06 -0800
> From: "Tina Bird" <tbird@precision-guesswork.com>
> Subject: [logs] Re: Syslog Alert Strings----Web Site References or Resources?
> To: "'Greg Dotoli'" <gldotoli@private>,
> 	<loganalysis@private>
> Message-ID:
> <021001c637d7$4d06b7a0$6501a8c0@lindesfarne>
> Content-Type: text/plain;	charset="US-ASCII"
> 
> 
> > Does anyone know of a good site that contains common
> > application level attack strings and system responses
> > as they commonly occur in Syslog? I understand there
> > are many flavors of syslog and net services, but until
> > there is a standard, common alert strings to search
> > for would be great.
> 
> once upon a time *sigh* loganalysis.org was going to be this site.
> we've alas never gotten a good mechanism in place for assembling
> either sample logs or signatures/config files/etc for parsing tools...
>
> the best "reference" i've found such as you're describing is the
> configuration files for logsentry/logcheck (or whatever it's called
> now). it uses keywords, and the stock config files make a useful
> beginning.
> 
> http://sourceforge.net/projects/sentrytools
> 
> > Since we're going through this multi-file log
> > analysis without a commercial product, I'd like to
> > find some good anomaly detection strings. Then I can
> > take the strings and run them against a for loop of
> > log files for hits. Who knows, there may be a site
> > with service specific strings?
> > Web, SMTP, SQL.....?
> 
> there are a number of references for web server log messages. i'd
> *love* to see such a thing for SQL, but that's *tough* - most SQL
> attacks consist of "allowed" commands being used in bad ways, and
> don't leave useful traces in the logs. although again i'd love to be
> proven wrong there...
> 
> "Detecting SQL Injection in Oracle"
> http://www.securityfocus.com/infocus/1714
> 
> Suspicious Web server logs
> http://www.armbrustconsulting.com/LogEntries.html
> 
> and in general, http://www.loganalysis.org --> click on "Library" -->
> click on "Message Dictionaries" which is under the "Data Analysis"
> section.
>
> and *alas* send me broken links, or other useful references you find...
> 
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Wed, 22 Feb 2006 13:26:00 -0500
> 
=== message truncated ===

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
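The scan Gregg describes (a plain text list of strings, no IDS syntax, run through a for loop over any ASCII log files) combined with the logcheck/logsentry idea Tina Bird points to (a keyword list plus an ignore list for known noise), as an added example. This is not code from the thread, from loganalysis.org or from the logcheck project; it assumes POSIX sh with a grep that supports -H, and every alert string, ignore string and log line in it is constructed sample data for the demo.

```shell
#!/bin/sh
# Added example, not from the LogAnalysis thread: a logcheck-style keyword scan.
# One plain-text list of alert strings (no IDS-specific syntax), one optional
# ignore list for known noise, and a for loop over any ASCII log files.
# Every file written below is constructed sample data for this demo.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed alert list: one fixed string per line, matched case-insensitively.
cat > "$WORKDIR/alerts.txt" <<'EOF'
authentication failure
Invalid user
refused connect
segfault
EOF

# Constructed ignore list: hits containing any of these strings are dropped.
# Here 10.0.0.5 stands in for an internal monitoring host whose probes are expected.
cat > "$WORKDIR/ignore.txt" <<'EOF'
from 10.0.0.5
EOF

# Constructed syslog samples (documentation addresses, made-up PIDs).
cat > "$WORKDIR/auth.log" <<'EOF'
Mar 13 13:20:01 host1 sshd[2201]: Invalid user admin from 192.0.2.10
Mar 13 13:20:03 host1 sshd[2201]: pam_unix(sshd:auth): authentication failure; logname= uid=0
Mar 13 13:21:00 host1 CRON[2300]: pam_unix(cron:session): session opened for user root
EOF
cat > "$WORKDIR/messages" <<'EOF'
Mar 13 13:22:10 host1 kernel: httpd[3100]: segfault at 0 error 4
Mar 13 13:22:15 host1 tcpd[3200]: refused connect from 198.51.100.7
Mar 13 13:23:30 host1 tcpd[3210]: refused connect from 10.0.0.5
Mar 13 13:24:00 host1 kernel: eth0: link up
EOF

# scan_logs ALERTS IGNORE FILE...
# Prints every surviving hit as FILE:LINENO:TEXT.
# Returns 0 if anything matched in any file, 1 otherwise.
scan_logs() {
    alerts=$1
    ignore=$2
    shift 2
    status=1
    for f in "$@"; do
        [ -r "$f" ] || continue
        # -F: fixed strings, so a list entry with regex metacharacters cannot misfire;
        # -i: case-insensitive; -H/-n: prefix each hit with file name and line number.
        # "|| true" keeps a file with zero hits from aborting the loop under "set -e".
        hits=$(grep -F -i -n -H -f "$alerts" "$f" || true)
        if [ -n "$hits" ] && [ -s "$ignore" ]; then
            # Drop hits that match the ignore list (logcheck's "ignore" file idea).
            hits=$(printf '%s\n' "$hits" | grep -F -v -f "$ignore" || true)
        fi
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            status=0
        fi
    done
    return $status
}

# count_hits ALERTS IGNORE FILE...  ->  number of surviving hits
count_hits() {
    scan_logs "$@" | wc -l | tr -d ' '
}

# Demo run over the constructed files: 4 hits; the 10.0.0.5 line is matched
# by the alert list and then removed by the ignore list.
scan_logs "$WORKDIR/alerts.txt" "$WORKDIR/ignore.txt" "$WORKDIR/auth.log" "$WORKDIR/messages"
```

The ignore list is what keeps a plain keyword scan usable: "refused connect" from a known internal monitor would otherwise appear in every run, and that noise is what makes people stop reading the output. Two caveats follow from the thread itself: the list only finds what the application chose to log in the first place (Tina's point about SQL, where the abuse consists of allowed commands), and fixed-string matching on an unstructured ignore entry such as "from 10.0.0.5" also suppresses "from 10.0.0.50", so ignore entries should be as specific as the log format allows.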



This archive was generated by hypermail 2.1.3 : Mon Mar 13 2006 - 22:40:29 PST