> A Top 500 would be great. Maybe something like AV vendors have their top
> 100 viruses, the top signatures by service, Web, DB, Mail, DNS, OSes etc.
> Maybe the most popular attack signatures that get thrown at devices both
> private and public. The public strings holding more weight, maybe 70%
> public, 30% private.
>
> Just a simple text list with no IDS proprietary signatures. A quick
> reference for a script that scans any ASCII log file(s).
>
> I appreciate your interest.
>
> Thanks,
> Gregg

--- loganalysis-request@private wrote:

> Send LogAnalysis mailing list submissions to
>         loganalysis@private
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.shmoo.com/mailman/listinfo/loganalysis
> or, via email, send a message with subject or body 'help' to
>         loganalysis-request@private
>
> You can reach the person managing the list at
>         loganalysis-owner@private
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of LogAnalysis digest..."
>
>
> Today's Topics:
>
>    1. Syslog Alert Strings----Web Site References or Resources? (Greg Dotoli)
>    2. Re: Syslog Alert Strings----Web Site References or Resources? (Anton Chuvakin)
>    3. Re: Syslog Alert Strings----Web Site References or Resources? (Tina Bird)
>    4. Re: Syslog Alert Strings----Web Site References or Resources? (Anton Chuvakin)
>    5. Re: Syslog Alert Strings----Web Site References or Resources? (Daniel Cid)
>    6. Re: Syslog Alert Strings----Web Site References or Resources? (todd glassey)
>    7. Firewall Log Analyzer (Adrian Grigorof)
>    8. logging in IETF draft on "Operational Security Current Practices" (Anton Chuvakin)
>    9. Re: logging in IETF draft on "Operational Security Current Practices" (todd glassey)
>   10. FW: [Syslog] WG Review: Recharter of Security Issues in Network Event Logging (syslog) (Rainer Gerhards)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 22 Feb 2006 05:03:14 -0800 (PST)
> From: Greg Dotoli <gldotoli@private>
> Subject: [logs] Syslog Alert Strings----Web Site References or Resources?
> To: loganalysis@private
> Message-ID: <20060222130314.69548.qmail@private>
> Content-Type: text/plain; charset=iso-8859-1
>
> Does anyone know of a good site that contains common application level
> attack strings and system responses as they commonly occur in Syslog? I
> understand there are many flavors of syslog and net services, but until
> there is a standard, common alert strings to search for would be great.
>
> Since we're going through this multi-file log analysis without a
> commercial product, I'd like to find some good anomaly detection strings.
> Then I can take the strings and run them against a for loop of log files
> for hits. Who knows, there may be a site with service specific strings?
> Web, SMTP, SQL.....?
>
> Thanks,
> Gregg
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 22 Feb 2006 12:40:26 -0500
> From: "Anton Chuvakin" <anton@private>
> Subject: [logs] Re: Syslog Alert Strings----Web Site References or Resources?
> To: loganalysis@private
> Message-ID: <b2591e2e0602220940r2c25fa6bk547f96c27be22bc7@private>
> Content-Type: text/plain; charset=ISO-8859-1
>
> On 2/22/06, Greg Dotoli <gldotoli@private> wrote:
> > Does anyone know of a good site that contains common
> > application level attack strings and system responses
> > as they commonly occur in Syslog?
>
> Just curious, how big of a list you are looking for (and can handle)?
> Is it 'top 10' or 'top 500,000' that you are looking for?
>
> --
> Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
> http://www.chuvakin.org
> http://www.securitywarrior.com
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 22 Feb 2006 09:42:06 -0800
> From: "Tina Bird" <tbird@precision-guesswork.com>
> Subject: [logs] Re: Syslog Alert Strings----Web Site References or Resources?
> To: "'Greg Dotoli'" <gldotoli@private>, <loganalysis@private>
> Message-ID: <021001c637d7$4d06b7a0$6501a8c0@lindesfarne>
> Content-Type: text/plain; charset="US-ASCII"
>
> > Does anyone know of a good site that contains common
> > application level attack strings and system responses
> > as they commonly occur in Syslog? I understand there
> > are many flavors of syslog and net services, but until
> > there is a standard, common alert strings to search
> > for would be great.
>
> once upon a time *sigh* loganalysis.org was going to be this site. we've
> alas never gotten a good mechanism in place for assembling either sample
> logs or signatures/config files/etc for parsing tools...
>
> the best "reference" i've found such as you're describing is the
> configuration files for logsentry/logcheck (or whatever it's called now).
> it uses keywords, and the stock config files make a useful beginning.
>
> http://sourceforge.net/projects/sentrytools
>
> > Since we're going through this multi-file log
> > analysis without a commercial product, I'd like to
> > find some good anomaly detection strings. Then I can
> > take the strings and run them against a for loop of
> > log files for hits. Who knows, there may be a site
> > with service specific strings?
> > Web, SMTP, SQL.....?
>
> there are a number of references for web server log messages. i'd *love*
> to see such a thing for SQL, but that's *tough* - most SQL attacks consist
> of "allowed" commands being used in bad ways, and don't leave useful
> traces in the logs. although again i'd love to be proven wrong there...
>
> "Detecting SQL Injection in Oracle"
> http://www.securityfocus.com/infocus/1714
>
> Suspicious Web server logs
> http://www.armbrustconsulting.com/LogEntries.html
>
> and in general, http://www.loganalysis.org --> click on "Library" -->
> click on "Message Dictionaries" which is under the "Data Analysis"
> section.
>
> and *alas* send me broken links, or other useful references you find...
>
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 22 Feb 2006 13:26:00 -0500
>
=== message truncated ===

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
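An added example, not code from the thread or from logcheck: a small Python scanner of the kind Gregg describes, a plain-text list of alert strings run over every line of one or more ASCII log files, with a logcheck-style ignore list so a known-benign line does not fire. The alert strings, the ignore entry, the file names and the log lines are all constructed samples; scan_lines takes any iterable of lines, so an open file handle works the same way as the lists here.

```python
# Added example, not code from the thread: a logcheck-style scanner of the
# kind Gregg describes, run over ASCII log lines with an ignore list.
import re
from typing import Iterable, List, Tuple
# Constructed alert list, one regex per line, '#' comments allowed. A real
# list would start from the stock logcheck/logsentry keyword files.
ALERT_STRINGS = r"""
# auth
Failed password
# web server probes as they show up in access logs
/etc/passwd
"""
# Constructed ignore list: a matching line is suppressed even if it also
# matches an alert (logcheck "ignore" semantics), here a known scanner host.
IGNORE_STRINGS = r"Failed password for .* from 10\.0\.0\.5 port"
Hit = Tuple[str, int, str, str]  # (file, line number, pattern, log line)

def compile_patterns(text: str) -> list:
    """Drop blank lines and comments; compile the rest case-insensitively."""
    rows = [r.strip() for r in text.splitlines()]
    return [re.compile(r, re.IGNORECASE) for r in rows if r and not r.startswith("#")]

def scan_lines(name: str, lines: Iterable[str], alerts, ignores) -> List[Hit]:
    """Return one hit per line that matches an alert and no ignore pattern."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        if any(p.search(line) for p in ignores):
            continue
        for p in alerts:
            if p.search(line):
                hits.append((name, n, p.pattern, line))
                break  # first matching alert wins; one hit per line
    return hits

# Constructed sample log lines standing in for two files (not real traffic).
SAMPLE_LOGS = {"auth.log": [
    "Feb 22 05:03:14 host sshd[811]: Failed password for root from 192.0.2.7 port 4022 ssh2",
    "Feb 22 05:03:20 host sshd[812]: Failed password for admin from 10.0.0.5 port 4101 ssh2",
    "Feb 22 05:04:01 host sshd[813]: Accepted publickey for gregg from 192.0.2.9 port 4120 ssh2",
], "access.log": [
    '192.0.2.7 - - [22/Feb/2006:05:05:02 -0800] "GET /cgi-bin/view?f=../../etc/passwd HTTP/1.0" 404 287',
    '192.0.2.9 - - [22/Feb/2006:05:05:09 -0800] "GET /index.html HTTP/1.1" 200 1204',
]}

def demo() -> List[Hit]:
    """The 'for loop of log files' over the samples: 2 hits, the 10.0.0.5 line ignored."""
    alerts, ignores = compile_patterns(ALERT_STRINGS), compile_patterns(IGNORE_STRINGS)
    return [h for f, rows in SAMPLE_LOGS.items() for h in scan_lines(f, rows, alerts, ignores)]
```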
This archive was generated by hypermail 2.1.3 : Mon Mar 13 2006 - 22:40:29 PST