Re: searching logs for key phrases

Tracy R. Reed (treed@straylight.ultraviolet.org)
Wed, 27 Nov 1996 15:37:41 -0800 (PST)

On Tue, 26 Nov 1996, Mike Kienenberger wrote:

> What key phrases do people scan log files for?

logcheck searches for these keywords as signs of hacking:

"wiz"
"WIZ"
"debug"
"DEBUG"
ATTACK
nested
VRFY bbs
VRFY decode
VRFY uudecode
VRFY lp
VRFY demo
VRFY guest

and these keywords as signs of general suspicious activity or
misconfigurations:

deny
deny host
su:
su root
ROOT LOGIN
alias database
LOGIN FAILURE
LOGIN REFUSED
shutdown
wiz
WIZ
debug
DEBUG
smrsh
failed
denied
vrfy
VRFY
expn
EXPN
reject
admin
rshd
FAILURE
REFUSED
BAD
permitted
PERMITTED
rexec
illegal
ILLEGAL
courtney
ATTACK
natas
SATAN
setsender
securityalert
nested
sucked
-ERR Password
!=
SITE EXEC
RETR group
RETR passwd
RETR pwd.db
CWD etc

----------
Tracy Reed
http://www.ultraviolet.org
http://www.linux.org - Escape the Gates of Hell
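The two keyword tiers quoted in the post, run as detection logic over a few constructed syslog lines. This is an added example for this archive page, not logcheck's own code (logcheck itself is a shell script driving grep against keyword files); the keyword lists are copied from the post as given, the log lines are made up here, and the function names are the example's own.

```python
"""Two-tier keyword log scanner in the spirit of the logcheck lists above.

Added example, not logcheck's own implementation.  Keyword lists are taken
verbatim from the post; sample log lines are constructed for illustration.
"""

# Tier 1: "signs of hacking".  The entries the post shows in double quotes
# are kept as the bare words.  Matching is case-sensitive, as in the original
# lists, which is why both "wiz" and "WIZ" appear.
ATTACK_KEYWORDS = [
    "wiz", "WIZ", "debug", "DEBUG", "ATTACK", "nested",
    "VRFY bbs", "VRFY decode", "VRFY uudecode", "VRFY lp",
    "VRFY demo", "VRFY guest",
]

# Tier 2: "general suspicious activity or misconfigurations".
SUSPICIOUS_KEYWORDS = [
    "deny", "deny host", "su:", "su root", "ROOT LOGIN", "alias database",
    "LOGIN FAILURE", "LOGIN REFUSED", "shutdown", "wiz", "WIZ", "debug",
    "DEBUG", "smrsh", "failed", "denied", "vrfy", "VRFY", "expn", "EXPN",
    "reject", "admin", "rshd", "FAILURE", "REFUSED", "BAD", "permitted",
    "PERMITTED", "rexec", "illegal", "ILLEGAL", "courtney", "ATTACK",
    "natas", "SATAN", "setsender", "securityalert", "nested", "sucked",
    "-ERR Password", "!=", "SITE EXEC", "RETR group", "RETR passwd",
    "RETR pwd.db", "CWD etc",
]


def classify_line(line):
    """Return ("attack", hits) if any tier-1 keyword is a substring of the
    line, else ("suspicious", hits) for tier 2, else None.

    Plain substring matching, as grep without -w would do: "admin" also hits
    "administrator" and "su:" would hit "sudo:" lines, which is the noise a
    keyword-only scanner has to live with.  A line is reported once, at the
    highest tier that matches; hits are listed in keyword-list order.
    """
    hits = [k for k in ATTACK_KEYWORDS if k in line]
    if hits:
        return ("attack", hits)
    hits = [k for k in SUSPICIOUS_KEYWORDS if k in line]
    if hits:
        return ("suspicious", hits)
    return None


def scan(lines):
    """Scan an iterable of log lines; return {"attack": [...], "suspicious": [...]}
    where each entry is (line, hits)."""
    report = {"attack": [], "suspicious": []}
    for raw in lines:
        line = raw.rstrip("\n")
        result = classify_line(line)
        if result:
            tier, hits = result
            report[tier].append((line, hits))
    return report


# Constructed sample log lines (not real logs), imitating 1996-era syslog.
SAMPLE_LOG = [
    "Nov 27 14:02:11 host sendmail[1234]: NOQUEUE: [192.0.2.9]: VRFY decode",
    "Nov 27 14:03:45 host login: ROOT LOGIN REFUSED ON TTY1",
    "Nov 27 14:05:02 host ftpd[2345]: RETR passwd",
    "Nov 27 14:06:30 host sendmail[1250]: NOQUEUE: [192.0.2.10]: EXPN root",
    "Nov 27 14:07:00 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "Nov 27 14:08:12 host su: bob to root on /dev/ttyp1",
    # Benign line that still trips the "admin" keyword: a false positive.
    "Nov 27 14:09:00 host sshd[77]: Accepted password for admin from 192.0.2.5",
]

if __name__ == "__main__":
    for tier, entries in scan(SAMPLE_LOG).items():
        for line, hits in entries:
            print(f"[{tier}] {hits}: {line}")
```

The last sample line shows the usual cost of a bare keyword list: "admin" matches a normal successful login. logcheck addressed this with a separate file of patterns to ignore, and any scanner built on these lists needs the same allow-list step before the output is worth reading every morning.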