There is a log/event monitoring application developed by Axent Technologies called Intruder Alert (http://www.axent.com). It comes with pre-built 'policies' on phrases to watch for. You can also take action based on certain criteria.

Regards
Brendan Faulds
GLOBAL BUSINESS SOLUTIONS

----------
From: Mike Kienenberger[SMTP:mkienenb@arsc.edu]
Sent: Wednesday, 27 November 1996 9:07
To: ids@uow.edu.au
Subject: searching logs for key phrases

What key phrases do people scan log files for?

At our site, we log everything we can to a central "more secure" logging server. We divide our logging up into three files: SYSLOG.mail for all mail, SYSLOG.auth for authentication, and SYSLOG for everything else.

On our IRIX 5.3 systems, I've found that searching for the following is helpful:

VRFY         /usr/adm/*SYSLOG.mail   check mail logs for VRFY commands
EXPN         /usr/adm/*SYSLOG.mail   check mail logs for EXPN commands
" command "  /usr/adm/*SYSLOG.mail   check mail logs for debug/wiz commands
deni         /usr/adm/*SYSLOG.auth   check for denied net cmds in SYSLOG
fail         /usr/adm/*SYSLOG.auth   check for failed login attempts (passwords at the login prompt; brute force attacks, etc)

Does anyone have other things you look for on a regular basis?

I'm eventually hoping that we'll start using one of the log filter packages out there on the net. Anyone compared the various log filtering packages out there? Do any of the packages come with preset standard patterns to search for?

Thanks!
---
Mike Kienenberger
Arctic Region Supercomputing Center
Systems Analyst
(907) 474-6842
mkienenb@arsc.edu
http://www.arsc.edu
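The key-phrase scan Mike describes, written out as a small POSIX sh script so the patterns can be tried against sample data. This is an added example, not code from either poster: the log lines and file names are constructed for the demo, the scan is case-insensitive (an assumption; Mike's lowercase patterns would only match lowercase text), and the single files stand in for his /usr/adm/*SYSLOG.* wildcards.

```shell
#!/bin/sh
# Added example: scan constructed mail/auth syslog samples for the five
# key phrases from the thread and report how often each one appears.

WORK=${TMPDIR:-/tmp}/keyphrase_demo.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sendmail-style mail log (not real data).
cat > "$WORK/SYSLOG.mail" <<'EOF'
Nov 27 09:01:12 host sendmail[123]: NOQUEUE: remote.example: VRFY root [192.0.2.10]
Nov 27 09:01:13 host sendmail[123]: NOQUEUE: remote.example: EXPN staff [192.0.2.10]
Nov 27 09:02:00 host sendmail[124]: AA00124: from=<user@example.com>, size=1024
Nov 27 09:03:41 host sendmail[125]: NOQUEUE: remote.example: "wiz" command from [192.0.2.11]
EOF

# Constructed authentication log (not real data).
cat > "$WORK/SYSLOG.auth" <<'EOF'
Nov 27 09:05:02 host login[200]: LOGIN FAILURE FROM term1, alice
Nov 27 09:05:09 host login[200]: failed login for alice
Nov 27 09:06:00 host rshd[210]: connection from 192.0.2.12 denied
Nov 27 09:07:15 host login[201]: ROOT LOGIN ON console
EOF

# scan_log PATTERN FILE: print the number of matching lines.
# grep -c exits 1 when nothing matches; that is "zero hits", not an error.
scan_log() {
    grep -i -c -- "$1" "$2" || true
}

# run_checks: apply each pattern to the log it belongs to, print one
# report line per check, then a final "total N" line.
run_checks() {
    total=0
    for spec in "VRFY|SYSLOG.mail" "EXPN|SYSLOG.mail" " command |SYSLOG.mail" \
                "deni|SYSLOG.auth" "fail|SYSLOG.auth"; do
        pat=${spec%|*}
        file=${spec#*|}
        n=$(scan_log "$pat" "$WORK/$file")
        printf '%-12s %-12s %s hit(s)\n' "\"$pat\"" "$file" "$n"
        total=$((total + n))
    done
    printf 'total %s\n' "$total"
}

run_checks
```

With the sample above, "fail" matches both the "LOGIN FAILURE" and "failed login" lines because of -i, which is the kind of variation a pattern list has to be checked against before it goes into a scheduled job.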