Re: searching logs for key phrases

Kingsford, Bryan (brykin@CCGATE-UT.AXENT.COM)
Wed, 04 Dec 96 14:33:00 MDT

     Scanning for specific patterns and filtering out noise to find new 
     attack patterns should both be used together.

     Once an attack signature is identified, it is useful to create a rule 
     that will identify such an attack in the future and deal with it 
     appropriately.

     For attacks you haven't seen before it is critical to filter out 
     normal activity to detect the attack.


     Bryan Kingsford
     Omniguard/Intruder Alert Project Manager
     AXENT Technologies, Inc.
     brykin@axent.com


______________________________ Forward Header __________________________________
Subject: Re: searching logs for key phrases
Author:  Guido van Rooij <Guido.vanRooij@nl.cis.philips.com> at ccgate-ut
Date:    12/1/96 8:03 PM



Mike Kienenberger wrote:
> 
> VRFY            /usr/adm/*SYSLOG.mail   check mail logs for VRFY commands 
> EXPN            /usr/adm/*SYSLOG.mail   check mail logs for EXPN commands
> " command "     /usr/adm/*SYSLOG.mail   check mail logs for debug/wiz commands
> 
> deni                    /usr/adm/*SYSLOG.auth   check for denied net cmds in SYSLOG
> fail                    /usr/adm/*SYSLOG.auth   check for failed login attempts (passwords
>                                                 at the login prompt; brute force attacks, etc)
> 
> Does anyone have other things you look for on a regular basis?

It is in general a bad idea to scan for interesting things. What should 
be done instead is filter out the non-interesting ones.

-Guido
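An added example, written for this archive page and not posted by Mike, Guido or Bryan: Mike's signature list and Guido's "filter out the normal" approach run over the same constructed syslog lines, so the two can be compared the way Bryan's reply suggests. The log lines, hosts, PIDs and addresses are made up, and the normal-activity regex is an assumption about what a quiet mail and login log looks like.

```shell
#!/bin/sh
# Added example, not from the thread: Mike's signature list and Guido's
# "filter out the normal" approach over the same constructed syslog lines,
# used together as Bryan suggests. Hosts, PIDs and addresses are made up.

# Constructed SYSLOG.mail and SYSLOG.auth excerpts.
MAIL_LOG='Dec  1 19:58:10 mx1 sendmail[2011]: TAA02011: from=<alice@example.org>, size=1422, class=0
Dec  1 19:58:11 mx1 sendmail[2011]: TAA02011: to=<bob@example.org>, delay=00:00:01, stat=Sent
Dec  1 20:03:42 mx1 sendmail[2044]: NOQUEUE: [192.0.2.77]: VRFY root
Dec  1 20:03:45 mx1 sendmail[2044]: NOQUEUE: [192.0.2.77]: EXPN postmaster
Dec  1 20:04:01 mx1 sendmail[2044]: NOQUEUE: [192.0.2.77]: "wiz" command from [192.0.2.77]'
AUTH_LOG='Dec  1 20:00:00 gw login: ROOT LOGIN ON console
Dec  1 20:12:30 gw tn-gw[512]: connection denied from 192.0.2.77 (telnet)
Dec  1 20:13:00 gw login[700]: failed login for root on ttyp2 from 192.0.2.77
Dec  1 20:20:17 gw rlogind[812]: connect from 192.0.2.77'

# Mike's patterns as one alternation. His third entry is read here as the
# literal " command " with the quotes taken as delimiters (an assumption).
SIG_RE='VRFY|EXPN| command |deni|fail'

# Guido's approach needs the opposite list: what normal traffic looks like.
# Anything that does NOT match it is surfaced for a human to look at.
NORMAL_RE='sendmail\[[0-9]+\]: [A-Z]+[0-9]+: (from|to)=<|login: ROOT LOGIN ON console'

all_logs() { printf '%s\n%s\n' "$MAIL_LOG" "$AUTH_LOG"; }

# Mike: keep only lines that match a known signature.
signature_hits() { all_logs | grep -E "$SIG_RE"; }

# Guido: drop everything explained by the normal-activity list.
unexplained() { all_logs | grep -v -E "$NORMAL_RE"; }

# Bryan: use both. Lines that survive the noise filter but match no
# signature are the candidates for new signatures (here the rlogind line).
new_candidates() { unexplained | grep -v -E "$SIG_RE"; }

count_lines() { wc -l | tr -d ' '; }
count_signature_hits() { signature_hits | count_lines; }
count_unexplained() { unexplained | count_lines; }
count_new_candidates() { new_candidates | count_lines; }

echo "signature hits:";               signature_hits
echo "unexplained after noise filter:"; unexplained
echo "candidates for new signatures:"; new_candidates
```

On the sample above the signature pass returns 5 lines, the noise filter leaves 6, and only one line (the rlogind connect from the same address that issued VRFY/EXPN) is in neither list, which is exactly the kind of line Guido's method exists to surface.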