Scanning for specific patterns and filtering out noise to find new attack patterns should both be used together. Once an attack signature is identified, it is useful to create a rule that will identify such an attack in the future and deal with it appropriately. For attacks you haven't seen before it is critical to filter out normal activity to detect the attack.

Bryan Kingsford
Omniguard/Intruder Alert Project Manager
AXENT Technologies, Inc.
brykin@axent.com

______________________________ Forward Header __________________________________
Subject: Re: searching logs for key phrases
Author:  Guido van Rooij <Guido.vanRooij@nl.cis.philips.com> at ccgate-ut
Date:    12/1/96 8:03 PM

Mike Kienenberger wrote:
>
> VRFY        /usr/adm/*SYSLOG.mail   check mail logs for VRFY commands
> EXPN        /usr/adm/*SYSLOG.mail   check mail logs for EXPN commands
> " command " /usr/adm/*SYSLOG.mail   check mail logs for debug/wiz commands
>
> deni        /usr/adm/*SYSLOG.auth   check for denied net cmds in SYSLOG
> fail        /usr/adm/*SYSLOG.auth   check for failed login attempts (passwords at
>                                     the login prompt; brute force attacks, etc)
>
> Does anyone have other things you look for on a regular basis?

It is in general a bad idea to scan for interesting things. What should be done instead is filter out the non-interesting ones.

-Guido
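The two approaches argued over in this thread are not exclusive, and the following script (an added example, not code from any of the posters) shows them combined: Mike's grep patterns become signature rules, and a second list of known-normal patterns is subtracted from whatever the signatures did not catch, so the residue is the "non-interesting filtered out" view Guido and Bryan describe. The log lines, hostnames, rule names and noise patterns are all constructed for illustration; the syslog layout only approximates a 1990s BSD sendmail/auth log.

```python
import re

# Constructed sample of /usr/adm/SYSLOG.mail (not real data; approximate BSD syslog layout).
MAIL_LOG = """\
Dec  1 20:01:02 gw sendmail[201]: NOQUEUE: alice@example.org: VRFY root
Dec  1 20:01:05 gw sendmail[202]: NOQUEUE: alice@example.org: EXPN staff
Dec  1 20:01:09 gw sendmail[203]: "wiz" command from attacker.example.org
Dec  1 20:02:10 gw sendmail[204]: AA204: from=<bob@example.com>, size=1234
Dec  1 20:02:11 gw sendmail[204]: AA204: to=<carol@example.org>, stat=Sent
Dec  1 20:06:00 gw sendmail[206]: NOQUEUE: SYSERR(root): can't open /etc/sendmail.cf
"""

# Constructed sample of /usr/adm/SYSLOG.auth (not real data).
AUTH_LOG = """\
Dec  1 20:03:00 gw login: REPEATED LOGIN FAILURES ON ttyp0, root
Dec  1 20:03:05 gw telnetd[310]: connect from host.example.net: access denied
Dec  1 20:04:00 gw su: bob to root on /dev/ttyp1
Dec  1 20:05:00 gw cron[400]: (root) CMD (/usr/lib/atrun)
Dec  1 20:05:20 gw rlogind[320]: connect from trusted.example.org
Dec  1 20:07:00 gw login: ROOT LOGIN ttyp0 FROM attacker.example.org
"""

# Signature rules, one per log file, taken from the patterns quoted in the thread.
# "deni" and "fail" are matched case-insensitively here (a deliberate broadening of
# a plain grep, so that the BSD "LOGIN FAILURES" message is also caught).
RULES = {
    "mail": [
        ("VRFY", re.compile(r"\bVRFY\b")),
        ("EXPN", re.compile(r"\bEXPN\b")),
        ("debug/wiz", re.compile(r" command ")),
    ],
    "auth": [
        ("deni", re.compile(r"deni", re.IGNORECASE)),
        ("fail", re.compile(r"fail", re.IGNORECASE)),
    ],
}

# Known-normal patterns (assumed for this example): anything matching these is
# dropped, so that only unexplained lines survive to the residual list.
NOISE = {
    "mail": [
        re.compile(r"\b(from|to)=<"),               # ordinary delivery records
    ],
    "auth": [
        re.compile(r"cron\[\d+\]: \(\w+\) CMD \("),   # routine cron jobs
        re.compile(r"rlogind\[\d+\]: connect from trusted\.example\.org$"),
    ],
}


def triage(log_name, lines):
    """Split log lines into (signature_hits, residual).

    signature_hits: list of (tuple_of_rule_names, line) for lines matching a rule.
    residual:       lines matching neither a rule nor a known-normal pattern; this is
                    the set to read by hand, where previously unseen attacks show up.
    """
    hits = []
    residual = []
    for line in lines:
        matched = tuple(name for name, rx in RULES[log_name] if rx.search(line))
        if matched:
            hits.append((matched, line))
            continue
        if any(rx.search(line) for rx in NOISE[log_name]):
            continue  # explained by a known-normal pattern; discard
        residual.append(line)
    return hits, residual


def run_sample():
    """Triage both constructed logs; returns {log_name: (hits, residual)}."""
    return {
        name: triage(name, [l for l in text.splitlines() if l.strip()])
        for name, text in (("mail", MAIL_LOG), ("auth", AUTH_LOG))
    }


if __name__ == "__main__":
    for name, (hits, residual) in run_sample().items():
        print(f"== {name}: {len(hits)} signature hit(s) ==")
        for rules, line in hits:
            print(f"  [{','.join(rules)}] {line}")
        print(f"== {name}: {len(residual)} unexplained line(s) to review ==")
        for line in residual:
            print(f"  {line}")
```

On the constructed auth sample the signature pass flags the failed logins and the denied connection, while the noise filter is what surfaces the root login from an outside host and the su to root: neither matches any grep pattern, and a signature-only scan would never show them. The noise list needs the same care as the rule list; a pattern that is too broad silently hides exactly the lines this pass exists to find.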