PaulDotCom mailing list archives
Re: best automated way to construct a timeline from websense logs?
From: Champ Clark III <cclark () quadrantsec com>
Date: Sun, 09 Jun 2013 13:45:31 -0400
liblognorm is really good for extracting certain types of information from logs (src ip, dst ip, usernames, etc), but I'm not sure it's going to help in this case. Here is my liblognorm page: https://wiki.quadrantsec.com/bin/view/Main/LibLogNorm

You might be able to pump the logs into an ELSA or something like that. We wrote a custom Syslog/MySQL/Sphinx engine that we'd use in cases just like this (command line driven). Unfortunately, it's not open source :(

You might be better off sticking with grep/awk/sed/cut/etc. Also, Websense will store in a CEF format which should make it easier to extract what you want.

On 6/9/13 1:16 AM, Johan Peder Møller wrote:
> Have looked at liblognorm. No personal experience, but remember having it recommended at some time.
>
> rgds
> Johan
>
> On Fri, Jun 7, 2013 at 3:36 AM, allison nixon <elsakoo () gmail com> wrote:
>
>> So I have several gigs of webnonsense logs and I am trying to construct a timeline of malware infection as it spreads from IP to IP. I already know what the malicious URLs look like so that's not the issue. I want to be able to build a timeline of activity to describe the first moment a computer was infected and I want to illustrate when the phone home traffic hops from domain to domain.
--
Champ Clark III (cclark () quadrantsec com)
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
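As an added example, not code from the thread or from Websense: a short Python script that parses CEF-style proxy lines and builds the per-host timeline Allison asked for (first hit on a known-bad URL per source IP, then each change of phone-home domain). The CEF extension keys (rt, src, dst, request), the rt timestamp layout and the sample lines are constructed assumptions; a real Websense CEF export will need its own key names and time format.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample lines in CEF layout (not real Websense output); the
# extension keys rt/src/dst/request and the rt timestamp format are assumed.
SAMPLE_LOGS = """\
CEF:0|Websense|Security|7.7|1|Transaction permitted|3|rt=Jun 05 2013 09:12:03 src=10.0.1.15 dst=93.184.216.34 request=http://www.example.com/index.html
CEF:0|Websense|Security|7.7|1|Transaction permitted|3|rt=Jun 05 2013 09:14:41 src=10.0.1.15 dst=198.51.100.7 request=http://evil-c2.example.net/gate.php
CEF:0|Websense|Security|7.7|1|Transaction permitted|3|rt=Jun 05 2013 10:02:10 src=10.0.1.22 dst=198.51.100.7 request=http://evil-c2.example.net/gate.php
CEF:0|Websense|Security|7.7|1|Transaction permitted|3|rt=Jun 06 2013 01:30:55 src=10.0.1.15 dst=203.0.113.9 request=http://backup-c2.example.org/gate.php
CEF:0|Websense|Security|7.7|1|Transaction permitted|3|rt=Jun 06 2013 02:11:00 src=10.0.1.22 dst=203.0.113.9 request=http://backup-c2.example.org/gate.php
"""

# key=value pairs; a value runs until the next " key=" or the end of the line
EXT_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')

def parse_cef(line):
    """Split one CEF line into header fields plus an extension dict; None if malformed."""
    parts = re.split(r'(?<!\\)\|', line.strip(), maxsplit=7)  # 7 unescaped pipes in the header
    if len(parts) != 8 or not parts[0].startswith('CEF:'):
        return None
    rec = {'vendor': parts[1], 'product': parts[2], 'name': parts[5]}
    rec.update(EXT_RE.findall(parts[7]))
    return rec

def build_timeline(lines, bad_url_patterns):
    """Map src IP -> first hit on a known-bad URL and the ordered list of phone-home hosts."""
    bad = [re.compile(p) for p in bad_url_patterns]
    events = []
    for line in lines:
        rec = parse_cef(line)
        url = rec.get('request', '') if rec else ''
        if not any(b.search(url) for b in bad):
            continue
        ts = datetime.strptime(rec['rt'], '%b %d %Y %H:%M:%S')
        events.append((ts, rec['src'], urlsplit(url).hostname or ''))
    timeline = {}
    for ts, src, host in sorted(events):  # chronological order across all hosts
        entry = timeline.setdefault(src, {'first_seen': ts, 'hops': []})
        if not entry['hops'] or entry['hops'][-1][1] != host:  # C2 domain changed
            entry['hops'].append((ts, host))
    return timeline

if __name__ == '__main__':
    tl = build_timeline(SAMPLE_LOGS.splitlines(), [r'/gate\.php$'])
    for src, e in sorted(tl.items(), key=lambda kv: kv[1]['first_seen']):
        print(src, 'first infected at', e['first_seen'])
        for ts, host in e['hops']:
            print('    ', ts, 'phone-home ->', host)
```

The bad-URL patterns are plain regexes, so the same script runs over a grep-filtered subset of the real logs once the key names are adjusted.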
Current thread:
- best automated way to construct a timeline from websense logs? allison nixon (Jun 07)
- Re: best automated way to construct a timeline from websense logs? Alex (Jun 09)
- Re: best automated way to construct a timeline from websense logs? Johan Peder Møller (Jun 09)
- Re: best automated way to construct a timeline from websense logs? anthony kasza (Jun 09)
- Re: best automated way to construct a timeline from websense logs? Champ Clark III (Jun 09)
- Re: best automated way to construct a timeline from websense logs? Champ Clark III (Jun 09)
- Re: best automated way to construct a timeline from websense logs? allison nixon (Jun 09)
- Re: best automated way to construct a timeline from websense logs? Chris Campbell (Jun 10)
- Re: best automated way to construct a timeline from websense logs? allison nixon (Jun 11)
- Re: best automated way to construct a timeline from websense logs? Bojan Zdrnja (SANS ISC) (Jun 13)
- Re: best automated way to construct a timeline from websense logs? Guillaume Ross (Jun 11)