Security Basics mailing list archives

Re: Automated analysis of logs?

From: "K. K. Mookhey" <cto () nii co in>
Date: Wed, 9 Apr 2003 10:55:02 +0530

Hi Mark,
I am not sure if this is useful, and I am aware that there are tools to do this for syslog and Apache logs. But, we at 
NII just released a generic log analyzer, called, um..Log Analyzer.
Its available for download with source code at http://www.nii.co.in/research/tools.html
You need to point it to the directory containing your IIS log files and a pattern file containing attack signatures. In 
fact, the download comes with a default match.pat file which contains IIS attack signatures.
However, it won't give you any statistics, only the lines which match the signatures and the log files in which they 
occur. Since its a command-line tool you can schedule its running with 'at'. You can also specify the file names to 
match. For instance if you only want files from a certain day onwards, you can specify those files names with the -t 
switch.
Cheers,
K. K. Mookhey
CTO,
Network Intelligence India Pvt. Ltd.
Web: www.nii.co.in
=================================
Security Auditing Handbooks
http://www.nii.co.in/research/handbook.html
=================================


----- Original Message ----- 
From: "Mark G. Spencer" <mspencer () evidentdata com>
To: <security-basics () securityfocus com>
Sent: Tuesday, April 08, 2003 10:57 PM
Subject: Automated analysis of logs?


I read through much of the prior thread on analysis of logs and apparently
the applications mentioned will provide statistics, but they don't actually
make any determinations about activity. 

Are there any open-source applications that I can drop various kinds of logs
into (especially IIS logs) and get not only statistics, but information
and/or "warnings" about various kind of known activity?  Things like Nimda
scanning, backdoor attempts, etc.  I'm not looking for 100% precision when
identifying activity, but if I can identify or in some cases filter out all
known activity and concentrate on unknown, that would be really helpful.



-------------------------------------------------------------------
Is SPAM over-loading your e-mail server, disk space or bandwidth?
SurfControl E-Mail Filter is flexible, intelligent and policy-driven
protection.
http://www.securityfocus.com/SurfControl-security-basics2
Download your free fully functional trial, complete with 30-days of free technical support.
Stop SPAM before it stops you.
-------------------------------------------------------------------

Current thread:

Automated analysis of logs? Mark G. Spencer (Apr 08)
- Re: Automated analysis of logs? K. K. Mookhey (Apr 09)
- Re: Automated analysis of logs? Tomasz Onyszko (Apr 10)
- <Possible follow-ups>
- RE: Automated analysis of logs? Moeckel, Sharon (Apr 09)
  - Event correlation and log Analysis techniques? Dr. S. A. Vetha Manickam (Apr 10)
- Re: Automated analysis of logs? H Carvey (Apr 09)
- RE: Automated analysis of logs? Trevor Cushen (Apr 10)
- RE: Automated analysis of logs? Kinsey, Robert (Apr 12)
  - Re: Automated analysis of logs? Jon Pastore (Apr 14)
- RE: Automated analysis of logs? Kinsey, Robert (Apr 15)