Firewall Wizards mailing list archives

Re: Tools to correlate attacks b/w diff. logs


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 14 Jan 2000 12:43:38 -0600 (CST)


Yes like swatch, though, if I recall, swatch was limited to one file,
while logcheck can monitor multiple files.

Thanks,

Ron DuFresne


On Fri, 14 Jan 2000, Bryan Swann wrote:

This sounds just like the tool called swatch that has been around for
a while.  It monitors the log files and has several ways to alert an
administrator when it gets a hit.

"R. DuFresne" wrote:

Abstract

Logcheck is a software package that is designed to automatically run and
check system log files for security violations and unusual activity.
Logcheck utilizes a program called logtail that remembers the last
position it read from in a log file and uses this position on subsequent
runs to process new information. All source code is available for review
and the implementation was kept simple to avoid problems. This package is
a clone of the frequentcheck.sh script from the Trusted Information
Systems Gauntlet(tm) firewall package. TIS has granted permission for me
to clone this package.

                        -- crowland () psionic com

http://www.lh.umu.se/%7Ebjorn/mhonarc-files/linux-securitity

Thanks,

Ron DuFresne

On Tue, 11 Jan 2000, Pete Storm wrote:

Hi all,

Does anyone know of a tool out there that will allow
me to correlate incidents between several different
logs?  For example, if I see an attempt to pull off a
php exploit on my IDS it stands to reason that I'll
see a similar log entry on my web server.  What I'm
looking for is something that will pull these two
records out of the individual logs and place them in
an "incident" log as a related event.

The current problem is that we're talking about
hundreds of thousands of log entries.  Suppose I could
Perl it, but I was kinda hoping there might be a
commercial/shareware tool out there already that could
do it so much better than I could.

thanks,
phs


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!



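Added example, not code from this thread and not logcheck, logtail or swatch: a small Python correlator along the lines of what Pete asks for. It reads an IDS log and a web server log the way logtail does (resuming at a saved byte offset so each scheduled pass only sees new lines), pairs each IDS alert with web requests from the same source address within a time window, and appends the pairs to an "incident" log as JSON lines. The two line formats, the file names, the 60-second window and the assumption that both logs share one clock and timezone are all constructed for the example; the `demo()` function builds its own sample logs in a temporary directory.

```python
import json
import os
import re
import tempfile
from datetime import datetime

# Constructed line formats (assumptions, not any real IDS's or web server's):
#   IDS:  2000-01-14 12:43:38 IDS alert src=10.0.0.5 sig="..."
#   Web:  10.0.0.5 - - [14/Jan/2000:12:43:40 -0600] "GET / HTTP/1.0" 200 512
IDS_RE = re.compile(r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) IDS alert '
                    r'src=(?P<ip>[\d.]+) sig="(?P<sig>[^"]*)"')
WEB_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^ \]]+)[^\]]*\] "(?P<req>[^"]*)"')


def tail_new_lines(path, offsets):
    """logtail-style reader: resume at the saved byte offset, return only the
    complete new lines, hold back a trailing partial line for the next pass,
    and start over if the file shrank (rotated or truncated)."""
    offset = offsets.get(path, 0)
    if os.path.getsize(path) < offset:
        offset = 0
    with open(path, 'rb') as f:
        f.seek(offset)
        data = f.read()
    parts = data.split(b'\n')
    offsets[path] = offset + len(data) - len(parts[-1])  # up to the last newline
    return [p.decode('utf-8', 'replace') for p in parts[:-1]]


def parse_ids(line):
    m = IDS_RE.match(line)
    return m and {'ip': m['ip'], 'sig': m['sig'], 'raw': line,
                  'ts': datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')}


def parse_web(line):
    m = WEB_RE.match(line)
    # Caveat: the zone offset is dropped, so both logs are assumed to share a
    # clock and timezone; a real deployment should normalise to UTC first.
    return m and {'ip': m['ip'], 'req': m['req'], 'raw': line,
                  'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S')}


def correlate(alerts, hits, window):
    """One incident per IDS alert that has at least one web request from the
    same source address within `window` seconds either side of the alert."""
    incidents = []
    for a in alerts:
        related = [w['raw'] for w in hits if w['ip'] == a['ip']
                   and abs((a['ts'] - w['ts']).total_seconds()) <= window]
        if related:
            incidents.append({'src_ip': a['ip'], 'signature': a['sig'],
                              'ids_event': a['raw'], 'web_requests': related})
    return incidents


def run(ids_log, web_log, state_file, incident_log, window=60):
    """One scheduled pass: read new lines, correlate them against the recent
    events kept from earlier passes, append incidents, save offsets and state."""
    state = {'offsets': {}, 'ids': [], 'web': []}
    if os.path.exists(state_file):
        with open(state_file) as f:
            state = json.load(f)
    old_ids = [dict(e, ts=datetime.fromisoformat(e['ts'])) for e in state['ids']]
    old_web = [dict(e, ts=datetime.fromisoformat(e['ts'])) for e in state['web']]
    new_ids = [e for e in map(parse_ids, tail_new_lines(ids_log, state['offsets'])) if e]
    new_web = [e for e in map(parse_web, tail_new_lines(web_log, state['offsets'])) if e]
    incidents = (correlate(new_ids, old_web + new_web, window)
                 + correlate(old_ids, new_web, window))
    with open(incident_log, 'a') as f:
        for inc in incidents:
            f.write(json.dumps(inc) + '\n')
    # Keep only events recent enough to still pair with something next pass.
    events = old_ids + new_ids + old_web + new_web
    if events:
        cutoff = max(e['ts'] for e in events).timestamp() - window
        keep = lambda es: [dict(e, ts=e['ts'].isoformat()) for e in es
                           if e['ts'].timestamp() >= cutoff]
        state['ids'], state['web'] = keep(old_ids + new_ids), keep(old_web + new_web)
    with open(state_file, 'w') as f:
        json.dump(state, f)
    return incidents


def demo():
    """Three passes over constructed logs in a temp dir; returns each pass's incidents."""
    d = tempfile.mkdtemp()
    ids_log, web_log = os.path.join(d, 'ids.log'), os.path.join(d, 'access.log')
    state, out = os.path.join(d, 'state.json'), os.path.join(d, 'incidents.log')
    with open(ids_log, 'w') as f:
        f.write('2000-01-14 12:43:38 IDS alert src=10.0.0.5 sig="PHP exploit attempt"\n'
                '2000-01-14 12:50:00 IDS alert src=192.168.1.9 sig="port scan"\n')
    with open(web_log, 'w') as f:
        f.write('10.0.0.5 - - [14/Jan/2000:12:43:40 -0600] "GET /cgi-bin/test.php?x=1 HTTP/1.0" 200 512\n'
                '172.16.0.2 - - [14/Jan/2000:12:44:01 -0600] "GET / HTTP/1.0" 200 1024\n'
                '192.168.1.9 - - [14/Jan/2000:13:30:00 -0600] "GET /robots.txt HTTP/1.0" 404 200\n')
    first = run(ids_log, web_log, state, out)   # pairs the two 10.0.0.5 events
    second = run(ids_log, web_log, state, out)  # nothing new: nothing re-read
    with open(ids_log, 'a') as f:               # late alert pairs with the buffered web hit
        f.write('2000-01-14 13:29:50 IDS alert src=192.168.1.9 sig="web probe"\n')
    third = run(ids_log, web_log, state, out)
    return first, second, third


if __name__ == '__main__':
    for n, incs in enumerate(demo(), 1):
        print(f'pass {n}: {len(incs)} incident(s)', *(i['src_ip'] for i in incs))
```

The state file is what makes this usable from cron the way logcheck is: the offsets mean the hundreds of thousands of old entries are read once, and the small buffer of recent events lets an alert in one pass still pair with a web request that was read in the previous one. Matching on source address plus a time window is deliberately crude; it will pair unrelated events from the same NAT gateway, so treat the incident log as a starting point for review rather than a verdict.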


