Re: Tools to correlate attacks b/w diff. logs

[Rafi Sadowsky <rafi () meron openu ac il>]

Logcheck will tail mmultiple logfiles with som pattern matching
 <ftp://ftp.cert.dfn.de/pub/tools/audit/logcheck/logcheck-1.01.tar.gz>

Logsurfer - will only do one file at a time but with multiple contexts 
( a context can  be opened on a regexp match & continue collecting lines
 until a timeout , or report line X only if line Y doesn't get logged
  within a timeout)
 <http://www.cert.dfn.de/eng/logsurf/>

-- 
Rafi Sadowsky                                   rafi () oumail openu ac il
Network/System/Security  VoiceMail: +972-3-646-0592   FAX: +972-3-646-5410
       Mangler ( :-)      |    member  ILAN-CERT(CERT () CERT AC IL)
Open University of Israel |   (PGP key -> )  http://telem.openu.ac.il/~rafi


On Tue, 11 Jan 2000, Pete Storm wrote:

> Hi all,
>
> Does anyone know of a tool out there that will allow
> me to correlate incidents between several different
> logs?  For example, if I see an attempt to pull off a
> php exploit on my IDS it stands to reason that I'll
> see a similar log entry on my web server.  What I'm
> looking for is something that will pull these two
> records out of the individual logs and place them in
> an "incident" log as a related event.
>
> The current problem is that we're talking about
> hundreds of thousands of log entries.  Suppose I could
> Perl it, but I was kinda hoping there might be a
> commercial/shareware tool out there already that could
> do it so much better than I could.
>
> thanks,
> phs
> __________________________________________________
> Do You Yahoo!?
> Talk to your friends online with Yahoo! Messenger.
> http://im.yahoo.com