RE: Automated analysis of logs?

From: Trevor Cushen (Trevor.Cushen@sysnet.ie)
Date: 04/10/03

    Date: Thu, 10 Apr 2003 12:19:41 +0100
    From: "Trevor Cushen" <Trevor.Cushen@sysnet.ie>
    To: <security-basics@securityfocus.com>
    
    

    PERL is the answer to all your log questions. I sent on stuff before to
    members of this list to parse IIS logs and isolate good traffic from
    attacks based on known signatures such as "cmd.exe" etc. and
    "....\....\..." type stuff. It could all be logged into a database and
    reports generated to your heart's content. Flashy web front ends are
    also possible, and also the ability to graph the whole thing with
    GD::Graph routines.

    So again PERL is your answer. Well worth a look as it was built with
    log analysis and reporting in mind.

    OR

    Look at 'FastStats Analyzer', 'http://www.10-strike.com/', and there
    are more via search engines. But for customised solutions I'm afraid
    you have to do it yourself. But it is worth it.

    -----Original Message-----
    From: H Carvey [mailto:keydet89@yahoo.com]
    Sent: 09 April 2003 13:03
    To: security-basics@securityfocus.com
    Subject: Re: Automated analysis of logs?

    In-Reply-To: <001d01c2fdf4$2c403c50$b600000a@alderon>

    >Are there any open-source applications that I can drop various kinds of
    >logs into (especially IIS logs) and get not only statistics, but information
    >and/or "warnings" about various kinds of known activity?

    I've written Perl scripts to do exactly this sort of thing. The big
    issue is that not everyone clicks on all of the check boxes when they
    configure IIS logging. When I worked at a telecomm company, we had an
    ISP that had a lot of IIS servers...it seemed as if no two had the same
    items checked!

    What I generally do is get an idea of what is the 'normal' activity.
    For example, on systems running OWA, one would expect to see queries
    that begin w/ "exchange". Then I start filtering out all normal traffic
    from the logs, narrowing that down.

    Hope that helps,

    Harlan

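A worked example added here (it is not code from either poster) of the approach both messages describe, in Perl: it reads each `#Fields:` header so servers with different logging check-boxes still parse correctly, flags the "cmd.exe" and "..\" signatures Trevor mentions, and then drops the expected OWA "/exchange" traffic Harlan describes so only unexplained requests are left for review. The sample log lines, the `analyse` function and the signature and baseline lists are constructed for this example and are not from the thread.

```perl
#!/usr/bin/perl
# Added example, not from the thread: parse IIS W3C extended logs whose
# "#Fields:" header differs per server, flag known attack signatures, and
# remove baseline ("normal") traffic so only what is left needs a human look.
use strict;
use warnings;

# Constructed sample: two servers, each with a different set of fields enabled.
my $sample = <<'LOG';
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-09 12:00:01 10.0.0.5 GET /exchange/inbox - 200
2003-04-09 12:00:02 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2003-04-09 12:00:03 10.0.0.7 GET /index.asp - 200
#Fields: date time cs-method cs-uri-stem sc-status
2003-04-09 12:05:00 GET /exchange/ 200
2003-04-09 12:05:01 GET /msadc/..\../..\../winnt/system32/cmd.exe 404
LOG

my @signatures = (qr{cmd\.exe}i, qr{\.\.[\\/]}, qr{%25|%c0%af|%c1%1c}i);  # known bad patterns
my @normal     = (qr{^/exchange}i);  # baseline: OWA is expected on this box

sub analyse {
    my ($fh) = @_;
    my @fields;                      # current field layout, reset at each #Fields: line
    my (@attacks, @unknown);
    while (my $line = <$fh>) {
        chomp $line;
        if ($line =~ /^#Fields:\s*(.*)/) { @fields = split ' ', $1; next; }
        next if $line =~ /^#/ || $line eq '';
        my %rec;
        @rec{@fields} = split ' ', $line;   # name each column from the header
        my $uri = $rec{'cs-uri-stem'} // '';
        $uri .= '?' . $rec{'cs-uri-query'}
            if defined $rec{'cs-uri-query'} && $rec{'cs-uri-query'} ne '-';
        if (grep { $uri =~ $_ } @signatures) { push @attacks, { %rec, uri => $uri }; next; }
        next if grep { $uri =~ $_ } @normal;   # drop traffic we expect to see
        push @unknown, { %rec, uri => $uri };  # neither known-bad nor known-good
    }
    return (\@attacks, \@unknown);
}

open my $fh, '<', \$sample or die "cannot open sample: $!";
my ($attacks, $unknown) = analyse($fh);
printf "%d attack lines, %d unexplained lines\n", scalar @$attacks, scalar @$unknown;
printf "ATTACK  %s %s %s\n", $_->{date}, $_->{'c-ip'} // '-', $_->{uri} for @$attacks;
printf "REVIEW  %s %s\n", $_->{date}, $_->{uri} for @$unknown;
```

Pointing `open` at a real log file instead of the in-memory string is the only change needed to run it against a server's logs; the "REVIEW" bucket is the set Harlan describes narrowing down once the baseline is filtered out.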

