OsAudit v0.1 (log gathering, monitoring and analysis) available.

From: Daniel Cid (danielcid_at_yahoo.com.br)
Date: 02/17/05

  • Next message: Mathias Kanstrup: "Re: KVMs"

    Date: Thu, 17 Feb 2005 15:16:17 -0300 (ART)
    To: security-basics@securityfocus.com

    OsAudit version 0.1 is available for download.

    OsAudit is a complete system for log gathering,
    monitoring and analysis. It has two different running
    modes: server and client.

    In client mode, OsAudit will read the logs and forward
    them (encrypted) to the server station.
    In server mode, OsAudit will receive external logs
    from the clients or from any other device that can
    send remote syslog messages and analyze them.

    OsAudit uses (right now) 3 different methods to
    analyze the logs.

    It begins analyzing the logs against the FTS (first
    time seen) database. The FTS is only used for some
    specific logs (like sshd connections, su usages, sudo,
    snort rules, etc). For example, every time a new user
    logs in to a system, the FTS will fire.
    It will cause some false positives in the beginning,
    but after one or two days it will become very useful
    to detect a lot of possible intrusions. The same applies
    to snort logs. Most false positive messages will stop
    after a few hours and only "new" problems (probably
    not false positives) will be notified.

    After the FTS analysis, OsAudit will analyze the logs
    against the generated statistics. If for example,
    during the Sundays the average number of logs received
    between 9pm and 10pm is 500, and during one day it
    receives 600, an alert will be generated. OsAudit will
    analyze the logs against the average logs for the hour
    and for the hour/weekday combination.

    The last step in the analysis is the rule matching.
    All OsAudit rules are in the XML format and are very
    easy to manage. We have more than 60 different rules
    matching many common problems. The current rules can
    be viewed in the etc/rules directory.

    OsAudit right now can perfectly read and analyze the
    following logs: syslog, snort-full, snort-fast,
    barnyard dump_log, apache err log and any other log
    file that looks like syslog (or is well formatted).

    For more information, go to:

    http://www.ossec.net/osaudit/
    http://osaudit.sourceforge.net
    http://sourceforge.net/projects/osaudit/

    For comments, suggestions or questions:
    daniel.cid @ (at) gmail.com

    Thanks,

    Daniel B. Cid, CISSP
    daniel.cid @ (at) gmail.com


