NFR Wizards Archives: Re: Tools to correlate attacks b/w diff.

Re: Tools to correlate attacks b/w diff. logs


Subject: Re: Tools to correlate attacks b/w diff. logs
From: Rafi Sadowsky (rafimeron.openu.ac.il)
Date: Fri Jan 14 2000 - 02:12:49 CST


Logcheck will tail multiple logfiles with some pattern matching
 <ftp://ftp.cert.dfn.de/pub/tools/audit/logcheck/logcheck-1.01.tar.gz>

Logsurfer - will only do one file at a time but with multiple contexts
(a context can be opened on a regexp match & continue collecting lines
 until a timeout, or report line X only if line Y doesn't get logged
 within a timeout)
 <http://www.cert.dfn.de/eng/logsurf/>

-- 
Rafi Sadowsky                                   rafioumail.openu.ac.il
Network/System/Security  VoiceMail: +972-3-646-0592   FAX: +972-3-646-5410
       Mangler ( :-)      |    member  ILAN-CERT(CERTCERT.AC.IL)
Open University of Israel |   (PGP key -> )  http://telem.openu.ac.il/~rafi

On Tue, 11 Jan 2000, Pete Storm wrote:

> Hi all,
>
> Does anyone know of a tool out there that will allow
> me to correlate incidents between several different
> logs? For example, if I see an attempt to pull off a
> php exploit on my IDS it stands to reason that I'll
> see a similar log entry on my web server. What I'm
> looking for is something that will pull these two
> records out of the individual logs and place them in
> an "incident" log as a related event.
>
> The current problem is that we're talking about
> hundreds of thousands of log entries. Suppose I could
> Perl it, but I was kinda hoping there might be a
> commercial/shareware tool out there already that could
> do it so much better than I could.
>
> thanks,
> phs
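The correlation Pete describes (an IDS alert and a matching web-server entry from the same source, pulled into one "incident" record), as an added example that is not part of the original thread; the IDS alert format, the constructed log lines, and the fixed +/- 60 s window are assumptions for illustration.

```python
"""Correlate IDS alerts with web-server access-log entries by source IP and time."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical IDS format; Common Log Format for the web server).
IDS_ALERTS = [
    "2000-01-11 14:02:10 alert src=10.1.2.3 sig=WEB-PHP remote file include attempt",
    "2000-01-11 14:05:44 alert src=10.9.9.9 sig=ICMP sweep",
]
WEB_ACCESS = [
    '10.1.2.3 - - [11/Jan/2000:14:02:12 +0000] "GET /index.php?page=http://x/y HTTP/1.0" 200 512',
    '10.4.4.4 - - [11/Jan/2000:14:02:30 +0000] "GET / HTTP/1.0" 200 1024',
    '10.1.2.3 - - [11/Jan/2000:15:30:00 +0000] "GET /index.php HTTP/1.0" 200 512',
]

IDS_RE = re.compile(r"^(\S+ \S+) alert src=(\S+) sig=(.*)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

def parse_ids(line):
    m = IDS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "src": m.group(2), "sig": m.group(3), "raw": line}

def parse_web(line):
    m = WEB_RE.match(line)
    if not m:
        return None
    # Both logs are treated as UTC; the zone offset is parsed, then dropped for comparison.
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return {"ts": ts, "src": m.group(1), "req": m.group(3), "raw": line}

def correlate(ids_lines, web_lines, window=timedelta(seconds=60)):
    """Index web entries by source IP, then match each alert against hits from the
    same IP within +/- window. Each file is read once, so it scales to large logs."""
    by_src = defaultdict(list)
    for line in web_lines:
        rec = parse_web(line)
        if rec:
            by_src[rec["src"]].append(rec)
    incidents = []
    for line in ids_lines:
        alert = parse_ids(line)
        if not alert:
            continue
        hits = [w["raw"] for w in by_src.get(alert["src"], ())
                if abs(w["ts"] - alert["ts"]) <= window]
        if hits:  # only alerts that the web log corroborates become incidents
            incidents.append({"src": alert["src"], "sig": alert["sig"],
                              "ids": alert["raw"], "web": hits})
    return incidents

if __name__ == "__main__":
    for inc in correlate(IDS_ALERTS, WEB_ACCESS):
        print(f"INCIDENT src={inc['src']} sig={inc['sig']}")
        print("  ids:", inc["ids"])
        for w in inc["web"]:
            print("  web:", w)
```

Widening the window shows the trade-off: the same source's later, unrelated request is also pulled into the incident.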



This archive was generated by hypermail 2b27 : Sat Jan 15 2000 - 22:08:31 CST