[2635] in WWW Security List Archive
Re: Monitoring logs
daemon@ATHENA.MIT.EDU (Adam Shostack)
Thu Aug 15 21:42:55 1996
From: Adam Shostack <adam@homeport.org>
To: tauzell@math.umn.edu (David Tauzell)
Date: Thu, 15 Aug 1996 19:59:34 -0500 (EST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.GSO.3.93.960815092512.11627A-100000@birch.math.umn.edu> from "David Tauzell" at Aug 15, 96 09:26:10 am
Errors-To: owner-www-security@ns2.rutgers.edu
David Tauzell wrote:
| What kinds of things do people look for when monitoring logs for security
| breaches?
The unexpected stuff, of course. :)
Seriously though, the correct answer is not to look for stuff, but to
filter out the expected. This can take a little tweaking of perl
regexps. However, the benefit is that the new attack log messages
show up in your logs, since they're unlikely to result in something
that you're filtering.
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
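As an added example (not from Adam's post or anything he published), here is the "filter out the expected" approach in working form. It uses Python's re module instead of Perl regexps so it runs as-is; the host name, the allow-list patterns and the syslog lines are all constructed for the example and are assumptions, not real data. Two details a practitioner wants: each pattern is applied with fullmatch(), so an over-broad pattern cannot quietly swallow the failures you care about, and the filter counts how many lines each pattern ate, so a stale pattern (zero hits) or a greedy one (far too many) is visible.

```python
import re

# Added example: an allow-list ("expected") filter over syslog-style lines.
# Everything the allow-list does not cover is returned for a human to read.
# The patterns, host name and log lines below are constructed for this
# example and are not from the original post; tune the list to your own logs.

# Syslog prefix "Mon DD HH:MM:SS host " is stripped before matching so the
# patterns only have to describe the program and message, not the timestamp.
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ ")

# Messages that are normal on this (hypothetical) host.  Each is used with
# fullmatch(), so a pattern has to describe the whole message; a sloppy
# pattern such as r"sshd.*" would otherwise hide the failures we want to see.
EXPECTED_PATTERNS = [
    r"sshd\[\d+\]: Accepted publickey for (alice|bob) from 10\.0\.\d+\.\d+ port \d+ ssh2",
    r"CRON\[\d+\]: \(root\) CMD \(/usr/bin/logrotate .*\)",
    r'httpd\[\d+\]: 10\.0\.\d+\.\d+ - - "GET /index\.html HTTP/1\.[01]" 200 \d+',
    r'httpd\[\d+\]: \S+ - - "GET /robots\.txt HTTP/1\.[01]" 404 \d+',
]

# Constructed sample log; the last four lines are the kind of thing the
# filter should let through.
SAMPLE_LOG = """\
Aug 15 21:40:01 www sshd[4012]: Accepted publickey for alice from 10.0.3.7 port 51022 ssh2
Aug 15 21:40:05 www httpd[777]: 10.0.3.9 - - "GET /index.html HTTP/1.0" 200 1843
Aug 15 21:41:00 www CRON[4020]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)
Aug 15 21:41:37 www sshd[4031]: Failed password for root from 192.0.2.44 port 40122 ssh2
Aug 15 21:41:38 www sshd[4031]: Failed password for root from 192.0.2.44 port 40123 ssh2
Aug 15 21:42:10 www httpd[777]: 192.0.2.44 - - "GET /../../../etc/passwd HTTP/1.0" 404 312
Aug 15 21:42:55 www sshd[4044]: Accepted publickey for mallory from 10.0.3.7 port 51100 ssh2
"""


def filter_expected(lines, patterns):
    """Return (unexpected_lines, hits).

    unexpected_lines are the input lines no pattern fully matched;
    hits[i] counts how many lines pattern i swallowed, which lets the
    caller spot a pattern that has gone stale (zero hits) or one that is
    eating far more than it should (suspiciously many hits).
    """
    compiled = [re.compile(p) for p in patterns]
    hits = [0] * len(compiled)
    unexpected = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        body = SYSLOG_PREFIX.sub("", line, count=1)
        for i, pat in enumerate(compiled):
            if pat.fullmatch(body):
                hits[i] += 1
                break
        else:  # no pattern matched: this is the interesting line
            unexpected.append(line)
    return unexpected, hits


def unused_patterns(patterns, hits):
    """Patterns that matched nothing; candidates for review or removal."""
    return [p for p, n in zip(patterns, hits) if n == 0]


def run_demo():
    """Run the filter over SAMPLE_LOG and return (unexpected, hits)."""
    return filter_expected(SAMPLE_LOG.splitlines(), EXPECTED_PATTERNS)


if __name__ == "__main__":
    unexpected, hits = run_demo()
    print("Unexpected lines:")
    for line in unexpected:
        print("  " + line)
    print("Unused patterns:", unused_patterns(EXPECTED_PATTERNS, hits))
```

On the constructed sample, the three routine lines are dropped and the two failed root logins, the path-traversal request and the login by an account that is not on the allow-list come through; the robots.txt pattern matched nothing, which is exactly the kind of tweaking the post mentions. The same idea scales by running it from cron over the day's log and mailing only the unexpected lines.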