[444] in Intrusion Detection Systems
New version of tklogger available
daemon@ATHENA.MIT.EDU (Doug Hughes)
Tue Dec 5 02:32:28 1995
From: Doug Hughes <Doug.Hughes@Eng.Auburn.EDU>
Date: Mon, 4 Dec 1995 10:25:40 -0600
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
I've done some alterations/improvements on tklogger.
- Improved support for regular expression matching and options for
regular expression/exact match and case [in]sensitive matching
But the major difference:
- removed need for TclX
This means it should be much more portable to mac/windows/NT type
platforms. The only differences that may need to be made would be
in the area of home directories, since by default it looks in your
home directory for the config file. I'm not sure how to go about
rectifying this for those platforms, since they treat this concept
a little differently in each case. If anybody has some portable
ideas on this, I'd be happy to integrate them.
----- What is tklogger? ------
It's a program that monitors log files in near-realtime on a user-defined
polling interval. It has two windows, one for low priority and one for
high priority items. High priority items are displayed in any color
matching *red* and immediately deiconize and raise the logger window to
the front of the display. Low priority items can be any color that
does not have red in it, or just plain black.
At its simplest, tklogger watches log files generated by syslog. But,
the log files can be generated in any fashion that you wish, or that
your firewall or other system might desire. tklogger just watches
the logs and displays results.
Tips:
If you use syslog, forward your logs to a central, secure, restricted
access machine. This way, even if somebody does a flood type attack
on syslog, you're sure to notice it.
Don't set the polling interval below 5 seconds, particularly if you
are watching lots of different files.
Don't use too many regular expressions for pattern matching; the results
may slow down the application considerably (unless you have very little
information being logged).
You can either have lots of files, or lots of regular expressions, but
try not to mix both. I have not stress tested it, but at a polling interval
of ten seconds, it should easily handle 30-60 messages.
Log what you think is important to the priority window. If you try
to log too much stuff, you are likely to get very annoyed at the window
constantly popping to the front. It works best if you log the information
that is important to you, and have other people logging information important
to them. Logging too much information will annoy you, and make you less
likely to notice the really important stuff.
This works extremely well with tcp_wrappers, klaxon, courtney, and
other intrusion detection/port monitoring/log generating applications.
Here's a sample configuration file and some comments:
- file operations specify a valid file name and a handle for the file
to use internally to the program
- color operations are used to associate colors with file handles (not
all handles have to have colors, but a color must have a handle)
- match operations use regular expressions to look for specific
keywords and highlight those differently and prioritized above the
generic 'color' operation
- ignore operations can be used like match operations
file auth /var/log/authlog
file daemon /var/log/daemon
file local0 /var/log/local0.info
file local1 /var/log/local1.note
file local2 /var/log/local2.warn
file local3 /var/log/local3.note
file maillog /var/log/maillog
color local0 forestgreen
color local1 lightseagreen
color local2 magenta
color local3 red1
color auth red2
match {LOGIN FAILURE} mediumvioletred
match (pgcntd|refused) red4
match portwatcher red3
match (vrfy|expn) violetred
ignore xntpd
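The configuration syntax and the priority rule described above (any colour matching *red* goes to the high-priority window, match rules override the per-file colour, handles without a colour are plain black), plus one polling step of the log watcher, as an added Python example. This is not tklogger's own Tcl/Tk code; it reuses the post's sample configuration and runs the rules over constructed log lines. Assumptions not in the post: ignore rules are checked before match rules, a line beginning with `#` is a comment, Tcl-style braces only group a pattern containing spaces, and a poll reads only the complete lines appended since the previous offset.

```python
import os
import re
import tempfile

# Copy of the post's sample configuration (paths and colour names are the post's own).
SAMPLE_CONFIG = """\
file auth /var/log/authlog
file daemon /var/log/daemon
file local0 /var/log/local0.info
file local1 /var/log/local1.note
file local2 /var/log/local2.warn
file local3 /var/log/local3.note
file maillog /var/log/maillog
color local0 forestgreen
color local1 lightseagreen
color local2 magenta
color local3 red1
color auth red2
match {LOGIN FAILURE} mediumvioletred
match (pgcntd|refused) red4
match portwatcher red3
match (vrfy|expn) violetred
ignore xntpd
"""

def compile_pattern(text, regex=True, ignore_case=False):
    """Regular-expression or exact (literal) matching, case [in]sensitive."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(text if regex else re.escape(text), flags)

def parse_config(text, regex=True, ignore_case=False):
    """Return {'files': handle->path, 'colors': handle->colour, 'matches': [(pattern, colour)], 'ignores': [pattern]}."""
    cfg = {"files": {}, "colors": {}, "matches": [], "ignores": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # '#' comments are an assumption of this parser
            continue
        op, rest = line.split(None, 1)
        if op == "file":
            handle, path = rest.split(None, 1)
            cfg["files"][handle] = path
        elif op == "color":
            handle, color = rest.split()
            cfg["colors"][handle] = color
        elif op == "match":
            pattern, color = rest.rsplit(None, 1)   # colour is the last word; braces group the pattern
            cfg["matches"].append((compile_pattern(pattern.strip("{}"), regex, ignore_case), color))
        elif op == "ignore":
            cfg["ignores"].append(compile_pattern(rest.strip("{}"), regex, ignore_case))
        else:
            raise ValueError(f"unknown operation: {op}")
    return cfg

def classify(cfg, handle, line):
    """Return (colour, high_priority) for one log line, or None if an ignore rule hits."""
    if any(p.search(line) for p in cfg["ignores"]):
        return None
    for pattern, color in cfg["matches"]:        # match rules take precedence over the file colour
        if pattern.search(line):
            return color, "red" in color.lower()
    color = cfg["colors"].get(handle, "black")   # no colour configured for this handle: plain black
    return color, "red" in color.lower()

def triage(cfg, entries):
    """Sort (handle, line) pairs into the high- and low-priority windows."""
    windows = {"high": [], "low": []}
    for handle, line in entries:
        result = classify(cfg, handle, line)
        if result is not None:
            windows["high" if result[1] else "low"].append((result[0], line))
    return windows

def read_new_lines(path, offset):
    """One polling step: complete lines appended since `offset`, and the new offset."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1                  # a partially written last line waits for the next poll
    return data[:end].decode("utf-8", "replace").splitlines(), offset + end

def poll_demo():
    """Write a temporary log, poll it twice, and return what each poll saw."""
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".log") as fh:
        fh.write(b"first line\nsecond line\npartial")
        path = fh.name
    try:
        first, off = read_new_lines(path, 0)
        with open(path, "ab") as fh:
            fh.write(b" line\nthird line\n")
        second, _ = read_new_lines(path, off)
    finally:
        os.unlink(path)
    return first, second

# Constructed sample log lines (not real logs), keyed by file handle.
SAMPLE_LOG = [
    ("auth", "Dec  4 10:25:40 host login[212]: LOGIN FAILURE ON ttyp0"),
    ("daemon", "Dec  4 10:25:41 host xntpd[99]: synchronized to peer"),
    ("daemon", "Dec  4 10:25:42 host in.telnetd[300]: refused connect from 10.0.0.9"),
    ("maillog", "Dec  4 10:25:43 host sendmail[301]: vrfy root"),
    ("local0", "Dec  4 10:25:44 host printer: queue idle"),
]
```

Running `triage(parse_config(SAMPLE_CONFIG), SAMPLE_LOG)` puts the login failure, the refused connection and the vrfy line in the high window (their colours all contain "red"), drops the xntpd line, and leaves the printer line in the low window in forestgreen. Note that `mediumvioletred` and `violetred` count as high priority under the post's rule exactly because the colour name contains "red", which is worth remembering when picking colours for match rules.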
-- What do I need?
You need a working copy of wish (Tcl/Tk executable).
Source code for unix, and binaries for mac/windows/NT are available at:
ftp.sunlabs.com:pub/tcl
There is also a collection of Web pages on Tcl and Tk at the URL
http://www.sunlabs.com/research/tcl.
-- Where do I get tklogger?
ftp.eng.auburn.edu:pub/doug/tklogger
ftp.eng.auburn.edu:pub/doug/tklogger.asc (ASCII PGP signed version)
ftp.eng.auburn.edu:pub/doug/tklogger.pgp (Binary PGP signed version)
http://www.eng.auburn.edu/users/doug/second.html (includes configuration
guidelines mentioned above)
There is also a mirror on coast, but that version is currently not up
to date (though it should be soon).
Doug Hughes Engineering Network Services
doug@eng.auburn.edu Auburn University