[776] in Intrusion Detection Systems
searching logs for key phrases
daemon@ATHENA.MIT.EDU (Mike Kienenberger)
Wed Nov 27 06:35:35 1996
From: Mike Kienenberger <mkienenb@arsc.edu>
Date: Tue, 26 Nov 96 13:07:53 -0900
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
What key phrases do people scan log files for?
At our site, we log everything we can to a central "more secure" logging
server. We divide our logging up into three files: SYSLOG.mail for all mail,
SYSLOG.auth for authentication, and SYSLOG for everything else.
On our IRIX 5.3 systems, I've found that searching for the following is helpful:

VRFY         /usr/adm/*SYSLOG.mail   check mail logs for VRFY commands
EXPN         /usr/adm/*SYSLOG.mail   check mail logs for EXPN commands
" command "  /usr/adm/*SYSLOG.mail   check mail logs for debug/wiz commands
deni         /usr/adm/*SYSLOG.auth   check for denied net cmds in SYSLOG
fail         /usr/adm/*SYSLOG.auth   check for failed login attempts (passwords at the login prompt; brute force attacks, etc)
Does anyone have other things you look for on a regular basis?
I'm eventually hoping that we'll start using one of the log filter packages out there on the net. Anyone compared the various log filtering packages out there? Do any of the packages come with preset standard patterns to search for?
Thanks!
---
Mike Kienenberger Arctic Region Supercomputing Center
Systems Analyst (907) 474-6842
mkienenb@arsc.edu http://www.arsc.edu
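The key-phrase scan Mike describes, as an added example that is not code from the original post. It builds a scratch directory standing in for /usr/adm, fills it with constructed SYSLOG.mail and SYSLOG.auth lines (hostnames, PIDs and the exact sendmail/login message layouts are assumptions for the demo, not real ARSC data), runs each pattern from the post over its file, and goes one step further on the brute-force point by counting failed logins per source host. Matching is case-insensitive so that "fail" also catches "LOGIN FAILURE"; the functions scan_log, count_hits, report and brute_force_sources are named here for the example only.

```shell
#!/bin/sh
# Added example, not code from the original post. Everything below the
# function definitions is constructed demo data; formats are assumptions.

# Scratch directory standing in for /usr/adm on the IRIX hosts; removed on exit.
LOGDIR="$(mktemp -d)"
trap 'rm -rf "$LOGDIR"' EXIT

# Constructed SYSLOG.mail: two VRFY probes, one EXPN, one "wiz" command, normal traffic.
cat > "$LOGDIR/SYSLOG.mail" <<'EOF'
Nov 26 12:01:03 athena sendmail[1234]: MAA01234: from=<alice@arsc.edu>, size=812, class=0
Nov 26 12:02:11 athena sendmail[1301]: NOQUEUE: host.example.net: VRFY root
Nov 26 12:02:12 athena sendmail[1301]: NOQUEUE: host.example.net: VRFY postmaster
Nov 26 12:02:14 athena sendmail[1301]: NOQUEUE: host.example.net: EXPN staff
Nov 26 12:03:40 athena sendmail[1355]: "wiz" command from host.example.net (10.0.0.5)
Nov 26 12:04:02 athena sendmail[1360]: MAA01360: to=<bob@arsc.edu>, stat=Sent
EOF

# Constructed SYSLOG.auth: one tcp_wrappers refusal, one denied service, a burst
# of failed root logins from one host, one typo by a local user, one good login.
cat > "$LOGDIR/SYSLOG.auth" <<'EOF'
Nov 26 12:05:40 athena in.ftpd[2210]: refused connect from evil.example.org
Nov 26 12:05:41 athena tcpd[2211]: access denied: in.rshd from evil.example.org
Nov 26 12:06:02 athena login[2250]: LOGIN FAILURE ON ttyq1 FROM evil.example.org, root
Nov 26 12:06:05 athena login[2250]: LOGIN FAILURE ON ttyq1 FROM evil.example.org, root
Nov 26 12:06:09 athena login[2250]: REPEATED LOGIN FAILURES ON ttyq1 FROM evil.example.org, root
Nov 26 12:07:30 athena login[2290]: LOGIN FAILURE ON ttyq2 FROM lab.arsc.edu, mike
Nov 26 12:08:00 athena login[2300]: LOGIN ON ttyq2 BY mike FROM lab.arsc.edu
EOF

# scan_log PATTERN FILE: print the matching lines (grep -i, so FAILURE matches "fail").
scan_log() {
    grep -i -- "$1" "$2" || true
}

# count_hits PATTERN FILE: number of matching lines. grep -c exits 1 on zero
# matches but still prints 0, so "|| true" keeps this usable under set -e.
count_hits() {
    grep -i -c -- "$1" "$2" || true
}

# report LOGDIR: hit count for each pattern/file pair from the post, one per line.
# IFS is only "|" so the leading and trailing blanks of " command " survive read.
report() {
    dir="$1"
    while IFS='|' read -r pat file desc; do
        printf '%-10s %-12s %4s  %s\n' "$pat" "$file" \
            "$(count_hits "$pat" "$dir/$file")" "$desc"
    done <<'EOF'
VRFY|SYSLOG.mail|VRFY commands (user enumeration)
EXPN|SYSLOG.mail|EXPN commands (alias expansion)
 command |SYSLOG.mail|debug/wiz commands
deni|SYSLOG.auth|denied network commands
fail|SYSLOG.auth|failed login attempts
EOF
}

# brute_force_sources FILE THRESHOLD: hosts with at least THRESHOLD failed logins.
# Assumes the constructed "... FROM host, user" layout of the login lines above.
brute_force_sources() {
    grep -i fail "$1" \
        | sed -n 's/.*FROM \([^,]*\),.*/\1/p' \
        | sort | uniq -c \
        | awk -v t="$2" '$1 >= t { print $2 }'
}

report "$LOGDIR"
echo "--- VRFY lines:"
scan_log VRFY "$LOGDIR/SYSLOG.mail"
echo "--- hosts with 3 or more failed logins:"
brute_force_sources "$LOGDIR/SYSLOG.auth" 3
```

On this sample the "deni" pattern catches the "access denied" line but not the tcp_wrappers "refused connect from" line, which is the kind of gap a preset pattern list needs to be checked against your own daemons' wording; "refus" would be a natural addition to the list. The per-host count is what turns the "fail" hits into a brute-force signal: a single failure from lab.arsc.edu stays below the threshold while the three from evil.example.org do not.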