[786] in Intrusion Detection Systems
Re: searching logs for key phrases
daemon@ATHENA.MIT.EDU (Tracy R. Reed)
Sun Dec 1 20:40:47 1996
Date: Wed, 27 Nov 1996 15:37:41 -0800 (PST)
From: "Tracy R. Reed" <treed@straylight.ultraviolet.org>
To: ids@uow.edu.au
In-Reply-To: <199611270737.SAA21286@wyrm.its.uow.edu.au>
On Tue, 26 Nov 1996, Mike Kienenberger wrote:
> What key phrases do people scan log files for?
logcheck searches for these keywords as signs of hacking:
"wiz"
"WIZ"
"debug"
"DEBUG"
ATTACK
nested
VRFY bbs
VRFY decode
VRFY uudecode
VRFY lp
VRFY demo
VRFY guest
and these keywords as signs of general suspicious activity or
misconfigurations:
deny
deny host
su:
su root
ROOT LOGIN
alias database
LOGIN FAILURE
LOGIN REFUSED
shutdown
wiz
WIZ
debug
DEBUG
smrsh
failed
denied
vrfy
VRFY
expn
EXPN
reject
admin
rshd
FAILURE
REFUSED
BAD
permitted
PERMITTED
rexec
illegal
ILLEGAL
courtney
ATTACK
natas
SATAN
setsender
securityalert
nested
sucked
-ERR Password
!=
SITE EXEC
RETR group
RETR passwd
RETR pwd.db
CWD etc
----------
Tracy Reed
http://www.ultraviolet.org
http://www.linux.org - Escape the Gates of Hell
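As an added example, not code from this post or from logcheck itself: a small two-tier scanner that applies the keyword lists above to a few constructed syslog lines, using plain case-sensitive substring matching (which is why the lists carry both "wiz" and "WIZ"); the sample log lines and the tier names are assumptions.

```python
# Added example, not part of the original post or of logcheck.
# Keyword lists are copied from the post; log lines below are constructed.

# Tier 1: patterns the post lists as signs of hacking (checked first).
HACKING = [
    "wiz", "WIZ", "debug", "DEBUG", "ATTACK", "nested",
    "VRFY bbs", "VRFY decode", "VRFY uudecode", "VRFY lp",
    "VRFY demo", "VRFY guest",
]

# Tier 2: general suspicious activity or misconfiguration.
SUSPICIOUS = [
    "deny", "deny host", "su:", "su root", "ROOT LOGIN", "alias database",
    "LOGIN FAILURE", "LOGIN REFUSED", "shutdown", "smrsh", "failed", "denied",
    "vrfy", "VRFY", "expn", "EXPN", "reject", "admin", "rshd", "FAILURE",
    "REFUSED", "BAD", "permitted", "PERMITTED", "rexec", "illegal", "ILLEGAL",
    "courtney", "natas", "SATAN", "setsender", "securityalert", "sucked",
    "-ERR Password", "!=", "SITE EXEC", "RETR group", "RETR passwd",
    "RETR pwd.db", "CWD etc",
]

def classify(line):
    """Return 'hacking', 'suspicious' or None for one log line.
    Matching is a case-sensitive substring test, as with grep -f."""
    if any(k in line for k in HACKING):
        return "hacking"
    if any(k in line for k in SUSPICIOUS):
        return "suspicious"
    return None

def scan(lines):
    """Group log lines by tier; lines matching nothing are dropped."""
    report = {"hacking": [], "suspicious": []}
    for line in lines:
        tier = classify(line)
        if tier:
            report[tier].append(line)
    return report

# Constructed sample syslog lines (not real data).
SAMPLE_LOG = [
    'Nov 27 15:01:02 mail sendmail[212]: "wiz" command from host.example [192.0.2.5]',
    "Nov 27 15:02:10 mail sendmail[214]: host.example: VRFY decode",
    "Nov 27 15:03:33 host su: BAD SU alice to root on /dev/ttyp1",
    "Nov 27 15:04:40 host ftpd[301]: RETR passwd",
    "Nov 27 15:05:00 host cron[12]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for tier, hits in scan(SAMPLE_LOG).items():
        print(tier, len(hits))
```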