[789] in Intrusion Detection Systems
Re: searching logs for key phrases
daemon@ATHENA.MIT.EDU (Troy)
Sun Dec 1 20:58:45 1996
Date: Thu, 28 Nov 1996 04:25:34 -0500
From: infoline@hutton.net (Troy)
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
Mike Kienenberger wrote:
>
> What key phrases do people scan log files for?
>
> At our site, we log everything we can to a central "more secure" logging
> server. We divide our logging up into three files: SYSLOG.mail for all mail,
> SYSLOG.auth for authentication, and SYSLOG for everything else.
>
> On our IRIX 5.3 systems, I've found that searching for the following is helpful:
>
> VRFY /usr/adm/*SYSLOG.mail check mail logs for VRFY commands
> EXPN /usr/adm/*SYSLOG.mail check mail logs for EXPN commands
> " command " /usr/adm/*SYSLOG.mail check mail logs for debug/wiz commands
>
> deni /usr/adm/*SYSLOG.auth check for denied net cmds in SYSLOG
> fail /usr/adm/*SYSLOG.auth check for failed login attempts (passwords at
> the login prompt; brute force attacks, etc)
>
> Does anyone have other things you look for on a regular basis?
>
> I'm eventually hoping that we'll start using one of the log filter packages
> out there on
> the net. Anyone compared the various log filtering packages out there? Do any of
> the packages come with preset standard patterns to search for?
>
> Thanks!
> ---
> Mike Kienenberger Arctic Region Supercomputing Center
> Systems Analyst (907) 474-6842
> mkienenb@arsc.edu http://www.arsc.edu
YES, I would also watch the sulog for superuser attempts and failures
since this is a rather high priority access level as well.
--
Troy Billington
SysOp: InfoLine BBS systems
(305) 598-2679 Miami, Fl
"http://www.hutton.net/infoline"
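The searches discussed in this thread, worked through as an added example that is not part of either poster's message: a small POSIX sh script that greps the mail-log phrases (VRFY, EXPN, " command "), the auth-log phrases (deni, fail) and failed su attempts in sulog. All log lines below are constructed samples written in a syslog-like layout (sulog in the common SysV "SU date time +/- tty user-target" form); the file names follow the /usr/adm paths mentioned in the thread but live in a temporary directory.

```shell
#!/bin/sh
# Added example: count the key phrases from the thread in constructed logs.
# Nothing here is real log data; the samples exist only to exercise the greps.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed SYSLOG.mail: two probes, one normal delivery, one debug/wiz attempt
cat > "$WORK/SYSLOG.mail" <<'EOF'
Nov 28 03:10:02 mailhost sendmail[212]: NOQUEUE: host.example.net: VRFY root
Nov 28 03:10:05 mailhost sendmail[212]: NOQUEUE: host.example.net: EXPN staff
Nov 28 03:11:40 mailhost sendmail[214]: QAA00214: from=<alice@example.com>, size=412
Nov 28 03:12:01 mailhost sendmail[215]: NOQUEUE: host.example.net: "wiz" command rejected
EOF

# --- constructed SYSLOG.auth: one failed login, one denied net command, one clean login
cat > "$WORK/SYSLOG.auth" <<'EOF'
Nov 28 04:01:11 gw login[301]: failed login from 10.0.0.5, user guest
Nov 28 04:01:12 gw rshd[302]: denied connection from 10.0.0.5
Nov 28 04:02:00 gw login[303]: ROOT LOGIN ON console
EOF

# --- constructed sulog: "+" marks a successful su, "-" a failed one
cat > "$WORK/sulog" <<'EOF'
SU 11/28 04:05 + ttyq1 alice-root
SU 11/28 04:06 - ttyq2 guest-root
SU 11/28 04:06 - ttyq2 guest-root
EOF

# count_matches PHRASE FILE
# Case-insensitive fixed-string count, so "fail" also catches "failed" and
# " command " is matched literally with its surrounding spaces.
# grep -c prints 0 (and exits 1) on no match; "|| true" keeps the 0.
count_matches() {
    grep -ciF -- "$1" "$2" || true
}

# count_failed_su FILE
# Failed su attempts carry a "-" status field after the date and time.
count_failed_su() {
    grep -cE -- '^SU [^ ]+ [^ ]+ - ' "$1" || true
}

# scan_report: the whole checklist from the thread, one line per phrase
scan_report() {
    for phrase in VRFY EXPN " command "; do
        printf 'mail   %-10s %s\n' "\"$phrase\"" "$(count_matches "$phrase" "$WORK/SYSLOG.mail")"
    done
    for phrase in deni fail; do
        printf 'auth   %-10s %s\n' "$phrase" "$(count_matches "$phrase" "$WORK/SYSLOG.auth")"
    done
    printf 'sulog  %-10s %s\n' "failed-su" "$(count_failed_su "$WORK/sulog")"
}

scan_report
```

Run it with `sh scan.sh`; each phrase reports one hit except the two failed su lines. In practice you would point the paths at the real /usr/adm files (or the central logging host's copies) and schedule the script from cron so that a non-zero count on the probe phrases gets mailed to the operator.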