[794] in Intrusion Detection Systems
Re: searching logs for key phrases
daemon@ATHENA.MIT.EDU (Boyd Johnson)
Thu Dec 5 02:01:22 1996
From: Boyd Johnson <boydj@brooktree.com>
To: Guido.vanRooij@nl.cis.philips.com (Guido van Rooij)
Date: Mon, 2 Dec 1996 11:22:44 -0800 (PST)
Cc: ids@uow.edu.au
In-Reply-To: <199611271302.OAA21450@spooky.lss.cp.philips.com> from "Guido van Rooij" at Nov 27, 96 02:02:14 pm
Reply-To: ids@uow.edu.au
"Previously Guido van Rooij said:"
>
> Mike Kienenberger wrote:
> >
> > VRFY /usr/adm/*SYSLOG.mail check mail logs for VRFY commands
> > EXPN /usr/adm/*SYSLOG.mail check mail logs for EXPN commands
> > " command " /usr/adm/*SYSLOG.mail check mail logs for debug/wiz commands
> >
> > deni /usr/adm/*SYSLOG.auth check for denied net cmds in SYSLOG
> > fail /usr/adm/*SYSLOG.auth check for failed login
> > attempts (passwords at the login prompt; brute force attacks, etc)
> >
> > Does anyone have other things you look for on a regular basis?
>
> It is in general a bad idea to scan for interesting things. What should
> be done instead is filter out the non-interesting ones.
>
> -Guido
That is excellent advice, but there is a basic flaw in it. If a line
containing a disguised non-interesting keyword (in a From address, etc.)
is filtered out even though it has a red-flag keyword in it, you will never
see the line. I don't have a solution other than using both methods
together.
Boyd
--
=Boyd Johnson boydj@brooktree.com Rockwell Corp, Brooktree Div, San Diego, Ca.=
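One way to put Boyd's "both methods together" into a filter, as an added shell example that is not from the thread: red-flag lines are kept unconditionally and the noise filter is applied only to what remains, so a routine keyword can no longer hide a red-flag line. The sample syslog lines, the red-flag list (taken from the patterns Mike posted) and the noise patterns are all constructed here.

```shell
#!/bin/sh
# Constructed sample syslog lines (not from the original post). The third line
# contains both a "noise" token (a routine cron entry) and a red-flag token
# ("failed"), which is exactly the case Boyd describes.
SAMPLE_LOG='Dec  2 10:01:02 host sendmail[101]: NOQUEUE: remote.example.com: VRFY root
Dec  2 10:02:11 host CRON[202]: (root) CMD (run-parts /etc/cron.hourly)
Dec  2 10:03:45 host CRON[203]: login failed for user backup from 10.0.0.9
Dec  2 10:04:00 host sshd[304]: Accepted password for alice from 10.0.0.5
Dec  2 10:05:17 host named[405]: zone transfer of example.com refused'

RED_FLAGS='VRFY|EXPN|fail|deni'      # the keywords from the thread
NOISE='CRON|Accepted password'       # assumed routine, not-interesting patterns

# Guido's approach alone: drop noise first. The CRON line carrying "failed"
# is removed along with the harmless cron entries and is never seen.
filter_noise_only() {
    printf '%s\n' "$SAMPLE_LOG" | grep -v -E "$NOISE"
}

# Both methods together, in log order: a red-flag match is printed before the
# noise filter is consulted, noise is dropped, anything unknown is shown.
filter_combined() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v flags="$RED_FLAGS" -v noise="$NOISE" '
        tolower($0) ~ tolower(flags) { print; next }   # red flag: keep unconditionally
        $0 ~ noise                    { next }          # known noise: drop
        { print }                                       # unknown: leave for review
    '
}
```

Running `filter_combined` prints the VRFY line, the hidden failed login and the unclassified named line; `filter_noise_only` prints only the first and last of those.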