[795] in Intrusion Detection Systems
Re: searching logs for key phrases
daemon@ATHENA.MIT.EDU (Kingsford, Bryan)
Thu Dec 5 02:05:08 1996
Date: Wed, 04 Dec 96 14:33:00 MDT
From: "Kingsford, Bryan" <brykin@CCGATE-UT.AXENT.COM>
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
Scanning for specific patterns and filtering out noise to find new
attack patterns should both be used together.
Once an attack signature is identified, it is useful to create a rule
that will identify such an attack in the future and deal with it
appropriately.
For attacks you haven't seen before it is critical to filter out
normal activity to detect the attack.
Bryan Kingsford
Omniguard/Intruder Alert Project Manager
AXENT Technologies, Inc.
brykin@axent.com
______________________________ Forward Header __________________________________
Subject: Re: searching logs for key phrases
Author: Guido van Rooij <Guido.vanRooij@nl.cis.philips.com> at ccgate-ut
Date: 12/1/96 8:03 PM
Mike Kienenberger wrote:
>
> VRFY        /usr/adm/*SYSLOG.mail   check mail logs for VRFY commands
> EXPN        /usr/adm/*SYSLOG.mail   check mail logs for EXPN commands
> " command " /usr/adm/*SYSLOG.mail   check mail logs for debug/wiz commands
>
> deni        /usr/adm/*SYSLOG.auth   check for denied net cmds in SYSLOG
> fail        /usr/adm/*SYSLOG.auth   check for failed login attempts (passwords at
>                                     the login prompt; brute force attacks, etc)
>
> Does anyone have other things you look for on a regular basis?
It is in general a bad idea to scan for interesting things. What should
be done instead is filter out the non-interesting ones.
-Guido
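The two approaches in this thread, Mike's signature scan of the mail and auth logs and Guido's "filter out the routine lines and look at what is left", can be combined the way Bryan suggests. The Python script below is an added illustration, not code from any of the posters: it runs a set of signature rules (VRFY, EXPN, the debug/wiz "command" line, "deni", "fail") over sample log lines, separately strips lines that match known-normal noise patterns, and reports as "residue" whatever is neither a signature hit nor noise. The log lines, the noise patterns and the rule names are constructed for the example; the `/usr/adm/*SYSLOG.*` paths from the thread are not read, the sample lines stand in for them.

```python
import re

# Constructed sample log lines in a syslog/sendmail style (not from the thread).
MAIL_LOG = [
    "Dec  4 14:01:02 mailhost sendmail[1201]: NOQUEUE: host.example.net: VRFY root",
    "Dec  4 14:01:03 mailhost sendmail[1201]: NOQUEUE: host.example.net: EXPN staff",
    'Dec  4 14:01:05 mailhost sendmail[1201]: NOQUEUE: "debug" command from host.example.net',
    "Dec  4 14:02:10 mailhost sendmail[1210]: OAA01210: from=<alice@example.org>, size=512, class=0",
    "Dec  4 14:02:11 mailhost sendmail[1211]: OAA01210: to=<bob@example.org>, stat=Sent",
    "Dec  4 14:05:00 mailhost sendmail[1220]: NOQUEUE: host.example.net: HELP",
]
AUTH_LOG = [
    "Dec  4 14:00:00 host login: LOGIN ON tty1 BY alice",
    "Dec  4 14:03:00 host login: 3 LOGIN FAILURES ON tty2, root",
    "Dec  4 14:03:05 host in.telnetd[301]: connection denied from 192.0.2.9",
    "Dec  4 14:04:00 host su: alice to root on /dev/ttyp0",
]

# Signature rules: the "scan for known things" side. Rule names are made up
# for this example; the patterns follow the key phrases given in the thread.
SIGNATURES = {
    "mail": [
        ("smtp-vrfy", re.compile(r"\bVRFY\b")),
        ("smtp-expn", re.compile(r"\bEXPN\b")),
        ("smtp-debug-wiz", re.compile(r'"(debug|wiz)" command')),
    ],
    "auth": [
        ("denied-net-cmd", re.compile(r"deni", re.IGNORECASE)),
        ("failed-login", re.compile(r"fail", re.IGNORECASE)),
    ],
}

# Noise filters: the "throw away the uninteresting lines" side. In practice
# these are grown over time from lines an analyst has already judged routine.
NOISE = {
    "mail": [re.compile(r": from=<"), re.compile(r": to=<")],
    "auth": [re.compile(r" login: LOGIN ON tty\d+ BY \w+$")],
}


def match_signatures(source, lines):
    """Return (rule name, line) pairs for every line hit by a known signature."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES[source]:
            if pattern.search(line):
                hits.append((name, line))
    return hits


def filter_noise(source, lines):
    """Drop every line that matches a known-normal pattern for this log source."""
    return [line for line in lines if not any(p.search(line) for p in NOISE[source])]


def review(source, lines):
    """Combine both views: signature hits, plus unexplained residue for a human."""
    hits = match_signatures(source, lines)
    explained = {line for _, line in hits}
    # Residue is what survives the noise filter and is not already a known hit:
    # this is where a new attack pattern, if any, will show up.
    residue = [line for line in filter_noise(source, lines) if line not in explained]
    return {"hits": hits, "residue": residue}


if __name__ == "__main__":
    for source, lines in (("mail", MAIL_LOG), ("auth", AUTH_LOG)):
        report = review(source, lines)
        print(f"== {source} ==")
        for name, line in report["hits"]:
            print(f"  HIT  [{name}] {line}")
        for line in report["residue"]:
            print(f"  NEW? {line}")
```

Running it flags the VRFY, EXPN and debug lines and the failed/denied auth lines as known hits, and leaves the SMTP HELP line and the su-to-root line as residue for review; as those get classified, they move into either the signature list or the noise list, so the residue stays small.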