[886] in Intrusion Detection Systems
RE: searching logs for key phrases
daemon@ATHENA.MIT.EDU (Friend)
Tue Feb 25 11:16:54 1997
Date: Fri, 21 Feb 1997 11:51:26 +0300 (MSK)
To: "'ids@uow.edu.au'" <ids@uow.edu.au>
From: Friend <friend@vspu.ac.ru>
Reply-To: ids@uow.edu.au
>----------
>From: Guido van Rooij[SMTP:Guido.vanRooij@nl.cis.philips.com]
>Sent: Wednesday 27 November 1996 14:02
>To: ids@uow.edu.au
>Subject: Re: searching logs for key phrases
>>Mike Kienenberger wrote:
>>>
>>>VRFY /usr/adm/*SYSLOG.mail check mail logs for VRFY commands
>>>EXPN /usr/adm/*SYSLOG.mail check mail logs for EXPN commands
>>>" command " /usr/adm/*SYSLOG.mail check mail logs for debug/wiz
>>>commands
>>>
>>>deni /usr/adm/*SYSLOG.auth check for denied net cmds in SYSLOG
>>>fail /usr/adm/*SYSLOG.auth check for failed login attempts (passwords
>>> at the login prompt; brute force attacks, etc)
>>>
>>> Does anyone have other things you look for on a regular basis?
>>
>>It is in general a bad idea to scan for interesting things. What should
>>be done instead is filter out the non-interesting ones.
>>
>>-Guido
It depends.... Sometimes you'd like to keep all the logging (e.g., think
of firewalls), so it's easier to filter out interesting ones. What I've
done on my machine (which acts like a firewall and log host for several
other machines... please do not start the discussion that it's a bad
idea mixing the log host and firewall on one machine :-) is generating
new log files nightly (crontab entry) and saving the old ones.
I made a script using awk to find events in the syslog file that might
be interesting. The logic of the script is something like:
For each of the machines
    find the entries in the syslog file that are generated by the machine
    extract interesting events
        collect filter rejection messages (as I said, it's also a firewall)
        ignore standard events
        extract what's left
If anything interesting was found, e-mail me otherwise send confirmation
that script was run.
In /etc/syslog.conf I added the line "*.debug /var/log/debug". Some
events will generate an entry if they happen often enough (such as filter
rejects...).
Arjan Vos
KPMG EDP Auditors