Thread: Few questions on log analysis

Few questions on log analysis
user name
2006-09-15 11:49:33
Hi all,

I'm currently writing my degree dissertation on logfile analysis. I was glad to find this list discussing this issue by professionals. Unfortunately I wasn't able to find much useful information about logfile analysis itself, neither on the internet nor in books or scientific papers. The books I found (e.g. Babbin et al: Security Log Management) weren't very useful. Thus I'm contacting you to get some answers:

Do you know any book, paper, link etc. where attack signatures in log files are described?
Do you know any resource where log-entries are described and/or classified?
Which books, papers etc. can you recommend about logfile analysis?

Thanks in advance,
Kai
_______________________________________________
LogAnalysis mailing list
LogAnalysis@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/loganalysis
Few questions on log analysis
user name
2006-09-16 08:46:26
Kai,

Well, welcome. I would say to start off I would start looking at splunk and splunkbase. This might help you get started on some issues. But as you have seen there isn't really all too much written out there that makes a lot of sense. I guess most people are still trying to figure some fundamental stuff out. Questions like:

- What am I looking for? And how do I see stuff I am not looking for but know is interesting?
- Once I've got this, how do I make this process that is manual an automated one?
- Are the devices delivering the logs really auditing enough, and where do I put all the data?

It goes on and on. I have worked on quite a few Security Event Monitoring projects and have found that each question is answered differently per client.

So google up splunk and splunkbase and take it from there.

Bytesman
--
bytesman
visualize any IP traffic on Google Earth with Log2Googleearth.
http://www.bytesman.com
Few questions on log analysis
user name
2006-09-15 19:15:40
Hello Kai and all,

> Do you know any resource where log-entries are described and/or
> classified?

There is really nothing of exactly that type of resource. Just look thru the list archives; some pointers off the top of my head:

1. http://www.loganalysis.org
2. http://www.ossec.net/wiki/index.php/Log_Samples
3. SANS reading room
4. Tina Bird Syslog Attack Signatures (google for it; I saw it somewhere)

> scientific papers. The books I found (e.g. Babbin et al: Security Log
> Management) weren't very useful. Thus I'm contacting you to get some

Yeah, this book is genuinely bad; one of the few books on security that I found truly useless for just about any purpose, apart from removing some "extraneous" trees from the surface of the planet.

Best,
-- 
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.securitywarrior.com
Few questions on log analysis
user name
2006-09-24 14:49:06
Hi Kai,

--- Kai Michael Hoever <kaikai4all.de> wrote:

> Hi all,
> 
> I'm currently writing my degree dissertation on logfile analysis. I was
> glad to find this list discussing this issue by professionals.
> Unfortunately I wasn't able to find much useful information about logfile
> analysis itself, neither on the internet nor in books or scientific
> papers. The books I found (e.g. Babbin et al: Security Log Management)
> weren't very useful. Thus I'm contacting you to get some answers:
> Do you know any book, paper, link etc. where attack signatures in log
> files are described?

On the ossec web site we have some examples of attack signatures found in log files. It is not very complete, but we have examples of successful and failed attempts for multiple applications (ftpd, sshd, etc.), examples of web attacks, traces of vulnerability scans, etc.

http://www.ossec.net/wiki/index.php/Log_Samples

You can also look at the ossec signatures for examples of patterns and how we classify them (in categories and by severity):

http://www.ossec.net/rules/

> Do you know any resource where log-entries are described and/or
> classified?
> Which books, papers etc. can you recommend about logfile analysis?

I wrote some time ago a paper about "log analysis for intrusion detection"* that can help:

http://www.ossec.net/en/loganalysis.html

* Note that I am updating it with more ideas, including mail log analysis, ids+firewall logs correlation, etc.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
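Added example, not code from the OSSEC project or from anyone in this thread: a small Python classifier in the spirit of the sshd/ftpd successful-and-failed-attempt samples and the category/severity classification Daniel describes, run over constructed syslog lines. The signature table, the 0-15 severity numbers and the failed-login threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real data) in the style of the sshd and
# ftpd successful/failed attempts the OSSEC log samples page collects.
SAMPLE_LOG = """\
Sep 15 11:49:01 host sshd[2131]: Failed password for invalid user admin from 192.0.2.10 port 4021 ssh2
Sep 15 11:49:03 host sshd[2133]: Failed password for root from 192.0.2.10 port 4022 ssh2
Sep 15 11:49:05 host sshd[2135]: Failed password for root from 192.0.2.10 port 4023 ssh2
Sep 15 11:49:09 host sshd[2137]: Accepted password for kai from 198.51.100.7 port 5100 ssh2
Sep 15 11:50:12 host pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [anonymous]
Sep 15 11:51:00 host cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Hypothetical signature table: (regex, category, severity, description). The
# categories and 0-15 severity scale imitate OSSEC-style classification; assumed.
SIGNATURES = [
    (re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)"),
     "authentication_failed", 5, "sshd: failed password"),
    (re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+)"),
     "authentication_success", 3, "sshd: successful login"),
    (re.compile(r"pure-ftpd: \(\S*@(\S+)\) \[WARNING\] Authentication failed"),
     "authentication_failed", 5, "ftpd: failed login"),
]

def classify(line):
    """Return (category, severity, description, source_ip) for the first
    signature that matches, or None when the line matches no signature."""
    for pattern, category, severity, description in SIGNATURES:
        m = pattern.search(line)
        if m:
            return category, severity, description, m.group(1)
    return None

def analyze(log_text, threshold=3):
    """Classify every line and emit one extra higher-severity composite event
    once a source reaches `threshold` failed logins (a frequency-based rule)."""
    events, failures = [], Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        category, severity, description, src = hit
        events.append((category, severity, description, src))
        if category == "authentication_failed":
            failures[src] += 1
            if failures[src] == threshold:
                events.append(("brute_force", 10, "repeated failed logins", src))
    return events
```

Running `analyze(SAMPLE_LOG)` yields four low-severity failed-login events, one successful login, and a single severity-10 composite event for 192.0.2.10 once its third failure is seen; the cron line is ignored.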