[logs] open source artificial ignorance-like systems
Kerry Thompson
kerry at crypt.gen.nz
Tue Apr 17 14:12:08 PDT 2007
Chris Buechler said:
> Likely everyone here has read MJR's artificial ignorance guide, but just
> in case you haven't:
> http://www.ranum.com/security/computer_security/papers/ai/index.html
>
> What I've spent a lot of time looking for, with no success, is an open
> source system that will implement something similar but smarter than a
> simple grep from cron. What I ideally want is something that reads logs
> in real time, and has a list of "rules", if you will, which would be a
> list of regex's with an action for each. Like always ignore xyz.*,
> ignore abcd.* unless it happens more than X times in Y time frame
> (minutes, hours), etc. and a default alert rule for anything that
> doesn't match any of the previous rules, since it's something I'm not
> expecting.
>
[snip]
Logsurfer does pretty much what you describe.
http://www.crypt.gen.nz/logsurfer
(disclaimer - I'm a Logsurfer developer)
Kerry
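The rule set Chris describes (ignore known-benign lines, alert on a pattern only once it exceeds X hits in Y seconds, and alert by default on anything no rule claims) can be sketched in a few dozen lines. This is an added illustration, not Logsurfer's code or rule syntax; the rules, log lines, and the 3-in-60-seconds threshold are constructed for the example.

```python
import re
from collections import deque

# Constructed rules in the spirit of the post (not Logsurfer syntax).
# "ignore": drop the line. "threshold": drop unless more than `count`
# matches arrive within `window` seconds. Anything unmatched is alerted.
RULES = [
    {"re": re.compile(r"cron\[\d+\]: \(root\) CMD"), "action": "ignore"},
    {"re": re.compile(r"sshd\[\d+\]: Failed password"), "action": "threshold",
     "count": 3, "window": 60},
]

class ArtificialIgnoranceFilter:
    """Route log lines: ignore the known-benign, alert on bursts above a
    threshold, and alert on anything no rule matches (default alert rule)."""

    def __init__(self, rules):
        self.rules = rules
        # One sliding window of recent match timestamps per rule.
        self.history = [deque() for _ in rules]

    def process(self, ts, line):
        """Return an alert string for (ts, line), or None if it is ignored."""
        for i, rule in enumerate(self.rules):
            if not rule["re"].search(line):
                continue
            if rule["action"] == "ignore":
                return None
            hist = self.history[i]
            hist.append(ts)
            while hist and ts - hist[0] > rule["window"]:  # expire old hits
                hist.popleft()
            if len(hist) > rule["count"]:
                return f"THRESHOLD ({len(hist)} in {rule['window']}s): {line}"
            return None
        return f"UNEXPECTED: {line}"

SAMPLE_LOG = [  # constructed (unix seconds, syslog-style line)
    (0, "cron[111]: (root) CMD (/usr/bin/logrotate)"),
    (1, "sshd[200]: Failed password for root from 10.0.0.5"),
    (2, "sshd[201]: Failed password for root from 10.0.0.5"),
    (3, "sshd[202]: Failed password for root from 10.0.0.5"),
    (4, "sshd[203]: Failed password for root from 10.0.0.5"),
    (5, "kernel: eth0: link down"),
]

def run(log_lines, rules=RULES):
    """Feed lines through a fresh filter and collect the alerts raised."""
    f = ArtificialIgnoranceFilter(rules)
    return [a for a in (f.process(ts, l) for ts, l in log_lines) if a]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

Running it yields one threshold alert (on the fourth failed login inside the window) and one default alert for the unexpected kernel line; the cron line is silently dropped.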