[logs] open source artificial ignorance-like systems

Daniel Cid danielcid at yahoo.com.br
Wed Apr 18 08:51:24 PDT 2007


Hi Chris (and rest of the list),

Since no one recommended ossec so far, I will suggest
using it. Note that I am the leader of the ossec
project, so my opinion is just a little bit biased :)

Of all the open source tools mentioned, ossec has
the most flexible options for analysis and correlation.
You can match on atomic events (per log) or on
patterns across a large set of logs. It also has built-in
support for "never before seen" events (which we
call FTS), so you can alert on events that were never
seen before (like the first time it sees an IDS event, or
the first time a user logs in to a box, etc.).

Ossec also normalizes the events (using decoders), so
you can write generic rules based on srcips, dstips,
ports, etc. (or even, say, alert me when it sees
this log from the same source ip more than X times).
In addition to that, unlike most of the tools
mentioned, the ossec rules are in a tree structure, making
parsing very fast. It also has decoders and rules
for many log formats by default, which you don't get
anywhere else :)


List of rules:
http://www.ossec.net/rules/
http://www.ossec.net/wiki/index.php/Supported-Logs
http://www.ossec.net/en/faq.html#a1.7


Examples of some rules (all in XML):


-Alert on multiple http 40x errors (404, 403, etc)
from the same source ip (apache decoder extracts the
return code as "id" and rule 31100 restricts to only
web logs):

  <rule id="31101" level="5">
    <if_sid>31100</if_sid>
    <id>^4</id>
    <description>400 error code.</description>
  </rule>

  <rule id="31151" level="10" frequency="10" timeframe="120">
    <if_matched_sid>31101</if_matched_sid>
    <same_source_ip />
    <description>Multiple 400 error codes</description>
  </rule>



-Alert on logins outside business hours:

  <rule id="17101" level="9">
    <if_group>authentication_success</if_group>
    <time>6 pm - 8:30 am</time>
    <description>Successful login during non-business hours.</description>
  </rule>



If you are interested:

http://www.ossec.net


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


--- Chris Buechler <loganalysis at chrisbuechler.com>
wrote:

> Likely everyone here has read MJR's artificial
> ignorance guide, but just 
> in case you haven't:
>
http://www.ranum.com/security/computer_security/papers/ai/index.html
> 
> What I've spent a lot of time looking for, with no
> success, is an open 
> source system that will implement something similar
> but smarter than a 
> simple grep from cron. What I ideally want is
> something that reads logs 
> in real time, and has a list of "rules", if you
> will, which would be a 
> list of regexes with an action for each. Like always
> ignore xyz.*, 
> ignore abcd.* unless it happens more than X times in
> Y time frame 
> (minutes, hours), etc. and a default alert rule for
> anything that 
> doesn't match any of the previous rules, since it's
> something I'm not 
> expecting.
> 
> Seems pretty simple, but a lot of searching and
> browsing loganalysis.org 
> and similar sites has left me with nothing. I could
> hack together 
> something with standard Unix tools that would meet
> most of these 
> requirements. But I figure as simple and useful as
> this is, somebody has 
> probably already put together an open source package
> that does what I 
> describe, I just can't find it.
> 
> Any suggestions would be appreciated. OS, if it
> matters, could be either 
> FreeBSD or Linux.
> 
> Cheers,
> Chris
> 
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis at loganalysis.org
>
http://www.loganalysis.org/mailman/listinfo/loganalysis
> 




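To make the mechanics of the rules Daniel posted concrete (decoder extracts fields, an atomic rule matches on one field, a composite rule counts atomic matches per source ip within a timeframe, FTS fires on a never-before-seen value, and a time window wraps past midnight), here is an added, self-contained Python sketch. It is not OSSEC code and is not part of this thread; the log format, the Apache regex, the counter-reset behaviour and the reuse of rule numbers 31101/31151 are assumptions made for illustration, and the sample log lines are constructed.

```python
"""Toy OSSEC-style pipeline: decoder -> atomic rule -> composite rule.

Added illustration, not OSSEC code. Rule ids 31101/31151 are borrowed
from the mailing-list post for readability only; the exact way OSSEC
counts "frequency" and resets state is not reproduced here (assumption).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, time, timedelta, timezone

# Assumed Apache common/combined log layout: srcip ident user [ts] "req" status
APACHE_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<id>\d{3}) '
)


def decode_apache(line):
    """Decoder: return a normalized event (srcip, id, ts) or None if not Apache."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"srcip": m.group("srcip"), "id": m.group("id"), "ts": ts}


def in_time_window(hhmm, start=time(18, 0), end=time(8, 30)):
    """Equivalent of <time>6 pm - 8:30 am</time>: inclusive, wraps past midnight."""
    h, m = (int(x) for x in hhmm.split(":"))
    t = time(h, m)
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


class Correlator:
    """Keeps per-srcip state for rule 31151 and the FTS (first-time-seen) set."""

    def __init__(self, frequency=10, timeframe=120):
        self.frequency = frequency
        self.timeframe = timedelta(seconds=timeframe)
        self.hits = defaultdict(deque)   # srcip -> timestamps of 31101 matches
        self.seen_srcips = set()         # FTS state

    def process(self, line):
        ev = decode_apache(line)
        if ev is None:                   # no decoder matched: nothing to rule on
            return []
        alerts = []
        if ev["srcip"] not in self.seen_srcips:          # FTS: new source ip
            self.seen_srcips.add(ev["srcip"])
            alerts.append(("FTS", ev["srcip"]))
        if re.match(r"^4", ev["id"]):                    # rule 31101: <id>^4</id>
            alerts.append((31101, ev["srcip"]))
            q = self.hits[ev["srcip"]]                   # <same_source_ip />
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > self.timeframe:  # drop hits outside window
                q.popleft()
            if len(q) >= self.frequency:                 # rule 31151 fires
                alerts.append((31151, ev["srcip"]))
                q.clear()                                # assumed reset after firing
        return alerts


def make_log(srcip, status, when):
    """Constructed access-log line in the assumed format."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{srcip} - - [{stamp}] "GET /admin HTTP/1.1" {status} 512'


def sample_burst(srcip, status, count, gap_seconds):
    """Constructed burst: `count` requests from srcip, gap_seconds apart."""
    start = datetime(2007, 4, 18, 3, 0, 0, tzinfo=timezone.utc)
    return [make_log(srcip, status, start + timedelta(seconds=gap_seconds * i))
            for i in range(count)]


def run(lines, frequency=10, timeframe=120):
    """Feed lines through one Correlator and return all alerts in order."""
    c = Correlator(frequency, timeframe)
    out = []
    for line in lines:
        out.extend(c.process(line))
    return out


if __name__ == "__main__":
    for a in run(sample_burst("10.0.0.5", 404, 10, 10)):
        print(a)
```

Ten 404s from one ip ten seconds apart produce one FTS alert, ten 31101 alerts and a single 31151 at the tenth; the same ten spaced 200 seconds apart never reach the frequency because each earlier hit has already aged out of the 120-second window, which is the distinction between "ignore abcd.*" and "unless it happens more than X times in Y" that Chris asked for.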

