Home page logo
/

basics logo Security Basics mailing list archives

Re: No Budget Static Log Analysis
From: Champ Clark III <cclark () quadrantsec com>
Date: Wed, 25 Jul 2012 19:24:53 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 7/25/12 3:34 PM, Stephen Mullins wrote:
List,

I am involved in a project that performs analysis of a static set
of logs provided in ASCII/plain text format looking for signs of 
malicious activity using lists of known "indicators" (IP
addresses, domain names, user agent strings, etc.).  The logs can
be from any number of devices (firewalls, web proxies, DNS servers,
etc.) and can be formatted/delimited in whatever format is native
to the device that generated the logs.  The smallest set of data
received thus far was 200 gigabytes and the largest 2.3 terabytes.


Check out "Sagan" (http://sagan.quadrantsec.com).  It's a "Snort like"
log analysis engine that's fast,  easy to create rules for and does
correlation with your Snort IDS/IPS (if you use any).  It can work
with any security console (Snorby, Sguil, etc).  Oh yeah,  it's also
GPLv2.

I recent gave a talk about Sagan at HOPE9.  That video can be found at:

http://www.youtube.com/watch?v=pMlAmteCjQo

Hope this helps.

- -- 
- - Champ Clark III (cclark () quadrantsec com)
  Quadrant Information Security (http://quadrantsec.com)
  Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
  GPG Key ID: 0381878A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJQEIBFAAoJENnmXt7Lmc3KH3cH/00/CfSsYhMv+KkwoL/8wUgc
/SgH0ompcrJE44v7DbW7pxQJwWRtBrb5mZLYO7X2oHM0dWDXvOoJmphf4plz4YCP
YAYY9ay8NaRrkSLiNpwyxr8S6bZ2S8gJtfXC6EWKJkPDsfVeqF99rW5VIIYGTC+g
uiXz4OjOfQmeFk54pgbv5I6I//3n16JZTHAm8JbVKZkwdmXjb77AFJUKI9oqvIaq
0SZrZskVQn2abmOJciWSbzgeuh4UnEyOoT57iQL2jQDouD+sCtLGPJ5JeO19da/d
kgb8FxFwLtlyTAJ1oYGc2HyoZTezYMhDgB4bwGyZ1RWHroiiIIPzTYLxkjACnWI=
=KkdY
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]