WebApp Sec mailing list archives

Re: Securityfocus article: Forensic Log Parsing with Microsoft's LogParser


From: <oded () catholic org>
Date: Tue, 29 Jul 2003 07:55:10 -0000 (GMT)

Very nice article indeed. Salutes to Mark.

I'd like to address just one more issue Mark seemed to have skipped -
Attacks originating from a dial-up user.

The thing is that dial-up attackers will most likely change their IP from
time to time, especially if their attempts last more than a couple of
hours.

In this case, upon finding a suspicious IP, you might want to go to
www.iana.org or www.ripe.net, and look up the suspicious IP. This will get
you the ISP of the attacker, and its allocated IP range.
You can then modify the queries to group by the source IPs netmasked by
the ISP range, or select only the IPs of the ISP and find suspicious
activity from other IPs belonging to that ISP.

I apologize for not specifying the exact queries as Mark did. This is due
to the fact that I don't have the logs or tools in front of me. Sorry...


Well, those were my 2 cents,
Ta.

This may be of interest to this list.

http://securityfocus.com/infocus/1712


Robert Auger
SPI Labs



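The grouping the poster describes, as an added example that is not part of the original thread or of the SecurityFocus article: rather than counting hits per single client IP, the log entries are grouped by the netblock the ISP was allocated, so a dial-up attacker who reconnects with a new address still shows up as one cluster. The whois step itself is assumed to have been done by hand; the sample IIS W3C log lines, the hypothetical ISP allocation 203.0.113.0/24 and the function names are all constructed for this example.

```python
"""Group web-server log entries by ISP netblock instead of by single client IP."""
from collections import Counter
import ipaddress

# Constructed sample IIS W3C extended log excerpt (not real traffic).
# 203.0.113.0/24 stands in for a hypothetical dial-up ISP's allocation.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-07-28 02:10:01 203.0.113.17 GET /scripts/nonexistent.dll 404
2003-07-28 02:10:05 203.0.113.17 GET /default.asp 200
2003-07-28 04:45:12 203.0.113.88 GET /admin/login.asp 404
2003-07-28 04:45:15 203.0.113.88 GET /private/config.asp 404
2003-07-28 06:02:33 198.51.100.5 GET /index.html 200
2003-07-28 07:30:09 203.0.113.201 GET /cgi-bin/test.pl 404
2003-07-28 07:31:00 192.0.2.44 GET /images/logo.gif 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields = []
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the directive
            continue
        if line.startswith("#"):
            continue                    # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue                    # skip malformed lines instead of misaligning columns
        records.append(dict(zip(fields, values)))
    return records


def isp_range_from_ip(ip, prefix_len):
    """Stand-in for the manual whois lookup: the prefix length is what you
    read off the IANA/RIPE allocation record; the netblock is derived from it."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def group_by_netblock(records, prefix_len, status=None):
    """Count entries per /prefix_len netblock (the 'netmasked c-ip' grouping),
    optionally restricted to one HTTP status such as '404'."""
    counts = Counter()
    for rec in records:
        if status is not None and rec["sc-status"] != status:
            continue
        net = ipaddress.ip_network(f"{rec['c-ip']}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


def requests_from_range(records, isp_net):
    """Select only the entries whose client IP falls inside the ISP's range."""
    net = ipaddress.ip_network(isp_net)
    return [rec for rec in records if ipaddress.ip_address(rec["c-ip"]) in net]


def distinct_ips_in_range(records, isp_net):
    """Distinct client addresses the ISP's customers used; several addresses
    over a few hours is what a reconnecting dial-up user looks like."""
    return sorted({rec["c-ip"] for rec in requests_from_range(records, isp_net)},
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    isp = isp_range_from_ip("203.0.113.17", 24)           # from the (assumed) whois record
    print("404s per /24:", group_by_netblock(recs, 24, status="404"))
    print("addresses seen from", isp, ":", distinct_ips_in_range(recs, str(isp)))
    for rec in requests_from_range(recs, str(isp)):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"])
```

Per single address none of the three ISP clients looks remarkable, but grouped by the /24 the block accounts for every 404 in the sample. The same two views (group by masked client IP, or filter to the ISP's range) can be written as LogParser queries against the live logs, which is what the reply is proposing.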




