WebApp Sec mailing list archives
Re: Securityfocus article: Forensic Log Parsing with Microsoft's LogParser
From: <oded () catholic org>
Date: Tue, 29 Jul 2003 07:55:10 -0000 (GMT)
Very nice article indeed. Salutes to Mark. I'd like to address just one more issue Mark seemed to have skipped: attacks originating from a dial-up user.

The thing is that dial-up attackers will most likely change their IP from time to time, especially if their attempts last more than a couple of hours. In this case, upon finding a suspicious IP, you might want to go to www.iana.org or www.ripe.net and look up the suspicious IP. This will get you the ISP of the attacker and its allocated IP range. You can then modify the queries to group by the source IPs netmasked by the ISP range, or select only the IPs of the ISP and find suspicious activity from other IPs belonging to that ISP.

I apologize for not specifying the exact queries as Mark did. This is due to the fact that I don't have the logs or tools in front of me. Sorry...

Well, those were my 2 cents, Ta.
This may be of interest to this list. http://securityfocus.com/infocus/1712

Robert Auger
SPI Labs
----------------------------------------- This email was sent using FREE Catholic Online Webmail. http://webmail.catholic.org/
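The netblock grouping oded describes, worked through as an added example that is not part of the original post and is not a LogParser query: plain Python over a constructed IIS W3C Extended log. The log lines, the suspicion heuristic (cmd.exe/root.exe/default.ida probes, as seen from Code Red/Nimda-era scanners) and the ISP range 203.0.113.0/24 are all assumptions standing in for what the article's queries and an IANA/RIPE lookup would give you; the range is a documentation prefix, not a real ISP allocation.

```python
"""Group suspicious IIS log entries by ISP netblock instead of by single client IP.

Added example for the mailing-list thread above; the log below is constructed
and the suspicion heuristic is a stand-in for whatever the forensic queries flag.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: IIS 6 W3C Extended Log Format, not real traffic.
# Four different addresses in 203.0.113.0/24 run the same probes within a couple
# of hours, which is the pattern a re-addressed dial-up attacker would leave.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-07-28 22:01:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-07-28 22:01:03 203.0.113.17 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2003-07-28 22:01:04 203.0.113.17 GET /msadc/root.exe /c+dir 404
2003-07-28 22:40:11 203.0.113.201 GET /scripts/root.exe /c+dir 404
2003-07-28 23:15:52 203.0.113.88 GET /_vti_bin/..%5c../winnt/system32/cmd.exe /c+dir 404
2003-07-28 23:16:10 198.51.100.5 GET /index.htm - 200
2003-07-28 23:20:00 198.51.100.5 GET /images/logo.gif - 200
2003-07-29 00:02:33 203.0.113.140 GET /default.ida XXXXXXXX 200
"""

# Assumed markers of a hostile request; tune to the logs you actually have.
PROBE_MARKERS = ("cmd.exe", "root.exe", "..%5c", "..%255c", "default.ida")


def parse_w3c(text):
    """Yield one dict per data line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):  # other directives: #Software, #Version, #Date
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def is_suspicious(entry):
    """Assumed heuristic: path or query carries a known probe marker."""
    path = (entry["cs-uri-stem"] + entry["cs-uri-query"]).lower()
    return any(marker in path for marker in PROBE_MARKERS)


def hits_by_netblock(entries, prefixlen):
    """Count suspicious requests per netblock, masking each c-ip to /prefixlen.

    Use the prefix length of the ISP's allocation from the RIR lookup; with
    prefixlen=32 this degenerates to the usual per-IP grouping.
    """
    blocks = defaultdict(lambda: {"hits": 0, "sources": set()})
    for entry in entries:
        if not is_suspicious(entry):
            continue
        block = str(ip_network(f"{entry['c-ip']}/{prefixlen}", strict=False))
        blocks[block]["hits"] += 1
        blocks[block]["sources"].add(entry["c-ip"])
    return dict(blocks)


def hits_from_isp(entries, isp_range):
    """Select every request (suspicious or not) whose source lies in the ISP range."""
    net = ip_network(isp_range)
    return [e for e in entries if ip_address(e["c-ip"]) in net]


if __name__ == "__main__":
    entries = list(parse_w3c(SAMPLE_LOG))
    isp_range = "203.0.113.0/24"  # assumed result of the WHOIS lookup
    for block, info in hits_by_netblock(entries, ip_network(isp_range).prefixlen).items():
        print(f"{block}: {info['hits']} probes from {len(info['sources'])} addresses")
    for e in hits_from_isp(entries, isp_range):
        print(e["date"], e["time"], e["c-ip"], e["cs-uri-stem"], e["sc-status"])
```

Grouping at the ISP's prefix length turns four separate one-or-two-hit addresses into one block with five probes from four sources, which is the signal that a single dial-up attacker was re-addressed between attempts; the second query then pulls everything from that range so the non-flagged requests can be reviewed too.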
Current thread:
- Re: Securityfocus article: Forensic Log Parsing with Microsoft's LogParser oded (Jul 29)
- Re: Securityfocus article: Forensic Log Parsing with Microsoft's LogParser M. Burnett (Jul 29)