Re: Securityfocus article: Forensic Log Parsing with Microsoft's LogParser

["M. Burnett" <mb () xato net>]

Excellent point. Unfortunately there were a lot of things 
I wanted to cover but couldn't in the article. For 
example, what if several people are sitting in a chat 
room, coordinating the attack from several different 
locations? Or what if someone uses a tool to randomly use 
different proxy servers? The purpose of the article was to 
get people thinking about the possibilities of using the 
tool to get the bigger picture and looking at the data 
many different ways. There is a lot more information in 
the logs that many people overlook.

Mark



On Tue, 29 Jul 2003 07:55:10 -0000 (GMT)
 <oded () catholic org> wrote:
> Very nice article indeed. Salutes to Mark.
>
> I'd like to address just one more issue Mark seemed to 
> have skipped -
> Attacks originating from a dial-up user.
>
> The thing is that dial-up attackers will most likely 
> change there IP from
> time to time, especially if their attempts last more than 
> a couple of
> hours.
>
> In this case, upon finding a suspicious ip, you might 
> want to go to
> www.iana.org or www.ripe.net, and lookup the suspicios 
> ip. This will get
> you the ISP of the attacker, and its allocated IP range.
> You can then modify the queries to group by the source 
> ip's netmasked by
> the ISP range, or select only the ip's of the ISP and 
> find suspicious
> activity from other IP's belonging to that ISP.
>
> I apologize for not specifying the exact queries as mark 
> did. This is due
> to the fact that I don't have the logs or tools infront 
> of me. Sorry...
>
>
> Well, those were my 2 cents,
> Ta.
>
> > This may be of interest to this list.
> >
> > http://securityfocus.com/infocus/1712
> >
> >
> > Robert Auger
> > SPI Labs
>
>
>
> -----------------------------------------
>
> This email was sent using FREE Catholic Online Webmail.
> http://webmail.catholic.org/