IDS logsurfer Rules

Thread: IDS logsurfer Rules

  1. #1
    Member
    Join Date
    Mar 2003
    Posts
    55

    IDS logsurfer Rules

    I have set up an IDS system and am getting lots of information in the logs, and was wondering: does anyone know where I can get a premade rule file for logsurfer, as I am having difficulty writing one from scratch?

    Thanks

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    cytex: I'm not familiar with logsurfer but would assume that if it doesn't come with some pre-made rulesets then it is either:

    1. Not very good, or
    2. for very advanced users

    I would suggest using a Snort based IDS. It's free, comes with predefined and regularly updated rules and it is considered the best all around. If you want a really easy to install, same cost for personal use, rulesets included and "pretty" interface with some other features thrown in I would suggest Demarc's PureSecure. I use it and really like the interface and the back end is Snort.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Member
    Join Date
    Mar 2003
    Posts
    55
    Thanks Tiger Shark for the reply. Logsurfer goes through syslog and takes out the logs that you want to keep; it is the only program that I have seen recommended on the internet that does this. I have Snort running also. So do you know of another program that does this, or does anybody have a rule file that they would let me look at?

    Thanks

    Cytex

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I run my Snort into Kiwi's Syslog Daemon too..... Along with my firewall and my eventlogs.... It works very nicely.

  5. #5
    Member
    Join Date
    Mar 2003
    Posts
    55
    And does PureSecure go through the syslogs to find malicious/interesting log entries, or how do you do this?

  6. #6
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    cytex,
    CERT says:

    Logsurfer
    Due to the limited possibilities of swatch (especially the limitation to single lines and the lack of a way to pass substrings of the message as arguments to external programs), the logsurfer program was developed. Just to list some of the important things:

    Works on any text file (or text from standard input)
    Matching of lines is done by two regular expressions (a log line must match the first expression but must not match the optional second one), so you are able to specify exceptions.
    Uses contexts (collections of messages) instead of single lines
    Flexible but easy configuration
    Timeouts and resource limits included
    Handles "shifting" of logfiles (just send a -HUP signal to close and reopen the logfile after you have moved the old one to another place and created a new one)
    Dynamic rules can change the actions associated with log messages (something might happen that makes you interested in messages you would usually drop)
    Multiple reactions on one log line possible
    Portable C code (uses the GNU regex library and autoconf)
    ...
    Hereby a configuration example (comments in French, sorry!!!)

    Code:
    # awk post-processing of the file produced by Logsurfer (scan02.conf): counts the
    # hosts and ports tried. For each line in the content of a context (the "list..."
    # kind) a few operations are performed. When "-----" or the end of the file is seen,
    # the summary is printed if NB (supplied as a parameter: awk -v NB=5 -f scan.awk file)
    # is exceeded.
    BEGIN { commence = 0; }

    /CONTEXT/ { commence = 1; }          # from the contexts onward, start counting

    /-----/ { ligne = 0;                 # reset the counter
      if (oldligne > NB+0)               # +0 forces a numeric comparison of NB
      { if (type == 1) print jour, mois, heure, ": attempt", proto, "from", source[1], "on", dest[1], "(", oldligne, "ports )";
        if (type == 2) print jour, mois, heure, ": attempt", proto, "from", source[1], "on port", port[1], "(", oldligne, "hosts )" } }

    /list.*denied udp/ { if (commence == 0) next;   # not inside the contexts yet: skip
      oldligne = ligne;                  # remember the line count
      olddest = dest[1];                 # remember the host
      oldport = port[1];                 # remember the port
      ligne = ligne + 1;                 # one more line
      mois = $3; jour = $4; heure = $5; s = $13; d = $15;   # source and destination fields
      split(s, source, "(");             # source host ends up in source[1]
      split(d, dest, "(");               # destination host in dest[1]
      split(dest[2], port, ")");         # destination port in port[1]
      if (olddest == dest[1]) type = 1;  # same host -> port scan
      if (oldport == port[1]) type = 2;  # same port -> host scan
      proto = "udp ";                    # which protocol was used
      next; }                            # on to the next line ("break" outside a loop is not portable awk)

    /list.*denied tcp/ { if (commence == 0) next;   # same as udp
      oldligne = ligne;
      olddest = dest[1];
      oldport = port[1];
      ligne = ligne + 1;
      mois = $3; jour = $4; heure = $5; s = $13; d = $15;
      split(s, source, "(");
      split(d, dest, "(");
      split(dest[2], port, ")");
      if (olddest == dest[1]) type = 1;
      if (oldport == port[1]) type = 2;
      proto = "tcp ";
      next; }

    /list.*denied icmp/ { if (commence == 0) next;  # same as udp, but ICMP has no port
      oldligne = ligne;
      olddest = dest[1];
      oldport = port[1];
      ligne = ligne + 1;
      source[1] = $13; mois = $3; jour = $4; heure = $5;
      type = 2;
      port[1] = "---";
      proto = "icmp";
      next; }

    END { if (oldligne > NB+0)           # same action for the last context
      { if (type == 1) print jour, mois, heure, ": attempt", proto, "from", source[1], "on", dest[1], "(", oldligne, "ports )";
        if (type == 2) print jour, mois, heure, ": attempt", proto, "from", source[1], "on port", port[1], "(", oldligne, "hosts )" } }
    SHARING KNOWLEDGE
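The feature list quoted above (a line must match one regex but not an exception regex, lines are grouped into contexts rather than handled singly, contexts close on a timeout or a resource limit, and a dynamic rule can start keeping messages that would normally be dropped) in working form, as an added Python model of how a logsurfer-style engine behaves. This is not logsurfer's own code and does not use its configuration syntax; the log lines are constructed in a Cisco-style ACL "denied"/"permitted" shape and are not real traffic, the resolver address 192.0.2.53, the 300-second timeout, the 6-line limit and the threshold of 3 are assumptions, and the port-scan versus host-sweep classification mirrors the awk script above.

```python
"""Toy model of a logsurfer-style rule engine, run over constructed ACL deny lines."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample (assumed Cisco-style ACL syslog shape; not real traffic).
SAMPLE_LOG = """\
Mar 12 10:01:01 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.8.7(40001) -> 192.0.2.10(21), 1 packet
Mar 12 10:01:02 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.8.7(40002) -> 192.0.2.10(22), 1 packet
Mar 12 10:01:02 fw1 %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.4(1234) -> 192.0.2.53(53), 1 packet
Mar 12 10:01:03 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.8.7(40003) -> 192.0.2.10(23), 1 packet
Mar 12 10:01:04 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.8.7(40004) -> 192.0.2.10(25), 1 packet
Mar 12 10:01:05 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.8.7(40005) -> 192.0.2.10(80), 1 packet
Mar 12 10:01:06 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.9.8.7(40006) -> 192.0.2.10(443), 1 packet
Mar 12 10:01:10 fw1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.9.8.7(40007) -> 192.0.2.20(80), 1 packet
Mar 12 10:02:00 fw1 %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(5000) -> 192.0.2.11(161), 1 packet
Mar 12 10:02:01 fw1 %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(5001) -> 192.0.2.12(161), 1 packet
Mar 12 10:02:02 fw1 %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(5002) -> 192.0.2.13(161), 1 packet
Mar 12 10:02:03 fw1 %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.9(5003) -> 192.0.2.14(161), 1 packet
Mar 12 10:15:00 fw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.4(5555) -> 192.0.2.10(22), 1 packet
"""

TS_RE = re.compile(r"^\w{3} +(\d+) (\d\d):(\d\d):(\d\d) ")
DENY_RE = re.compile(r"list \S+ denied (?P<proto>tcp|udp) (?P<src>[\d.]+)\(\d+\) -> "
                     r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)")

def ts_seconds(line: str) -> int:
    """Seconds since the start of the month (assumes all lines share one month)."""
    day, h, m, s = map(int, TS_RE.match(line).groups())
    return day * 86400 + h * 3600 + m * 60 + s

@dataclass
class Rule:
    match: re.Pattern             # the line must match this ...
    not_match: re.Pattern | None  # ... and must NOT match this (the exception)
    handler: Callable

@dataclass
class Context:
    key: str                      # here: the source address
    opened: int                   # timestamp of the first collected line
    lines: list[str] = field(default_factory=list)

def classify(lines: list[str], threshold: int) -> str:
    """Same idea as the awk script: one target and many ports is a port scan,
    one port and many targets is a host sweep, anything else is noise."""
    hits = [DENY_RE.search(l) for l in lines]
    dsts = {h["dst"] for h in hits}
    ports = {h["dport"] for h in hits}
    if len(dsts) == 1 and len(ports) > threshold:
        return "portscan"
    if len(ports) == 1 and len(dsts) > threshold:
        return "hostsweep"
    return "noise"

class Surfer:
    def __init__(self, timeout: int = 300, limit: int = 6, threshold: int = 3):
        self.timeout, self.limit, self.threshold = timeout, limit, threshold
        self.rules: list[Rule] = []
        self.contexts: dict[str, Context] = {}
        self.reports: list[tuple[str, str]] = []
        self.watched: list[str] = []   # kept only because a dynamic rule asked for them

    def feed(self, line: str) -> None:
        now = ts_seconds(line)
        self._expire(now)
        for rule in self.rules:        # first matching rule wins (no 'continue')
            m = rule.match.search(line)
            if m and not (rule.not_match and rule.not_match.search(line)):
                rule.handler(self, m, line, now)
                break

    def collect(self, m: re.Match, line: str, now: int) -> None:
        ctx = self.contexts.setdefault(m["src"], Context(m["src"], now))
        ctx.lines.append(line)
        if len(ctx.lines) >= self.limit:        # resource limit closes the context
            self._close(ctx)

    def _expire(self, now: int) -> None:
        for ctx in list(self.contexts.values()):
            if now - ctx.opened > self.timeout:  # timeout closes the context
                self._close(ctx)

    def _close(self, ctx: Context) -> None:
        del self.contexts[ctx.key]
        verdict = classify(ctx.lines, self.threshold)
        self.reports.append((ctx.key, verdict))
        if verdict != "noise":
            # Dynamic rule: from now on keep this source's *permitted* traffic,
            # which the catch-all rule would otherwise drop.
            pat = re.compile(rf"permitted \w+ {re.escape(ctx.key)}\(")
            self.rules.insert(0, Rule(pat, None, lambda s, m, l, t: s.watched.append(l)))

    def flush(self) -> None:
        """End of input (or what a -HUP would trigger): close everything still open."""
        for ctx in list(self.contexts.values()):
            self._close(ctx)

def build_surfer() -> Surfer:
    s = Surfer()
    # ACL denies go into a per-source context, except queries to the (assumed) resolver
    s.rules.append(Rule(DENY_RE, re.compile(r"-> 192\.0\.2\.53\(53\)"),
                        lambda s, m, l, t: s.collect(m, l, t)))
    # Catch-all: everything else is ignored
    s.rules.append(Rule(re.compile(r"."), None, lambda s, m, l, t: None))
    return s

def run(log: str = SAMPLE_LOG) -> Surfer:
    s = build_surfer()
    for line in log.splitlines():
        s.feed(line)
    s.flush()
    return s

if __name__ == "__main__":
    for src, verdict in run().reports:
        print(src, verdict)
```

On the sample the first source's context fills up to the 6-line limit and is reported as a port scan; that report installs a dynamic rule, so the later "permitted" line from the same source is kept in `watched` instead of being dropped by the catch-all. The second source's context is closed by the timeout when a line 13 minutes later arrives and is reported as a host sweep, and the last lone line is flushed at end of input as noise. Real logsurfer does the same things declaratively in its rule file; this block only makes the mechanics visible.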

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    cytex: PureSecure does not look at the logs. I use several PureSecure installs to provide both NIDS and HIDS and report back to a central MySQL db and use that for a real-time view of alerts. I also have secondary Snort installs that dump the same data to the syslog. This way I have a permanent text record of occurrences and a real-time view right next to my workstation.

    My system is as follows:-

    I dump both firewalls' logs, 2 publicly available file servers' event logs and 8 Active Directory servers' event logs, an internal and external Snort log and now, (due to Ichnisan), 5 IIS web logs into a daily syslog using Kiwi's syslog daemon to a secured log server, (amongst other places - there are a lot of resources to search if you want to find the several copies of my logs to erase your activity...... ). I then have a single, consolidated file that shows all the activity in and out of my networks. I use LineStrip v 1.5 to strip away all the lines of text I am not interested in to a new file. In this way I can search for all the activity from IP xxx.xxx.xxx.xxx for the day and it will appear in a new file with just that info in it. If need be I can combine a month or so's logs into one and carry out the same search to show me the "big picture". In this way I discovered recently, (from a little suspicious traffic on one day that Snort happened to pick up), that there is a gentleman using boxes in Texas who is very carefully footprinting my network. Under my old system of 20 or more logs I would probably never have noticed him.

    I also, for good measure, write the logs to CD on a regular basis. Using this system I pull about 40MB/day of text. LineStrip can pull the data I am interested in from a file that size in less than 30 seconds on a PIII 1.2GHz/256MB machine, which is very nice. My old system was a database I wrote that I had to convert and import all the different logs into daily before I could start looking - that process took me 2-4 hours a day...... Now I'm done in less than an hour usually.

  8. #8
    Member
    Join Date
    Mar 2003
    Posts
    55
    Thanks guys, this has been a big help. I managed to get the French comments translated in Google. If anyone else out there has any programs that can automate the reviewing of logs, can you please post links to them. Thanks again, and I'm glad that my first post has yielded this much info.
