Security Basics
Linux auditd and Snare - events to look for Apr 07 2012 11:43PM
peenacolada69 yahoo com (1 reply)
Re: Linux auditd and Snare - events to look for Apr 09 2012 09:03PM
Champ Clark III (cclark quadrantsec com)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A couple of things:

You might want to look into Sagan (Sagan is a security based log event
analyzer). That's at http://sagan.quadrantsec.com. It's an open
source solution that "pulls" those security related events out of
logs. Even if you decided you don't want to use Sagan, you might
want to check out the Sagan rule sets. They have a lot of these
types of text strings you probably want to look for. Since Sagan
rules are very similar to "Snort" rules, they are very easy to
understand (they don't look like PCRE/line noise :).

Hope this helps.

On 4/7/12 7:43 PM, peenacolada69 (at) yahoo (dot) com [email concealed] wrote:
> I have some Linux servers. I have set up auditd and Snare on
> them, in order to capture security-related log entries occurring on
> these servers. (As a starting point, I am using Snare's
> pre-configured settings for Payment Card Industry, in order to
> quickly start capturing some security-related log entries).
>
> This generates > 100,000 log entries per day from each server. I
> will likely store most of these log entries, in case one day a
> forensic investigation needs to be performed.
>
> Now I need to find the "important" security-related events in these
> logs. The stuff I would want to know about sooner rather than
> later. Things like the auditing configuration being changed, a new
> user being added, software installation, etc.
>
> My question is, what log entries/text strings is everyone else out
> there searching for?
>
> I am looking for specifics. For example, when a user is added,
> what are those one or two relevant strings to search for out of the
> hundreds or thousands of log entries created? What are the strings
> you "grep" your Linux auditd/Snare logs for? (Not the syslogs;
> auditd has different info than the syslogs).
>
> TIA
>
> Ely
>
- --
- - Champ Clark III (cclark (at) quadrantsec (dot) com [email concealed])
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPg06wAAoJENnmXt7Lmc3KOAsIAJS5n0x+bII22UhJ21RVTD7C
+3TwXa2oeqadbZk69aH8tTGmutobqAH3Iv91A+Ra/R7+KDfZB+tLgBqmlpV5qV/L
s+hT9kVp6BGwrBRxU6ANK1cBhI8tLtd/9/Q3wnVmi1FoIGv7vQhtAvqoBx+Bcv+m
RsQ/3byANo5WUO8mJzRRCgRyANt2yKdJLQ1T29D2zIlcgh1U00jog20qs3CEA63n
RYUpzY9iuZhWrL+/oV38o/Murg2L+9WUpRQ+L0r8SJDpBdRfsTQAC/jPnTJebNOc
MDS+aqSjNxBIbTbICDvQJGDswPs0/DlZiM25XIx67WX1mUAPK1yGxD5uk6U6RMI=
=yfMS
-----END PGP SIGNATURE-----
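The question above asks for the concrete strings to look for in auditd output when an account is created, the audit configuration is touched, or software is installed. The script below is an added example, not code from either poster or from the Sagan project: it parses auditd's key=value record format (including the nested list inside msg='...'), then flags records by their type field (ADD_USER, ADD_GROUP, USER_MGMT, CONFIG_CHANGE, DAEMON_END and similar), by the key field that watch rules attach to events, and by EXECVE records whose argv[0] is a package manager. The sample log lines are constructed for the example, and the rule keys "identity", "auditconfig" and "software" are assumed names that an administrator would assign with auditctl watch rules (for instance `-w /etc/passwd -p wa -k identity`), not values taken from the thread.

```python
import re
from collections import Counter

# Constructed sample records in the layout auditd writes to audit.log.
# Several records of one event share the serial after the ':' in msg=audit(...).
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1333836100.001:101): pid=2001 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'
type=ADD_USER msg=audit(1333836210.123:456): pid=2345 uid=0 auid=1000 ses=3 msg='op=adding user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=ADD_GROUP msg=audit(1333836210.124:457): pid=2345 uid=0 auid=1000 ses=3 msg='op=adding group id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=CONFIG_CHANGE msg=audit(1333836300.500:470): auid=1000 ses=3 op="remove rule" key="identity" list=4 res=1
type=SYSCALL msg=audit(1333836400.200:480): arch=c000003e syscall=2 success=yes exit=3 a0=7fffd1c0 a1=241 a2=1b6 a3=0 items=1 ppid=2000 pid=2400 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="auditconfig"
type=SYSCALL msg=audit(1333836500.300:490): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c a1=1a2b40 a2=1a2b60 a3=0 items=2 ppid=2100 pid=2500 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="rpm" exe="/bin/rpm" key="software"
type=EXECVE msg=audit(1333836500.300:490): argc=3 a0="rpm" a1="-i" a2="example-1.0.rpm"
type=CRED_DISP msg=audit(1333836600.000:500): pid=2001 uid=0 auid=1000 ses=3 msg='op=PAM:setcred acct="ely" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
"""

# One key=value pair: a double-quoted value, a single-quoted value (the nested
# msg='...' list), or an unquoted run that ends just before the next " key=".
FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|.*?)(?= \w+=|$)")
EVENT_ID = re.compile(r"audit\(([\d.]+):(\d+)\)")

# Record types that mean an account or group was changed, or auditing itself was touched.
ACCOUNT_TYPES = {"ADD_USER", "DEL_USER", "ADD_GROUP", "DEL_GROUP", "USER_MGMT",
                 "USER_CHAUTHTOK", "ROLE_ASSIGN", "ROLE_REMOVE"}
AUDIT_CONFIG_TYPES = {"CONFIG_CHANGE", "DAEMON_END", "DAEMON_ABORT"}
# Assumed rule keys (constructed names): -k identity on /etc/passwd and friends,
# -k auditconfig on /etc/audit/, -k software on package database paths.
KEY_LABELS = {"identity": "account-change",
              "auditconfig": "audit-config-change",
              "software": "software-install"}
PACKAGE_TOOLS = {"rpm", "yum", "dpkg", "apt", "apt-get", "zypper"}


def parse_record(line):
    """Parse one auditd line into a flat dict; pairs inside msg='...' are merged in."""
    fields = {}
    for key, value in FIELD.findall(line.strip()):
        if value.startswith("'") and value.endswith("'"):
            for inner_key, inner_value in FIELD.findall(value[1:-1]):
                fields[inner_key] = inner_value.strip('"')
        else:
            fields[key] = value.strip('"')
    return fields


def classify(rec):
    """Return an alert label for a record worth seeing soon, or None for routine noise."""
    rtype = rec.get("type")
    if rtype in ACCOUNT_TYPES:
        return "account-change"
    if rtype in AUDIT_CONFIG_TYPES:
        return "audit-config-change"
    if rec.get("key") in KEY_LABELS:
        return KEY_LABELS[rec["key"]]
    if rtype == "EXECVE" and rec.get("a0", "").rsplit("/", 1)[-1] in PACKAGE_TOOLS:
        return "software-install"
    return None


def triage(log_text):
    """Return one alert per audit event (by serial) for records that classify() flags."""
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        label = classify(rec)
        if label is None:
            continue
        match = EVENT_ID.search(line)
        serial = int(match.group(2)) if match else -1
        if serial in alerts:          # SYSCALL/EXECVE/PATH of one event share a serial
            continue
        alerts[serial] = {
            "serial": serial,
            "time": match.group(1) if match else "?",
            "label": label,
            "type": rec.get("type"),
            "auid": rec.get("auid"),      # login uid survives su/sudo, unlike uid
            "exe": rec.get("exe") or rec.get("a0"),
            "detail": rec.get("op") or rec.get("key") or "",
        }
    return list(alerts.values())


def summarize(alerts):
    """Count alerts per label, the figure a daily report would carry."""
    return Counter(alert["label"] for alert in alerts)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for alert in found:
        print("{serial:>5} {label:<20} {type:<14} auid={auid} exe={exe} {detail}".format(**alert))
    print(dict(summarize(found)))
```

Two points the script makes that a plain grep does not: the auid field, not uid, identifies who acted after su or sudo, and a CONFIG_CHANGE record whose op removes a rule is the one event in the sample that should never be filtered out, since it is the audit trail itself being narrowed.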


Copyright 2010, SecurityFocus