
Re: Securityfocus article: Forensic Log Parsing with Microsoft's LogParser

From: <oded(at)catholic.org>
Date: Tue Jul 29 2003 - 03:55:10 EDT


Very nice article indeed. Salutes to Mark.

I'd like to address just one more issue Mark seemed to have skipped: attacks originating from a dial-up user.

The thing is that dial-up attackers will most likely change their IP from time to time, especially if their attempts last more than a couple of hours.

In this case, upon finding a suspicious IP, you might want to go to www.iana.org or www.ripe.net, and look up the suspicious IP. This will get you the ISP of the attacker, and its allocated IP range. You can then modify the queries to group by the source IPs netmasked by the ISP range, or select only the IPs of the ISP and find suspicious activity from other IPs belonging to that ISP.

I apologize for not specifying the exact queries as Mark did. This is due to the fact that I don't have the logs or tools in front of me. Sorry...

Well, those were my 2 cents,
Ta.

> This may be of interest to this list.


This email was sent using FREE Catholic Online Webmail. http://webmail.catholic.org/

Received on Tue Jul 29 09:30:51 2003
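The grouping the poster describes, as an added example that is not part of the original message or of the SecurityFocus article: given an ISP allocation found via a whois lookup, mask each source IP in the web server log to that prefix so hits from a dial-up attacker who changes address still land in one bucket, then list every address inside the ISP range with its count of error responses. The log lines are constructed IIS W3C-style records using documentation address ranges, and the ISP allocation (203.0.113.0/24) is a hypothetical value standing in for what the RIR record would give you; the functions `parse_log`, `hits_by_network` and `hits_by_isp` are mine, not LogParser's.

```python
import ipaddress
from collections import Counter

# Constructed IIS W3C extended log excerpt (not from the original message or article).
# Field order follows the #Fields directive: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-07-28 22:01:10 203.0.113.17 GET /scripts/..%255c../winnt/system32/cmd.exe 404
2003-07-28 22:01:11 203.0.113.17 GET /default.ida 404
2003-07-28 23:15:02 203.0.113.88 GET /scripts/root.exe 404
2003-07-29 00:02:40 203.0.113.88 GET /msadc/root.exe 404
2003-07-29 00:40:05 198.51.100.9 GET /index.html 200
2003-07-29 01:12:33 203.0.113.201 GET /_vti_bin/shtml.exe 404
2003-07-29 01:30:00 192.0.2.5 GET /index.html 200
"""

# Hypothetical ISP allocation, as you would read it off an IANA/RIPE whois record.
ISP_RANGE = ipaddress.ip_network("203.0.113.0/24")

# Response codes treated as "suspicious" when they pile up from one source
# (probing for files that do not exist, forbidden paths, server faults).
ERROR_STATUSES = {400, 401, 403, 404, 500}


def parse_log(text):
    """Parse W3C-style lines into (ip, method, uri, status) tuples, skipping directives."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed line: skip it rather than abort the whole analysis
        _date, _time, ip, method, uri, status = fields
        records.append((ip, method, uri, int(status)))
    return records


def hits_by_network(records, prefixlen=24):
    """Count hits per network after masking each source IP to `prefixlen` bits.

    This is the 'group by source IP netmasked by the ISP range' view: a dial-up
    attacker who reconnects with a new address stays inside the same bucket.
    """
    counts = Counter()
    for ip, _method, _uri, _status in records:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def hits_by_isp(records, isp_range):
    """Return [(ip, total_hits, error_hits)] for every source inside isp_range.

    This is the 'select only the IPs of the ISP' view: the other addresses in
    the allocation that were also probing, sorted with the noisiest first.
    """
    totals, errors = Counter(), Counter()
    for ip, _method, _uri, status in records:
        if ipaddress.ip_address(ip) in isp_range:
            totals[ip] += 1
            if status in ERROR_STATUSES:
                errors[ip] += 1
    rows = [(ip, totals[ip], errors[ip]) for ip in totals]
    rows.sort(key=lambda r: (-r[2], -r[1], ipaddress.ip_address(r[0])))
    return rows


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Hits per /24:")
    for net, n in hits_by_network(recs).most_common():
        print(f"  {net:<18} {n}")
    print(f"Sources inside {ISP_RANGE} (ip, hits, error responses):")
    for ip, total, err in hits_by_isp(recs, ISP_RANGE):
        print(f"  {ip:<15} {total:>3} {err:>3}")
```

The prefix length passed to `hits_by_network` should be whatever the whois record reports for the allocation; a /24 is used here only because the constructed range is one. Rerunning `hits_by_isp` with a wider range is the cheap way to check whether the dial-up pool is larger than the first lookup suggested.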


This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:54 EDT

