OsAudit version 0.1 is available for download.
OsAudit is a complete system for log gathering, monitoring and analysis. It has two different running modes: server and client.
In client mode, OsAudit will read the logs and forward them (encrypted) to the server station. In server mode, OsAudit will receive external logs from the clients or from any other device that can send remote syslog messages and analyze them.
OsAudit uses (right now) 3 different methods to analyze the logs...
It begins analyzing the logs against the FTS (first
time seem) database. The FTS is only used for some
specific logs (like sshd connections, su usages, sudo,
snort rules, etc). For example, every time a new user
log in to a system, the FTS will fire.
It will cause some false positives in the beginning,
but after one or two days it will become very usefull
to detect a lot of possible intrusions. The same thing
to snort logs. Most false positives messages will stop
after a few hours and only "new" problems (probably
not false-positives) will be notified.
After the FTS analysis, OsAudit will analyze the logs
against the generated statistics. If for example,
during the Sundays the average number of logs received
between 9pm and 10pm is 500, and during one day it
receive 600, an alert will be generated. OsAudit will
analyze the logs against the average logs for the hour
and for the hour/weekday combination.
The last step in the analysis in the rule matching.
All OsAudit rules are in the XML format and are very
easy to manage. We have more than 60 different rules
matching many common problems. The currently rules can
be viewed in the etc/rules directory.
OsAudit right now can perfectly read and analyze the
following logs: syslog, snort-full, snort-fast,
barnyard dump_log, apache err log and any other log
file that looks like syslog (or are well formated)
Read this full article at Daniel Cid
Only registered users can write comments.
Please login or register. Powered by AkoComment! |
