SourceForge.net: Simple Event Correlator: simple-evcorr-users

Home / Browse / Simple Event Correlator / Mail / Archive

Email Archive: simple-evcorr-users (read-only)

2001:	_Jan	_Feb	_Mar	_Apr	_May	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec (5)
2002:	_Jan (6)	_Feb (14)	_Mar (8)	_Apr (13)	_May (6)	_Jun (24)	_Jul (7)	_Aug (9)	_Sep (20)	_Oct (7)	_Nov (1)	_Dec
2003:	_Jan (10)	_Feb	_Mar (6)	_Apr (12)	_May (12)	_Jun (44)	_Jul (39)	_Aug (10)	_Sep (28)	_Oct (35)	_Nov (66)	_Dec (51)
2004:	_Jan (21)	_Feb (33)	_Mar (32)	_Apr (59)	_May (59)	_Jun (34)	_Jul (6)	_Aug (39)	_Sep (13)	_Oct (13)	_Nov (19)	_Dec (9)
2005:	_Jan (18)	_Feb (36)	_Mar (24)	_Apr (18)	_May (51)	_Jun (34)	_Jul (9)	_Aug (34)	_Sep (52)	_Oct (20)	_Nov (11)	_Dec (12)
2006:	_Jan (20)	_Feb (3)	_Mar (68)	_Apr (41)	_May (11)	_Jun (39)	_Jul (17)	_Aug (34)	_Sep (40)	_Oct (42)	_Nov (25)	_Dec (33)
2007:	_Jan (6)	_Feb (28)	_Mar (32)	_Apr (25)	_May (11)	_Jun (20)	_Jul (8)	_Aug (12)	_Sep (13)	_Oct (42)	_Nov (37)	_Dec (16)
2008:	_Jan (25)	_Feb (1)	_Mar (28)	_Apr (34)	_May (16)	_Jun (23)	_Jul (45)	_Aug (26)	_Sep (5)	_Oct (5)	_Nov (20)	_Dec (39)
2009:	_Jan (14)	_Feb (24)	_Mar (40)	_Apr (47)	_May (11)	_Jun (19)	_Jul (15)	_Aug (13)	_Sep (7)	_Oct (34)	_Nov (27)	_Dec (24)
2010:	_Jan (14)	_Feb (5)	_Mar (16)	_Apr (12)	_May (25)	_Jun (43)	_Jul (13)	_Aug (12)	_Sep (10)	_Oct (40)	_Nov (23)	_Dec (29)
2011:	_Jan (25)	_Feb (7)	_Mar (28)	_Apr (36)	_May (18)	_Jun (26)	_Jul (7)	_Aug (16)	_Sep (21)	_Oct (29)	_Nov (13)	_Dec (36)
2012:	_Jan (26)	_Feb (13)	_Mar (12)	_Apr (13)	_May (12)	_Jun (2)	_Jul (3)	_Aug (15)	_Sep (34)	_Oct (49)	_Nov (25)	_Dec (23)
2013:	_Jan (1)	_Feb (35)	_Mar (32)	_Apr (6)	_May (11)	_Jun (27)	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec


S	M	T	W	T	F	S
		1	2	3	4	5

6	7	8	9	10	11	12
	(3)	(4)	(4)	(1)	(1)
13	14	15	16	17	18	19
	(1)	(1)	(3)		(2)
20	21	22	23	24	25	26
		(1)	(1)	(1)
27	28	29	30	31
(3)	(4)	(4)	(6)	(5)

[Simple-evcorr-users] attacks on log analysis tools

From: Chris Petersen <lists@fo...> - 2008-07-15 18:08

A friend of mine (who introduced me to SEC) just sent over a link to a  
rather interesting/disturbing article that details methods of  
attacking log analysis tools like SEC:

http://www.ossec.net/en/attacking-loganalysis.html

I suspect a lot could be fixed by updating the patterns that we use  
(given that SEC has the power of perlre behind id).  It's also a good  
reason to use strict matching and anchoring to the start *and* end of  
log strings.

-Chris