This paper can be freely distributed and reproduced, as long as proper credit is maintained and no modifications are made to this file. For corrections, suggestions or comments, please send me an e-mail.
You can find it online at
http://www.geocities.com/floydian_99
http://securit.iquebec.com
The goal of this paper is to present LogIDS 1.0, a tool written in Perl for analysing application logs in order to detect illicit activity and prevent intrusion attempts. It does this by analysing a variety of log files; one of LogIDS's strengths is its easy customisation and the fact that it tries to be as vendor-independent as possible, even though it is perfectly suited to work with LogAgent 4.0 for collecting and centralising your logs for LogIDS. For each log file you want to monitor with LogIDS, you specify the meaning of each field, set rules that trigger on conditions placed on these fields, and the output is displayed in a graphical representation of your network map, for an easier understanding of the "big picture" when the sky seems to be falling. LogIDS Pro has additional analysing components to facilitate the treatment of logs generated by LogAgent 4.0 Pro (Event Viewer logs included) and ComLog.
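To illustrate the field-and-rule approach described above, here is a small added example in Perl. It is not LogIDS's own code and does not use its configuration syntax: the field layout, the rule structure and the sample log lines are all constructed for this illustration.

```perl
# Added example, not LogIDS's own code: a minimal field/rule log matcher.
# Field names, rule syntax and the sample log lines are all constructed.
use strict;
use warnings;

# Field layout for a hypothetical firewall log (space-separated columns).
my @fields = qw(date time action proto src dst port);

# Each rule names the fields it constrains and the regex each must match.
my @rules = (
    { name  => 'blocked-telnet', level => 'warn',
      cond  => { action => qr/^DROP$/, port => qr/^23$/ } },
    { name  => 'smb-from-outside', level => 'alert',
      cond  => { port => qr/^(?:139|445)$/, src => qr/^(?!10\.)/ } },
);

# Split a line into a hash keyed by field name; undef if malformed.
sub parse_line {
    my ($line) = @_;
    my @cols = split /\s+/, $line;
    return if @cols != @fields;
    my %rec;
    @rec{@fields} = @cols;
    return \%rec;
}

# Return "level:name" for every rule whose conditions all hold on the record.
sub match_rules {
    my ($rec) = @_;
    my @hits;
    RULE: for my $r (@rules) {
        for my $f (keys %{ $r->{cond} }) {
            next RULE unless $rec->{$f} =~ $r->{cond}{$f};
        }
        push @hits, "$r->{level}:$r->{name}";
    }
    return @hits;
}
# Constructed sample lines: one telnet drop, one internal SMB, one external SMB.
my @sample = (
    '2003-11-20 10:01:02 DROP tcp 192.168.5.7 10.0.0.12 23',
    '2003-11-20 10:01:05 ACCEPT tcp 10.0.0.4 10.0.0.12 445',
    '2003-11-20 10:01:09 ACCEPT tcp 172.16.2.9 10.0.0.12 445',
    'garbage line that does not fit the field layout',
);
for my $line (@sample) {
    my $rec = parse_line($line) or do { print "unparsed: $line\n"; next };
    my @hits = match_rules($rec);
    print @hits ? "@hits <- $line\n" : "ok <- $line\n";
}
```

A line that does not fit the declared field layout is reported rather than silently dropped, since a log source that suddenly changes format is itself worth an administrator's attention.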
When I started to study security approximately 3 years ago, one of the only beneficial aspects of my burn-out was that I had plenty of free time to fill. I had set myself the goal of combining my previous experience as an NT, OS/2 and Novell administrator with the new knowledge I was acquiring thanks to a humble 33.6 kbps line. This goal was to redefine the networking best practices in NT-based networks, having concluded that "current industry standards" were not quite up to the task, and still are not according to the latest virus and worm activity statistics, to mention only that. I achieved this goal during the last year, by providing a good log centralising agent, a command prompt logger, and by writing a paper about how to secure internal, Microsoft-based networks (Securing the Microsoft internal network), a paper that I presented recently at the Seguridad en Computo 2003 conference in Mexico City. That paper presents some recommendations of tools that should be deployed on the network, such as antivirus and personal firewalls, and strategies to configure them, among other things. As I tried to push my ideas during jobs and job interviews, one of the downsides of my multi-layer security approach was that it would overwhelm the administrators with logs, and that they would not have the time to parse through it all. That was not considering that LogAgent can also be used as a console to monitor these centralised log files. But I can agree that in large environments, depending on the number of applications reporting their logs and the granularity of the logging, the volume of logs could be such that security incidents could possibly slip through the constant watch of a busy administrator. Which is why I came up with LogIDS 1.0, a tool that I hope will redefine the way we look at intrusion detection.
I would like to thank those who believed in me for providing the support I needed to complete this project. I would also like to thank those who did not believe in me for providing me with a reason to keep working on it.
This document is presented to anyone who has interests in computer security, intrusion detection, antivirus, firewalls, forensics, NT/2K Administration, computer and network monitoring, Perl programming and computing in general.