[Dshield] httpd logs

Tomas L. Byrnes tomb at byrneit.net
Mon Jun 18 19:51:26 GMT 2007

This was something that Marc, Johannes and I discussed @ SANS Vegas.
Ideally, what you want to do is cross-correlate the firewall flow
information with 404s, 500s etc. Taking the output of modsecurity logs,
pulling them in like DShield does, and generating a threat feed from it
is also something we have been thinking about.

Marc calls it: "We saw this, did it hurt?"

The big issue is that HTTP logs are so much larger than firewall logs,
so the parsing is orders of magnitude more difficult. There are entire
companies, like webtrends and websidestory, that do nothing but parse
weblogs for people. If we had something like the DShield parsers for
weblogs, that would strip out all except the errors and the source IP,
then maybe it would be manageable.

It's something that is on the horizon and that ThreatSTOP is working on
ideas as to how we can help extend the DShield framework in this
direction. Any an all ideas are welcome, either on-list, or to

Tom Byrnes
DISS, Inc./threatSTOP
VOX 760.798.9517
PCS 760.402.3999
Text Message: 7604023999 at messaging.sprintpcs.com
e-mail: tomb at threatstop.com

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Rick Leir
> Sent: Monday, June 18, 2007 12:14 PM
> To: list at lists.dshield.org
> Subject: [Dshield] httpd logs
> How about monitoring http attack attempts, which generally 
> show up in /var/log/httpd/error_log?
> This has probably been discussed before, but my searches of 
> the archive were not helpful.
> Better still, application level attack attempts seen by IPS's.
> cheers -- Rick
> _________________________________________
> SANSFIRE 2007 July 25-August 2 in Washington, DC.  56 
> courses, SANS top instructors, and a great tools and 
> solutions expo. Register today!
> http://www.sans.org/info/4651 (brochure code ISC)

More information about the list mailing list