devialog is a syslog anomaly detection system.
Here are some key features of "devialog":
· Is a behavior/anomaly/signature-based syslog intrusion detection system
· Detects new unknown attacks via anomalies in syslog
· Fits comfortably in heterogeneous Unix/Linux/*BSD environments at the core of a central syslog server
· Generates its own signatures
· Can email anomalies to administrators, with the generated signatures included, so that similar future events can be ignored
Present log-based IDS:
Nearly all present log-based intrusion detection systems operate from a pre-defined base of known signatures, usually painstakingly created by hand. They can work well if the creator knows every error and informational message that the software on each system will write to syslog. Most overworked administrators wish there were an easier way to handle system logfiles in a sane, time-saving fashion. Present log-based intrusion detection systems have difficulty detecting new attacks.
How devialog Differs:
devialog makes syslog parsing far less of a chore than it has previously been. It is functionally the inverse of standard log monitoring software: by default, devialog reports on what is not known in its signature base, i.e. what is anomalous. This type of intrusion detection system is considered behavior-based, or anomaly detection. Reporting can take the form of an email for each anomalous log line, or one email for all the log lines seen within a pre-defined time window. devialog can also execute commands, or simply write all anomalies to a file for periodic review.
For log-based anomaly detection to operate effectively, one must create an extremely large signature base. With an included utility, devialogsig, the signatures are created automatically. Future signature additions are as simple as a cut and paste from the alert email.
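The inverse-monitoring model above (a signature base of known messages, everything unmatched reported as an anomaly, and a generated signature for each anomaly that the administrator can paste back into the base) as an added example, written in Python rather than devialog's own Perl and not taken from the devialog or devialogsig code. The syslog lines are constructed for the example, and the generalization rules (PIDs, IPv4 addresses and other numbers become regex classes, all other text is matched literally) are an assumption about what a signature generator of this kind does, not a description of devialogsig's actual rules.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines (not real devialog data): a small "known good" history
# standing in for the logs a devialogsig-style generator would learn from.
BASELINE = [
    "Jan 12 03:14:07 web1 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Jan 12 03:15:09 web1 sshd[2240]: Accepted publickey for bob from 10.0.0.9 port 51120 ssh2",
    "Jan 12 03:20:01 web1 CRON[2310]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 12 04:20:01 web1 CRON[2450]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Constructed lines arriving later; two are covered by the base, two are not.
NEW_LINES = [
    "Jan 13 01:02:03 web1 sshd[3001]: Accepted publickey for alice from 10.0.0.7 port 40001 ssh2",
    "Jan 13 01:02:10 web1 sshd[3002]: Failed password for invalid user admin from 203.0.113.8 port 40002 ssh2",
    "Jan 13 01:20:01 web1 CRON[3100]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 13 01:21:44 web1 kernel: [12345.678901] usb 1-1: new high-speed USB device",
]

# Classic "Mon DD HH:MM:SS host rest" syslog layout (assumed format for the example).
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
PROGRAM_RE = re.compile(r"^(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TOKEN_RE = re.compile(IPV4 + r"|\d+|\D+")  # every character falls into exactly one token


def generalize(text: str) -> str:
    """Turn a literal message into a regex: IPv4 addresses and numbers become
    character classes, everything else is escaped and matched verbatim."""
    out = []
    for tok in TOKEN_RE.findall(text):
        if re.fullmatch(IPV4, tok):
            out.append(IPV4)
        elif tok.isdigit():
            out.append(r"\d+")
        else:
            out.append(re.escape(tok))
    return "".join(out)


def make_signature(line: str) -> str:
    """Build an anchored regex for the program/message part of one syslog line.
    Timestamp and host are dropped, and the PID in [] is allowed to vary."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: " + line)
    p = PROGRAM_RE.match(m.group("rest"))
    if not p:
        # No "program:" prefix: generalize the whole remainder.
        return "^" + generalize(m.group("rest")) + "$"
    return "^" + re.escape(p.group("prog")) + r"(?:\[\d+\])?: " + generalize(p.group("msg")) + "$"


def build_signature_base(lines: List[str]) -> Dict[str, re.Pattern]:
    """One compiled signature per distinct message shape seen in the history."""
    base: Dict[str, re.Pattern] = {}
    for line in lines:
        sig = make_signature(line)
        base.setdefault(sig, re.compile(sig))
    return base


def find_anomalies(lines: List[str], base: Dict[str, re.Pattern]) -> List[Tuple[str, str]]:
    """Inverse log monitoring: return (line, suggested_signature) for every line
    that no signature in the base accepts. Lines that are not even valid syslog
    are anomalies too, with a purely literal signature."""
    anomalies = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        rest = m.group("rest") if m else line
        if any(sig.match(rest) for sig in base.values()):
            continue
        suggested = make_signature(line) if m else "^" + re.escape(line) + "$"
        anomalies.append((line, suggested))
    return anomalies


if __name__ == "__main__":
    base = build_signature_base(BASELINE)
    for line, sig in find_anomalies(NEW_LINES, base):
        print("ANOMALY:", line)
        print("  paste into signature base to ignore in future:", sig)
```

Running the block reports the failed-password and kernel lines as anomalies, each with a generated signature; appending one of those lines to the learned history (or its signature to the base) makes that message shape silent from then on, which is the cut-and-paste workflow the page describes. A real deployment would also need the batching, email and command-execution parts, which the example leaves out.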
Usage: devialog.pl [-OPTIONS [-MORE_OPTIONS]] [--] [PROGRAM_ARG1 ...]
The following single-character options are accepted:
With arguments: -c
Boolean (without arguments): -d -h -v
What's New in This Release:
· Bug fixes include better handling of lines with some special characters.
· A timing error in alert generation was fixed: in some high-volume situations, a new log line arriving while an alert was being sent out could cause an alert to be sent inadvertently.
· Altered signature generation creates more exact regular expressions.