Devialog is a behavior/anomaly-based syslog intrusion detection system which detectsattacks via anomalies in syslog.
Present log-based IDS:
Nearly all present log-based intrusion detection systems operate using a pre-defined known signature base, usually painstakingly created by hand. They can work well if the creator knows exactly all error and informational messages the software on a system(s) will write to syslog. Most overworked administrators wish there was an easier way to handle system logfiles in a sane, time-saving fashion. Present log-based intrusion detection systems have difficulty in detecting new attacks.
How devialog Differs:
devialog makes syslog parsing far less of a chore than it previously has been. It is functionally the inverse of standard log monitoring software. devialog, by default, reports on what is not know in its signature base, i.e. anomalous. This type of intrusion detection system is considered behavior-based, or anomaly detection. Reporting can be in the form of an email for each anomalous log, or an email for all the logs sent within a pre-defined time window. devialog can also execute commands, or simply write all anomalies to a file for periodical review.
For log-based anomaly detection to operate effectively, one must create an extremely large signature base. With an included utility, devialogsig, the signatures are created automatically. Future signature additions are ver simple, like a copy from the alert email.