-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

liblognorm is really good for extracting certain types of information from logs (src ip, dst ip, usernames, etc), but I'm not sure it's going to help in this case. Here is my liblognorm page:

https://wiki.quadrantsec.com/bin/view/Main/LibLogNorm

You might be able to pump the logs into an ELSA or something like that. We wrote a custom Syslog/MySQL/Sphinx engine that we'd use in cases just like this (command line driven). Unfortunately, it's not open source :(

You might be better off sticking with grep/awk/sed/cut/etc. Also, Websense will store in a CEF format which should make it easier to extract what you want.

On 6/9/13 1:16 AM, Johan Peder Møller wrote:
> Have looked at liblognorm. No personal experience, but remember
> having it recommended at some time.
>
> rgds Johan
>
>
> On Fri, Jun 7, 2013 at 3:36 AM, allison nixon <[email protected]
> <mailto:[email protected]>> wrote:
>
>     So I have several gigs of webnonsense logs and I am trying to
>     construct a timeline of malware infection as it spreads from IP to
>     IP. I already know what the malicious URLs look like so that's
>     not the issue. I want to be able to build a timeline of activity
>     to describe the first moment a computer was infected and I want to
>     illustrate when the phone home traffic hops from domain to domain.
> - --

- -- 
Champ Clark III ([email protected])
Quadrant Information Security (http://quadrantsec.com)
Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
GPG Key ID: 0381878A

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJRtL87AAoJENnmXt7Lmc3Kb6oH/AmXGcBKtTdIfCWyqq9Luzsa
lPbSWHM1Bj7M8AaA2kVrJWjECJ85UPyPTmMRWu0ZiGzv0lOGGNE55bgqyGfQnY/v
uE1X19oed+Z1kI0yLQ7WNNMfOrIEz3VoUH9g6WnMNbuRGWVPrNVdLz1zJ3HcKWNr
AD+q9XLmcjM9yL83OaiFXoSWZTaTZM3tOwpQ2rsOgalUZUHN6Fb78PHQHAAFYCVa
WAcNxU4ItErSboZpsgchovU4wR6sLamcu4kuuBvhdZma17a67Q3b7+ixazYigUvw
e9w1wCQhhYo45Wy9gIB/Rn5aIqPm5O3fV0/xVG6U3yyBAGI25aesCnedPa3JY+k=
=sOLA
-----END PGP SIGNATURE-----

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
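The timeline Allison describes (first known-bad request per source IP, then the order in which that host's phone-home traffic moved between bad domains), built from the CEF-style export Champ mentions, as an added example that is not part of this thread or of any Quadrant/Websense tooling. The log lines, vendor and product names, IPs, domains and timestamps below are constructed placeholders; `rt`, `src` and `request` are standard CEF extension keys, but it is an assumption that a given Websense export populates exactly those. The parser honours the two CEF escaping rules (`\|` in header fields, `\=` in extension values) so that URLs containing `=` do not break the key/value split.

```python
"""Build a per-host infection timeline from CEF-formatted proxy log lines.

Added example, not code from the thread.  All sample data is constructed.
"""
import re
from datetime import datetime
from urllib.parse import urlsplit

# CEF header layout: CEF:Version|Vendor|Product|DevVersion|SigID|Name|Severity|Extension
CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

# Constructed sample records (placeholder vendor, IPs, domains and times).
# Note the escaped pipe in the Name field and the escaped '=' in the URL query,
# both written the way CEF requires.
SAMPLE_LOGS = [
    "Jun  7 01:10:02 proxy CEF:0|ExampleVendor|ExampleProxy|1.0|100|Allowed|3|"
    "rt=Jun 07 2013 01:10:02 src=10.0.0.5 request=http://intranet.example.local/home",
    "Jun  7 01:12:15 proxy CEF:0|ExampleVendor|ExampleProxy|1.0|200|Blocked\\|Malware|8|"
    "rt=Jun 07 2013 01:12:15 src=10.0.0.5 request=http://bad-c2-one.example/gate.php?id\\=1",
    "Jun  7 01:40:00 proxy CEF:0|ExampleVendor|ExampleProxy|1.0|200|Blocked\\|Malware|8|"
    "rt=Jun 07 2013 01:40:00 src=10.0.0.5 request=http://bad-c2-two.example/ping",
    "Jun  7 02:05:30 proxy CEF:0|ExampleVendor|ExampleProxy|1.0|200|Blocked\\|Malware|8|"
    "rt=Jun 07 2013 02:05:30 src=10.0.0.9 request=http://bad-c2-one.example/gate.php?id\\=2",
    "Jun  7 02:06:00 proxy CEF:0|ExampleVendor|ExampleProxy|1.0|200|Blocked\\|Malware|8|"
    "rt=Jun 07 2013 02:06:00 src=10.0.0.5 request=http://bad-c2-one.example/gate.php?id\\=1",
    "Jun  7 02:07:00 proxy something that is not CEF at all",
]

# Known phone-home domains (constructed); in practice this is the analyst's list.
MALICIOUS_DOMAINS = {"bad-c2-one.example", "bad-c2-two.example"}


def _unescape(value):
    """Undo CEF backslash escaping of '|', '=' and '\\' itself."""
    return re.sub(r"\\([\\|=])", r"\1", value)


def parse_cef(line):
    """Parse one syslog line carrying a CEF record into a flat dict.

    Returns the seven header fields plus every extension key/value, or None
    when the line holds no CEF record or the header is malformed.
    """
    start = line.find("CEF:")
    if start < 0:
        return None
    body = line[start + len("CEF:"):]
    # Header fields end at an unescaped '|'; everything after the 7th is extension.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) != 8:
        return None
    event = {k: _unescape(v) for k, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    # Split the extension only at spaces that begin a new key=, so values
    # with embedded spaces (e.g. the rt timestamp) stay intact.
    for pair in re.split(r" (?=[A-Za-z0-9_.]+=)", parts[7].strip()):
        key, sep, value = pair.partition("=")
        if sep:
            event[key] = _unescape(value)
    return event


def build_timeline(lines, malicious_domains):
    """Return {src_ip: {"first_seen": datetime, "hops": [domain, ...]}}.

    Only requests whose host is in malicious_domains count.  "hops" lists the
    bad domains in the order the source IP first contacted each of them.
    """
    events = []
    for line in lines:
        ev = parse_cef(line)
        if ev is None or not all(k in ev for k in ("rt", "src", "request")):
            continue
        host = urlsplit(ev["request"]).hostname
        if host is None or host.lower() not in malicious_domains:
            continue
        ts = datetime.strptime(ev["rt"], "%b %d %Y %H:%M:%S")
        events.append((ts, ev["src"], host.lower()))
    timeline = {}
    for ts, src, host in sorted(events):  # chronological, whatever the file order
        entry = timeline.setdefault(src, {"first_seen": ts, "hops": []})
        if host not in entry["hops"]:
            entry["hops"].append(host)
    return timeline


def infection_order(timeline):
    """Source IPs sorted by the time of their first known-bad request."""
    return sorted(timeline, key=lambda src: timeline[src]["first_seen"])


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOGS, MALICIOUS_DOMAINS)
    for src in infection_order(tl):
        print(src, tl[src]["first_seen"].isoformat(), " -> ".join(tl[src]["hops"]))
```

`build_timeline` accepts any iterable of lines, so for a multi-gigabyte export pass an open file object rather than a list and it streams; the one thing it must hold in memory is the list of matching events, which is small once the known-bad filter has been applied. It keys time on the CEF `rt` field rather than the syslog prefix, because `rt` is the device's own event time and survives forwarding delays.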
