Actually, thinking about this, liblognorm might be useful. It comes with
a program called "normalizer". You'll need to create the rulebase
files/rules. That'll be the tricky part.

If you do create good rulebase/rules, let me know. I'd like to have a
copy :)


On 6/9/13 1:16 AM, Johan Peder Møller wrote:
> Have looked at liblognorm. No personal experience, but remember
> having it recommended at some time.
> 
> rgds Johan
> 
> 
> On Fri, Jun 7, 2013 at 3:36 AM, allison nixon <[email protected]> wrote:
> 
> So I have several gigs of webnonsense logs and I am trying to 
> construct a timeline of malware infection as it spreads from IP to 
> IP.  I already know what the malicious URLs look like so that's
> not the issue.  I want to be able to build a timeline of activity
> to describe the first moment a computer was infected and I want to 
> illustrate when the phone home traffic hops from domain to domain.
> 
> I can sort of do it with some artful use of grep and excel, but
> it's hard to make that scale to more than a small sample of the
> logs.  I fed it to a trial copy of Splunk and it exploded while
> giving me nothing useful.  Are there any tools out there that I can
> use for this?  I don't want to pay money for it because it's a
> one-off, but so far nothing can compete with good ol' grep.
> 
> _______________________________________________ Pauldotcom mailing
> list [email protected]
> <mailto:[email protected]> 
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main
> Web Site: http://pauldotcom.com


-- 
- Champ Clark III ([email protected])
  Quadrant Information Security (http://quadrantsec.com)
  Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
  GPG Key ID: 0381878A
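One way to script the timeline Allison describes (the first malicious hit per client IP, then the order in which each host's phone-home traffic moves between domains) instead of chaining grep and Excel; this is an added Python example, not something posted in the thread, and the proxy log format, the sample lines and the malicious URL pattern are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample web-proxy log lines (not from the thread), one per line:
# "<epoch> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
1370574000 10.0.0.5 GET http://update.example-cdn.test/ok.js 200
1370574010 10.0.0.5 GET http://c2-one.bad.test/gate.php?id=1 200
1370574020 10.0.0.9 GET http://news.example.test/index.html 200
1370574030 10.0.0.5 GET http://c2-one.bad.test/gate.php?id=2 200
1370574040 10.0.0.9 GET http://c2-one.bad.test/gate.php?id=7 200
1370574100 10.0.0.5 GET http://c2-two.bad.test/gate.php?id=3 404
1370574160 10.0.0.5 GET http://c2-two.bad.test/gate.php?id=4 200
"""

# Patterns for the malicious URLs the analyst already knows (placeholder;
# the real list comes from the investigation, not from this example).
MALICIOUS = [re.compile(r"/gate\.php\?id=\d+")]

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")

def parse(line):
    """Return (epoch, client_ip, url), or None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(4)

def build_timeline(log_text, patterns=MALICIOUS):
    """Per client IP: epoch of its first malicious request, and the ordered
    list of (epoch, domain) hops with consecutive repeats of a domain collapsed."""
    first_seen = {}
    hops = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        ts, ip, url = rec
        if not any(p.search(url) for p in patterns):
            continue
        first_seen.setdefault(ip, ts)
        domain = urlparse(url).hostname
        if not hops[ip] or hops[ip][-1][1] != domain:
            hops[ip].append((ts, domain))
    return first_seen, dict(hops)

def infection_order(first_seen):
    """Client IPs sorted by when each first contacted a malicious URL."""
    return sorted(first_seen, key=first_seen.get)
```

Feeding real logs means replacing SAMPLE_LOG with the file contents and LINE_RE with the proxy's actual field layout; the correlation logic does not change.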