Thursday, February 14, 2008

Fun Paper: "Logs vs Web Hacking"

Now, I swear I was thinking of writing exactly a paper like this for a long time, but never found time to do it. I am soooo happy somebody else did it!

So, enjoy "Detecting Attacks on Web Applications from Log Files" in SANS Reading Room: logs vs OWASP Top 10 web attacks - the battle of the century - who will win (bet on logs! :-))?

One thing I miss in the paper is that all suggested approaches are rule-based, not anomaly- or profiling-based. Regexes suck! :-)
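To make that contrast concrete, here is an added illustration (not code from the original post or from the SANS paper): regex signatures for two of the classic web attacks beside a simple profiling check that learns the longest query string per path from a baseline log and flags outliers. All log lines, paths and the 2x threshold are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache-style access log lines (not from the paper or the blog).
BASELINE_LOG = """\
10.0.0.5 - - [14/Feb/2008:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.7 - - [14/Feb/2008:10:00:03 +0000] "GET /products?id=12 HTTP/1.1" 200 2210
10.0.0.7 - - [14/Feb/2008:10:00:04 +0000] "GET /products?id=13 HTTP/1.1" 200 2198
"""
NEW_LOG = """\
10.0.0.7 - - [14/Feb/2008:11:00:01 +0000] "GET /products?id=14 HTTP/1.1" 200 2190
10.0.0.9 - - [14/Feb/2008:11:00:02 +0000] "GET /products?id=12'%20OR%20'1'='1 HTTP/1.1" 200 9870
10.0.0.9 - - [14/Feb/2008:11:00:03 +0000] "GET /../../etc/passwd HTTP/1.1" 404 210
10.0.0.11 - - [14/Feb/2008:11:00:04 +0000] "GET /products?id=1111111111111111111111111111111111 HTTP/1.1" 500 0
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"\S+ (?P<url>\S+)')
# Signatures (the paper's rule-based approach), matched on the URL-decoded
# request so that %27 and a literal quote are treated alike.
RULES = {
    "sqli": re.compile(r"'\s*(or|and)\s*'", re.I),
    "traversal": re.compile(r"\.\./"),
}

def parse(log):
    """Yield (client ip, decoded url); lines that do not fit the format are
    skipped here, but a real detector should count them as a blind spot."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], unquote(m["url"])

def build_profile(baseline_log):
    """Profile known-good traffic: longest query string seen per path."""
    profile = {}
    for _, url in parse(baseline_log):
        path, query = urlsplit(url)[2:4]
        profile[path] = max(profile.get(path, 0), len(query))
    return profile

def detect(log, profile):
    """Return [(ip, url, reasons)] for requests that trip a rule or the profile."""
    hits = []
    for ip, url in parse(log):
        reasons = [name for name, rx in RULES.items() if rx.search(url)]
        path, query = urlsplit(url)[2:4]
        if path not in profile:
            reasons.append("unknown-path")  # never seen in the baseline
        elif len(query) > 2 * profile[path]:
            reasons.append("query-length")  # outlier, no signature needed
        if reasons:
            hits.append((ip, url, reasons))
    return hits
```

The oversized `id` value on the last line trips no regex at all and is caught only by the profile, which is the gap the post is pointing at.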

6 comments:

Anonymous said...

Some problems with this that are at least partly discussed in Log Injection Attack and Defence...
http://www.sift.com.au/assets/downloads/SIFT-Log-Injection-Intelligence-Report-v1-00.pdf

Anton Chuvakin said...

Oh, yeah. That is a good "counter-logging" paper indeed; I saw it before.

Anonymous said...

Thank goodness YOU didn't write the paper. This paper was very clear and concise.

Anton Chuvakin said...

Thanks for the comment - indeed, my writing has gotten a little more "rambling" (I suspect spending too much time near management did that);

I have to write something real technical, real quick :-)

Anonymous said...

I agree too. You're overdue for something really technical and a little more serious. :-)

Anton Chuvakin said...

OMG, I have to stop writing that GRC paper ASAP and go back to fixing bugs in my ugly Perl code to do log text mining :-)

Dr Anton Chuvakin