syslog anomaly detection - devialog, a knowledge/anomaly/signature-based syslog intrusion detection system

devialog - Syslog Anomaly Detection

Main · Quick Start · F.A.Q · Download · GitHub Project Page

Current version: 0.9.0 - if you are running a version earlier than 0.9.0, please upgrade
    devialog...
  • Is a behavior/anomaly/signature-based syslog intrusion detection system
  • Detects new unknown attacks via anomalies in syslog
  • Fits comfortably in heterogeneous Unix/Linux/*BSD environments at the core of a central syslog server
  • Generates its own signatures
  • Can email anomalies with included generated signatures in to administrators to ignore future similar events

Present log-based IDS:

Nearly all present log-based intrusion detection systems operate using a pre-defined known signature base, usually painstakingly created by hand. They can work well if the creator knows exactly all error and informational messages the software on a system(s) will write to syslog. Most overworked administrators wish there was an easier way to handle system logfiles in a sane, time-saving fashion. Present log-based intrusion detection systems have difficulty in detecting new attacks.

How devialog Differs:

devialog makes syslog parsing far less of a chore than it previously has been. It is functionally the inverse of standard log monitoring software. devialog, by default, reports on what is not know in its signature base, i.e. anomalous. This type of intrusion detection system is considered behavior-based, or anomaly detection. Reporting can be in the form of an email for each anomalous log, or an email for all the logs sent within a pre-defined time window. devialog can also execute commands, or simply write all anomalies to a file for periodical review.

Signature Creation:

For log-based anomaly detection to operate effectively, one must create an extremely large signature base. With an included utility, devialogsig, the signatures are created automatically. Future signature additions are as simple as a cut and paste from the alert email.


For any questions/comments, contact the devialog author: Jeff Yestrumskas (OSCP, CISM, CISSP) - jeff@yestrumskas.com
devialog - Copyright 2002-2008 Jeff Yestrumskas