A friend of mine (who introduced me to SEC) just sent over a link to a rather interesting/disturbing article that details methods of attacking log analysis tools like SEC:
http://www.ossec.net/en/attacking-loganalysis.html

I suspect a lot could be fixed by updating the patterns that we use (given that SEC has the power of perlre behind it). It's also a good reason to use strict matching and anchoring to the start *and* end of log strings.

-Chris
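The difference that anchoring makes, as an added example (not from the original post, the linked article, or the SEC project): the same perlre-style pattern written loosely and then anchored to the start and end of the syslog line with its header fields pinned, run over three constructed log lines. The hostname, pids, addresses and the "webapp" program name are all made up for the illustration.

```python
import re

# Constructed sample syslog lines (not taken from any real system).
LOG_LINES = [
    # 1: a genuine sshd authentication failure
    "Sep 14 10:02:11 host1 sshd[2143]: Failed password for root from 10.0.0.5 port 51022 ssh2",
    # 2: an unrelated daemon logging user-supplied free text that happens to
    #    look like an sshd message; a loose pattern cannot tell it apart
    "Sep 14 10:02:12 host1 webapp[887]: comment posted: 'Failed password for root from 192.0.2.99 port 22 ssh2' by guest",
    # 3: a genuine failure for an unknown account
    "Sep 14 10:02:13 host1 sshd[2143]: Failed password for invalid user admin from 10.0.0.7 port 51030 ssh2",
]

# Loose pattern: no anchors, no check of the syslog header or of which
# program produced the message. Anything containing the phrase matches.
LOOSE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

# Strict pattern: anchored with ^ and $, pins the timestamp, host, program[pid]
# prefix, and limits each capture to the shape that field is allowed to have
# (an account name, a dotted-quad address, a numeric port).
STRICT = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} "   # syslog timestamp
    r"[\w.-]+ sshd\[\d+\]: "                        # hostname and program[pid]
    r"Failed password for (?:invalid user )?([\w.-]+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d{1,5} ssh2$"
)


def extract(pattern, lines):
    """Return (user, source_ip) for every line the pattern accepts."""
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def loose_hits():
    return extract(LOOSE, LOG_LINES)


def strict_hits():
    return extract(STRICT, LOG_LINES)


if __name__ == "__main__":
    print("loose :", loose_hits())   # also accepts the webapp line
    print("strict:", strict_hits())  # only the two real sshd lines
```

The loose pattern reports a failed login from 192.0.2.99 that sshd never logged; the anchored one rejects that line because the program field is not `sshd[...]` and the message does not end where an sshd failure message ends. The same idea carries over to SEC rule `pattern=` regexes, where each field's allowed character class should be spelled out rather than left as `\S+` or `.*`.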
