LMA - Log Mail Analyzer

M. Aiello; G. Papaleo; D. Chiarella
2007

Abstract

Network and system administrators should monitor log files to maintain control over the services they offer to users. This is a difficult task, since it requires a complete understanding of the log file format; moreover, the information on a single transaction is often spread across several lines. Another common problem is the data mining operation needed to extract the important data from the whole (the noise). All of the above problems arise when dealing with mail servers: we analyzed Postfix and Sendmail log files and created a tool, Log Mail Analyzer (LMA), for comprehensive analysis. LMA parses mail log files, extracts information on each transaction and dumps the records using BerkeleyDB or a different database management system such as MySQL. Various types of query, both on BerkeleyDB and in the SQL language, are supported: through these queries it is possible to adopt an anomaly-based approach for intrusion detection purposes. In fact, it is well known that viruses and worms also propagate via e-mail. Having a tool for clearly understanding and monitoring SMTP transactions may help with security management tasks. LMA is written in Perl for portability reasons and is available at http://sourceforge.net/projects/lma/
Files for this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/450