SQL Server as an IDS Tool

Yaroslav Pentsarskyy-353753
SSC-Enthusiastic (141 reputation)

Group: General Forum Members
Points: 141 Visits: 3
Comments posted to this topic are about the content posted at temp


Regards,

Yaroslav

Paul Smith-221741
Ten Centuries (1.1K reputation)

Group: General Forum Members
Points: 1050 Visits: 334

Welcome to the magical world that is SQL Server

As a newbie you have managed to master the DB Engine and SSIS in a very short time to come up with (IMHO) quite a useful tool.

I would take a look at some other posts around this site dealing with log file processing, e.g. IIS logs. That might give you a pointer into using SSAS to produce analysable data cubes.

Keep up the good work

Paul


Tim Cullen
SSC Eights! (904 reputation)

Group: General Forum Members
Points: 904 Visits: 218
I am glad to see you used SQL in such a useful way. I use DTS packages to pull information from each of our syslog servers into a database each night. So you are certainly on the right track...and I agree that you have made great progress in a short amount of time. Maybe stage 2 will be to incorporate Reporting Services in the mix (if you haven't already thought of that and didn't see it in the article). Keep up the innovative thinking!!!



Stephanie J Brown
SSCommitted (1.7K reputation)

Group: General Forum Members
Points: 1734 Visits: 1103
A very clear article - makes me (a newbie also) want to run out and try it - if only I had SQL 2005 installed on my home machine! I'm dying to know what kind of grade you get on this project.


Here there be dragons...,

Steph Brown
Yaroslav Pentsarskyy-353753
SSC-Enthusiastic (141 reputation)

Group: General Forum Members
Points: 141 Visits: 3

Thanks for all your posts so far, it was really exciting reading them all. When I finished my project and this article I started thinking of many other ways I could use SQL Server to automate the analysis. It's amazing how SQL can be such an extensible solution - you can literally stretch it with no limits. Due to the time limit on the project I didn't implement Reporting Services or any other nice and universal way to analyze data; but in a real environment and with real requirements things can get even more exciting.

The grade for the project was 92%. Having IDS logs as the only artifact of the break-in was a pretty harsh challenge. Imagine millions of records and every record indicates malicious activity. The real problem was that 90% of those are false positives and the remaining 10% need to be nicely aggregated before they start making sense. The last stage was to reconstruct the steps of an attacker.




Regards,

Yaroslav
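Yaroslav's closing post describes the triage the article automated: load the IDS alerts into SQL Server, drop the bulk of false positives, aggregate what remains, and reconstruct the attacker's sequence of steps. The T-SQL below is an added example (not code from the article or from anyone in this thread) showing one way to do those three stages in a single script. The table and column names, the noise heuristic, the thresholds and every data row are constructed assumptions, and the syntax stays within what SQL Server 2005 supports (CTEs and ROW_NUMBER, but no multi-row VALUES or LAG).

```sql
-- Added example, not from the article. Schema and rows are constructed.
CREATE TABLE #IdsAlert (
    AlertTime DATETIME    NOT NULL,
    SrcIp     VARCHAR(15) NOT NULL,
    DstIp     VARCHAR(15) NOT NULL,
    DstPort   INT         NOT NULL,
    Signature VARCHAR(80) NOT NULL,
    Priority  TINYINT     NOT NULL   -- sensor priority: 1 = high, 3 = low
);

-- Constructed sample: a low-priority signature firing from many hosts (noise),
-- and one external source that scans a server, probes its web app, then logs in.
INSERT INTO #IdsAlert (AlertTime, SrcIp, DstIp, DstPort, Signature, Priority)
SELECT '2006-03-01 01:00:00', '172.16.5.5',  '10.1.1.1',  137, 'NETBIOS name query',           3 UNION ALL
SELECT '2006-03-01 01:00:01', '172.16.5.6',  '10.1.1.2',  137, 'NETBIOS name query',           3 UNION ALL
SELECT '2006-03-01 01:00:02', '172.16.5.7',  '10.1.1.3',  137, 'NETBIOS name query',           3 UNION ALL
SELECT '2006-03-01 01:00:03', '172.16.5.8',  '10.1.1.4',  137, 'NETBIOS name query',           3 UNION ALL
SELECT '2006-03-01 02:10:00', '203.0.113.9', '10.1.1.20',  22, 'SCAN SYN probe',               2 UNION ALL
SELECT '2006-03-01 02:10:01', '203.0.113.9', '10.1.1.20',  80, 'SCAN SYN probe',               2 UNION ALL
SELECT '2006-03-01 02:10:02', '203.0.113.9', '10.1.1.20', 443, 'SCAN SYN probe',               2 UNION ALL
SELECT '2006-03-01 02:15:30', '203.0.113.9', '10.1.1.20',  80, 'WEB-MISC directory traversal', 1 UNION ALL
SELECT '2006-03-01 02:16:12', '203.0.113.9', '10.1.1.20',  80, 'WEB-MISC directory traversal', 1 UNION ALL
SELECT '2006-03-01 02:40:00', '203.0.113.9', '10.1.1.20',  22, 'SSH login from new source',    2;

-- Stage 1: build a noise list. Heuristic (an assumption of this example): a
-- signature that never exceeds low priority and fires from at least three
-- distinct sources is background chatter, not evidence of a break-in.
SELECT Signature
INTO   #NoiseSig
FROM   #IdsAlert
GROUP  BY Signature
HAVING MIN(Priority) = 3
   AND COUNT(DISTINCT SrcIp) >= 3;

-- Keep only alerts whose signature is not on the noise list.
SELECT a.*
INTO   #Kept
FROM   #IdsAlert AS a
WHERE  a.Signature NOT IN (SELECT Signature FROM #NoiseSig);

-- Stage 2: collapse the survivors into one row per source and signature,
-- so a scan of many ports reads as one event with a count and a time span.
SELECT SrcIp,
       Signature,
       COUNT(*)                AS Hits,
       COUNT(DISTINCT DstPort) AS DistinctPorts,
       MIN(AlertTime)          AS FirstSeen,
       MAX(AlertTime)          AS LastSeen,
       MIN(Priority)           AS WorstPriority
FROM   #Kept
GROUP  BY SrcIp, Signature
ORDER  BY SrcIp, FirstSeen;

-- Stage 3: reconstruct the ordered steps per source. The gap from the previous
-- alert separates a burst (the scan) from later, deliberate actions.
WITH Seq AS (
    SELECT SrcIp, AlertTime, DstIp, DstPort, Signature, Priority,
           ROW_NUMBER() OVER (PARTITION BY SrcIp ORDER BY AlertTime) AS Step
    FROM   #Kept
)
SELECT cur.SrcIp, cur.Step, cur.AlertTime, cur.DstIp, cur.DstPort, cur.Signature,
       DATEDIFF(SECOND, prev.AlertTime, cur.AlertTime) AS SecondsSincePrev
FROM   Seq AS cur
LEFT JOIN Seq AS prev
       ON prev.SrcIp = cur.SrcIp
      AND prev.Step  = cur.Step - 1
ORDER  BY cur.SrcIp, cur.Step;

DROP TABLE #Kept;
DROP TABLE #NoiseSig;
DROP TABLE #IdsAlert;
```

Run it in a scratch database. The four NETBIOS rows land on the noise list because the same low-priority signature fires from four distinct sources, so the summary contains only the 203.0.113.9 rows (three-port scan, two web probes, one SSH login), and the timeline shows the 25-minute gap between the last probe and the login. The three-source threshold is arbitrary here; on real data the cut-off comes from inspecting the signature distribution first, and the suppressed rows should be kept in a side table rather than deleted, since a "noisy" signature can still be the one that matters once it is correlated with a source on the timeline.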
