
» Tool - loghound

Related categories: Networks | Security | Security tools | Format string vulnerabilities

Stefan Lochbihler
Viewed: 4661 | Article date: 2006-08-14 14:50:48

LogHound is a tool that was designed for finding frequent patterns from event log data sets with the help of a breadth-first frequent itemset mining algorithm.


Operating System: Unix/Linux

Licence: GNU GPL

Application: Mining frequent patterns from event log data

Home page: http://kodu.neti.ee/~risto/loghound/

Quick start: Let us assume that an IDS, e.g. Snort, is running on your network. Your task is to inspect the Snort alert log file for common attack methods. For this you need a tool that does the work for you and groups your log entries according to rules. LogHound, which you can download from http://kodu.neti.ee/~risto/loghound/loghound-0.01.tar.gz, is such a tool.

After downloading, create a new folder and unpack the loghound archive into it.

Next, build the tool with the following command:

gcc -o loghound loghound.c

To look for common attacks we run loghound in its event mining mode. For this, filter your event types and arrange them as in the following example:

WEB-PHP_REMOTE_INCLUDE_PATH

TCP_PORTSCAN UDP_PORTSCAN

WEB-PHP_REMOTE_INCLUDE_PATH

Note that these event types refer to a single destination IP.

In addition, because of the nature of the event mining mode, make sure that each word (item) in a line (transaction) is unique. Once you have arranged your event types, start loghound as follows:

./loghound our_alert.log -s 1 -g

During the mining process, loghound prints various information about its working steps. The most important part for you is the output of the frequent itemsets, e.g.:

  • (UDP_PORTSCAN) TCP_PORTSCAN

    Support: 1

  • WEB-PHP_REMOTE_INCLUDE_PATH

    Support: 2

  • UDP_PORTSCAN

    Support: 1
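To make clear what loghound computes from such an input, here is an added example (not loghound's own code, which is a C program): a small Python reimplementation of breadth-first (Apriori-style) frequent itemset mining, run on the three constructed event-type lines from the example above with a support threshold of 1. The names `load_transactions`, `mine_frequent_itemsets` and `report` are this example's own.

```python
from itertools import combinations

# Constructed sample input: one line per transaction, each line holding the
# event types (items) observed for one destination IP, as the article asks.
SAMPLE_LOG = """\
WEB-PHP_REMOTE_INCLUDE_PATH
TCP_PORTSCAN UDP_PORTSCAN
WEB-PHP_REMOTE_INCLUDE_PATH
"""

def load_transactions(text):
    """Each non-empty line is a transaction, each word an item. Repeated words
    on a line collapse into one, since items in a transaction must be unique."""
    return [frozenset(line.split()) for line in text.splitlines() if line.strip()]

def support(itemset, transactions):
    """Number of transactions that contain every item of the itemset."""
    return sum(1 for t in transactions if itemset <= t)

def mine_frequent_itemsets(transactions, min_support):
    """Breadth-first (level-wise) mining: level k candidates are joined from
    frequent (k-1)-itemsets, and a candidate with any infrequent (k-1)-subset
    is pruned before its support is counted."""
    frequent = {}
    level = {frozenset([item]) for t in transactions for item in t}
    k = 1
    while level:
        current = {s: c for s in level
                   if (c := support(s, transactions)) >= min_support}
        if not current:
            break
        frequent.update(current)
        level = set()
        for a, b in combinations(sorted(current, key=sorted), 2):
            cand = a | b                      # join two k-sets sharing k-1 items
            if len(cand) == k + 1 and all(
                    frozenset(sub) in current for sub in combinations(cand, k)):
                level.add(cand)               # survives the subset-pruning test
        k += 1
    return frequent

def report(frequent):
    """Render itemsets in loghound's style: items, then their support."""
    order = sorted(frequent, key=lambda s: (-frequent[s], sorted(s)))
    return "\n".join(f"{' '.join(sorted(s))}\n  Support: {frequent[s]}" for s in order)

if __name__ == "__main__":
    print(report(mine_frequent_itemsets(load_transactions(SAMPLE_LOG), 1)))
```

Raising the threshold (`-s 2` in loghound terms) leaves only the WEB-PHP_REMOTE_INCLUDE_PATH itemset, which is how the support parameter separates recurring event combinations from one-off noise.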

Copyright © 2006 by Software Developer's Journal. All rights reserved.