Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 17 Feb 2016 15:39:13 +0000
From: Fiedler Roman <>
To: "" <>
Subject: Feedback and mentoring (reviewer) for logdata-anomaly-miner

Hello List,

We want to share a part of a log-data analysis pipeline tool as open source
Debian package. As we are especially interested in feedback from security
engineers, we want to have it easily to install and remove on common
distributions to lower the barrier for testing.

<?Timesaver: in short, who is interested in package review, mentoring?
Others may stop reading here. ?>

Motivation: Have toolset to allow construction of lightweight and very
flexible processing pipelines for purposes ranging from simple value checks
(e.g. like logcheck on single machine but with data streaming operation (not
batch), O(log(n)) instead of O(n) CPU resources due to tree-shaped parsing
models, mail alerting with exponential backoff, ...) but also to find
atypical sequences of commands (correlation based whitelisting of logdata -
AECID approach) or analyse action sequences in normal operation, that could
be exploited in malicious environments (blacklisting approach, e.g. to fully
automate detection of issues similar to those reported by us last year [1],
[2], [3]). This should all run smoothly with limited resources and limited
risks even on production machines, e.g. to set intelligent probes on those

The package contains the initial standalone version of the distributed
mining component, ported from Java. The idea is to distribute the
security-critical core as reviewed lightweight package to allow simple
update in case security issues were found. Rulesets and configuration
packages for complex scenarios will follow in separate packages. As they do
not contain root-executed code, review requirements are far less strict.

Configuration format of unprivileged analysis pipeline is currently plain
Python. This will be augmented with configuration generators/better
generation format as soon as it becomes clear, if there is a community use
for it and which usecases are most relevant for them. (we use it for
research and have no problem with current semi-automatic config generation
for that purpose).

Is there someone on this list also mentoring for Debian, e.g. on [4] to
review and mentor the code in [5], especially regarding security
implications? Apart from the packaging and standard distribution-related
issues, I would be glad to point to all the problematic spots with security
impact I already known, hopefully to detect all security weaknesses before
publication of the package.

Kind Regards,
Roman Fiedler


PS: See [6] for package description, [7] for intro, manpage attached (nroff
-man AMiner.1)

DI Roman Fiedler
Digital Safety & Security Department
Assistive Healthcare Information Technology

AIT Austrian Institute of Technology GmbH
Reininghausstraße 13/1 | 8020 Graz | Austria
T +43(0) 50550 2957 | M +43(0) 664 8561599 | F +43(0) 50550 2950 |

FN: 115980 i HG Wien  |  UID: ATU14703506

Download attachment "AMiner.1" of type "application/octet-stream" (4018 bytes)

Download attachment "smime.p7s" of type "application/pkcs7-signature" (6344 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.