Simple Event Correlator - SEC: talks and other stuff
Real-time log file analysis using the Simple Event Correlator (SEC)I had to cut quite a bit of material from the paper before it was published due to self imposed deadlines. I have pdf (adobe acrobat format) files of the published paper and the full (author's cut) of the paper here. The published and full versions of the paper in postscript format are also available. The citation that I use for the published paper is:
Rouillard, John P. "Real-time Logfile Analysis Using the Simple Event Correlator (SEC)", 18th USENIX System Administration Conference (LISA '04) Proceedings, November 2004, pp 133-149.For the full version of the paper, I guess the web link would work:
Rouillard, John P. "Real-time Logfile Analysis Using the Simple Event Correlator (SEC)", web publication: http://www.cs.umb.edu/~rouilj/sec/sec_paper_full.pdfThe slides and my notes used for the talk are also available in pdf and postscript formats. Not all the rules files mentioned in the paper are ready for publication. I apologize for that but the hurricanes in Florida where I reside have left me with little time to complete the annotations for the rules. Also technical difficulties have resulted in my being unable to sufficiently test a few rulesets that I want to publish. You can see some of the the rulesets (including the sshd ruleset) seperated out (as described in the performance section of the paper) at: http://www.cs.umb.edu/~rouilj/sec/rulesets/ . The speed test scripts that were used for some of the performance data described in the full paper is in the speed_test_tools.tgz tarball available here. There is no documentation on this at the moment, but it may be useful nonetheless.