Threat-Sieve is a log analysis tool for security analysts. Its most remarkable feature is that it works on any log format that contains IP addresses: there is no need to write adapters or to pre-format log data before feeding it to threat-sieve. It also has a surprisingly low false-positive rate.
Threat-Sieve requires Ruby 1.8 or later. Ruby 1.9 is recommended, as it gives an order-of-magnitude speed increase.

Download Threat-Sieve 1.0 here.
To use threat-sieve, first generate a threat database with the command:
./threat-sieve.rb --update > threats.txt

Once the database is generated, pipe any log file to threat-sieve to have it checked for threats:
cat /var/log/auth.log | ./threat-sieve.rb threats.txt

If a threat is detected, the log entries in question are displayed, along with labels indicating why they were flagged. For example, the following output line indicates an SSH login from a host believed to be controlled by a cybercrime group known as the Russian Business Network (RBN). Note that it records an accepted password login for root, i.e. a successful session rather than a mere connection attempt, so it warrants immediate follow-up:
RBN -> Aug 18 15:06:49 buyvm1 sshd: Accepted password for root from 220.127.116.11 port 45507 ssh2
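The matching step described above (extract every IP address from a log line, whatever its format, look each one up in the threat database, and print the line prefixed with the labels that matched) can be shown in a few lines of Ruby. The following is an added illustration, not threat-sieve's own code. It assumes the threat database is a plain text file of "LABEL IP" lines, since the real threats.txt format is not shown here, and the threat entries and log lines are constructed for the example (the RBN address is the one from the output above):

```ruby
# Added example, not threat-sieve's own code: a minimal version of the
# "any log format containing IP addresses" matching step described above.
# ASSUMPTION: the threat database is a text file of "LABEL IP" lines
# (the real threats.txt format is not shown on the page).

# Match dotted-quad IPv4 addresses, rejecting octets above 255 so that
# impossible addresses such as "1.2.3.400" are not treated as hosts.
OCTET = '(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)'
IPV4_RE = /\b(#{OCTET}(?:\.#{OCTET}){3})\b/

# Parse the threat database into { ip => [labels] }.
# Blank lines and "#" comments are ignored; malformed entries are skipped.
def load_threats(text)
  db = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    label, ip = line.split(/\s+/, 2)
    next unless ip && ip[IPV4_RE] == ip      # whole field must be one address
    db[ip] << label unless db[ip].include?(label)
  end
  db
end

# Scan a log stream in any format: every IPv4 address found in a line is
# looked up, and a flagged line is returned as "LABEL1,LABEL2 -> <line>".
# Lines with no known-bad address are dropped, which is what keeps
# version strings and other address look-alikes out of the output.
def sieve(log_text, db)
  hits = []
  log_text.each_line do |line|
    line = line.chomp
    ips = line.scan(IPV4_RE).flatten.uniq
    labels = ips.flat_map { |ip| db.fetch(ip, []) }.uniq
    next if labels.empty?
    hits << "#{labels.join(',')} -> #{line}"
  end
  hits
end

# Constructed sample data (not real feed contents or a real host's logs).
THREATS = <<DB
# label ip
RBN 220.127.116.11
SCANNER 198.51.100.7
DB

LOG = <<LOG_END
Aug 18 15:06:49 buyvm1 sshd: Accepted password for root from 220.127.116.11 port 45507 ssh2
Aug 18 15:07:02 buyvm1 sshd: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Aug 18 15:07:10 buyvm1 sshd: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Aug 18 15:08:00 buyvm1 apt: upgraded libfoo to 1.2.3.400
LOG_END

if __FILE__ == $PROGRAM_NAME
  puts sieve(LOG, load_threats(THREATS))
end
```

Two points worth keeping in mind when reading output of this kind: the octet check only rejects impossible addresses, so a version string like "2.6.32.1" is excluded solely because it is not in the database; and a match is purely address-based, so a flagged address behind a shared host or NAT will flag every line it appears in, regardless of who was actually behind the connection. The labelled line, as in the RBN example above, tells you where to look, not what happened.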