[750] in Intrusion Detection Systems
Re: Signs of an Intruder
daemon@ATHENA.MIT.EDU (Richard Game)
Wed Nov 20 04:17:24 1996
Date: Thu, 14 Nov 1996 12:15:31 GMT
To: ids@uow.edu.au
From: Richard Game <richard.game@zetnet.co.uk>
Reply-To: ids@uow.edu.au
In message <199610111559.LAA05348@dirham.fincen.gov>
meritj@fincen.treas.gov (Jim Meritt) writes:
> I find the discussion on various tools fascinating, however...
> What are these tools (or a sysadmin) looking for? Things that someone might be
> able to have a "quickie" scan of routine logs (syslog, message files) when
> "special" logging from wrappers and such is not available nor (on that system
> at that time) any of these useful tools?
> For example, scanning /var/adm/message files for lines containing:
> LOGIN FAILURES
> attempt
> sendmail
> connection from bad port
> su:
> SECURITY ALERT
> failed
> What else would "give the show away"?
> Jim Meritt
One problem here is that the knowledgeable hacker also knows where to
look and will clean up after/during the attack. Therefore wrappers
and secondary logging to an alternate host is a more secure way (note
I say more secure and not secure) of ensuring audit trails are valid.
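As an added illustration (not part of either poster's message), the following Python script performs the "quickie" scan Jim describes, using his indicator strings over a constructed sample of /var/adm/messages, and then applies Richard's point: it compares the local file against the copy a separate loghost received, so that lines an intruder deleted locally show up as their own indicator. The host name, the log lines and the loghost copy are all constructed for the example; the indicator list is the one from the quoted post.

```python
import sys

# Indicator strings quoted from Jim Meritt's post; matched case-insensitively.
INDICATORS = [
    "LOGIN FAILURES",
    "attempt",
    "sendmail",
    "connection from bad port",
    "su:",
    "SECURITY ALERT",
    "failed",
]

# Constructed sample of what /var/adm/messages holds on the host itself
# after an intruder has removed the two su: lines.
LOCAL_LOG = """\
Nov 14 11:58:02 athena login[1204]: LOGIN FAILURES ON ttyp1, root
Nov 14 11:58:40 athena sendmail[1210]: NOQUEUE: connection from bad port
Nov 14 12:01:15 athena lpd[88]: restarted
"""

# Constructed copy of the same host's syslog as forwarded to a separate
# loghost (secondary logging), which the intruder could not edit.
REMOTE_LOG = """\
Nov 14 11:58:02 athena login[1204]: LOGIN FAILURES ON ttyp1, root
Nov 14 11:58:40 athena sendmail[1210]: NOQUEUE: connection from bad port
Nov 14 11:59:07 athena su: 'su root' failed for guest on /dev/ttyp1
Nov 14 11:59:30 athena su: 'su root' succeeded for guest on /dev/ttyp1
Nov 14 12:01:15 athena lpd[88]: restarted
"""


def scan_log(text, indicators=INDICATORS):
    """Return a list of (line, matched_indicators) for every log line that
    contains at least one indicator string. Indicator order is preserved."""
    hits = []
    for line in text.splitlines():
        lowered = line.lower()
        matched = [ind for ind in indicators if ind.lower() in lowered]
        if matched:
            hits.append((line, matched))
    return hits


def missing_locally(local_text, remote_text):
    """Lines the loghost received that no longer appear in the local file.

    A non-empty result is itself a sign of an intruder: the local audit
    trail was edited after the events were forwarded off-host."""
    local_lines = set(local_text.splitlines())
    return [line for line in remote_text.splitlines() if line not in local_lines]


def report(local_text, remote_text, out=sys.stdout):
    """Print both checks; returns the number of findings for convenience."""
    findings = 0
    out.write("== keyword hits in local log ==\n")
    for line, matched in scan_log(local_text):
        findings += 1
        out.write("%-30s %s\n" % (",".join(matched), line))
    out.write("== lines on loghost but not in local log ==\n")
    for line in missing_locally(local_text, remote_text):
        findings += 1
        out.write("REMOVED LOCALLY: %s\n" % line)
    return findings


if __name__ == "__main__":
    report(LOCAL_LOG, REMOTE_LOG)
```

On real systems the two inputs would be the host's own messages file and the corresponding file on the loghost; the comparison only works when the loghost cannot be written to from the monitored host, which is exactly why Richard calls it more secure rather than secure.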