[767] in Intrusion Detection Systems
Re: Signs of an Intruder
daemon@ATHENA.MIT.EDU (Jonathan M. Bresler)
Mon Nov 25 17:51:15 1996
To: ids@uow.edu.au
In-Reply-To: Your message of "Thu, 21 Nov 1996 13:34:36 +0100."
<Pine.GSO.3.93.961121133218.8599D-100000@pilt.online.no>
Date: Sun, 24 Nov 1996 09:53:37 -0500
From: "Jonathan M. Bresler" <jmb@FRB.GOV>
Reply-To: ids@uow.edu.au
log to a different host. preferably one that cannot transmit
onto the network (cut the transmit lead on the cable. syslog works
thru UDP and does not need or require acknowledgements).
no reason to bloat the logs that you have to work with.
jmb
>
>I also believe there is some help in using "security through obscurity",
>whereby you place wrapper logs etc. in a logfile where a whole lot of
>irrelevant logging goes too (for example, the ftp xferlog, or somesuch).
>
>...I mean while we are on the issue of "more secure". Nothing is, of
>course.
>
>Tor.
>
>>
>> One problem here is that the knowledgeable hacker also knows where to
>> look and will clean up after/during the attack. Therefore wrappers
>> and secondary logging to an alternate host is a more secure way (note
>> I say more secure and not secure) of ensuring audit trails are valid.
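A minimal receive-only syslog collector of the kind the reply describes, added here as an illustration and not code from the list or its posters. It assumes the standard syslog UDP port 514 and a log file path of your choosing; the sender helper and sample message are constructed for the example.

```python
import re
import socket
from datetime import datetime, timezone

# Facility (0-23) and severity (0-7) names, BSD syslog / RFC 3164 numbering.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
DEFAULT_PRI = 13  # user.notice, what RFC 3164 says to assume when PRI is missing


def format_syslog(facility: str, severity: str, msg: str) -> bytes:
    """Build the datagram a sender would emit: '<PRI>message'."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return f"<{pri}>{msg}".encode()


def parse_syslog(datagram: bytes) -> dict:
    """Split a datagram into facility, severity and message text.
    Missing or out-of-range PRI falls back to user.notice and keeps the raw text."""
    text = datagram.decode("utf-8", errors="replace")
    m = re.match(r"<(\d{1,3})>(.*)", text, re.S)
    pri, body = (int(m.group(1)), m.group(2)) if m else (DEFAULT_PRI, text)
    if pri > 191:  # 23*8+7 is the largest valid PRI
        pri, body = DEFAULT_PRI, text
    return {"facility": FACILITIES[pri >> 3],
            "severity": SEVERITIES[pri & 7],
            "message": body.strip()}


def serve(path: str, bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Receive UDP syslog forever and append to a file. Nothing is ever sent back,
    so this works on a host whose transmit lead has been cut, as the reply suggests."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(path, "a") as out:
        while True:
            data, (src, _) = sock.recvfrom(8192)
            rec = parse_syslog(data)
            stamp = datetime.now(timezone.utc).isoformat()
            out.write(f"{stamp} {src} {rec['facility']}.{rec['severity']} {rec['message']}\n")
            out.flush()  # flush per record so a crash loses as little as possible
```

A host that cannot transmit also cannot answer ARP, so the sending machine needs a static ARP entry for the collector's address; port 514 requires root on most systems.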