[771] in Intrusion Detection Systems
RE: Signs of an Intruder
daemon@ATHENA.MIT.EDU (Dwight Hubbard)
Mon Nov 25 18:15:15 1996
From: "Dwight Hubbard" <Dwight.Hubbard@mci.com>
To: "'ids@uow.edu.au'" <ids@uow.edu.au>
Date: Mon, 25 Nov 1996 09:44:35 -0600
Reply-To: ids@uow.edu.au
Why not just log everything to write-once media such as a WORM drive...
I also believe there is some help in using "security through obscurity",
whereby you place wrapper logs etc. in a logfile where a whole lot of
irrelevant logging goes too (for example, the ftp xferlog, or somesuch).
...I mean while we are on the issue of "more secure". Nothing is, of
course.
Tor.
>
> One problem here is that the knowledgeable hacker also knows where to
> look and will clean up after/during the attack. Therefore wrappers
> and secondary logging to an alternate host is a more secure way (note
> I say more secure and not secure) of ensuring audit trails are valid.