[777] in Intrusion Detection Systems


RE: Signs of an Intruder

daemon@ATHENA.MIT.EDU (Quantum)
Wed Nov 27 06:36:52 1996

Date: Tue, 26 Nov 1996 05:02:29 -0500 (EST)
From: Quantum <quantum@obsidian.cse.fau.edu>
To: "'ids@uow.edu.au'" <ids@uow.edu.au>
In-Reply-To: <01BBDAB5.45A1FBC0@dhlaptop.cr.mci.com>
Reply-To: ids@uow.edu.au


Or a more plausible idea is to log to paper.

> 
> Why not just log everything to write-once media such as a WORM drive...
> 
> I also believe there is some help in using "security through obscurity",
> whereby you place wrapper logs etc. in a logfile where a whole lot of
> irrelevant logging goes too (for example, the ftp xferlog, or somesuch).
> 
> ...I mean while we are on the issue of "more secure". Nothing is, of 
> course.
> 
> Tor.
> 
> > 
> > One problem here is that the knowledgeable hacker also knows where to 
> > look and will clean up after/during the attack. Therefore wrappers 
> > and secondary logging to an alternate host is a more secure way (note 
> > I say more secure and not secure) of ensuring audit trails are valid.
> 
