[778] in Intrusion Detection Systems
RE: Signs of an Intruder
daemon@ATHENA.MIT.EDU (Diane Davidowicz)
Wed Nov 27 06:37:39 1996
Date: Mon, 25 Nov 96 18:27:34 EST
From: Diane Davidowicz <diane_d@sun1.wwb.noaa.gov>
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
> Why not just log everything to write once media such as a Worm drive...
This is on the right track and so is logging off to other systems as so
many of us know.
>
> I also believe there is some help in using "security through obscurity",
> whereby you place wrapper logs etc. in a logfile where a whole lot of
> irrelevant logging goes too (for example, the ftp xferlog, or somesuch).
>
Wrong. The intruders with a clue know what to look for and remove themselves
promptly. Nothing is sacred on a system once it has intruders. Keep checksums
to detect what has changed and protect your logs by sending them off to
a secured environment.
Diane
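The checksum advice above, as an added example (this is not code from the message or the list): build a baseline of file digests, keep that baseline off the monitored host, and compare later to see what was modified, removed or added. File names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file under root (relative path) to its digest.
    The result must be stored somewhere the host cannot rewrite
    (write-once media, or a separate secured system), or an intruder
    who edits a file can simply edit the baseline to match."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report what changed between two baselines."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: snapshot two log files, then alter the tree
    the way a later check should catch (a record gone from one file,
    another file deleted, a new file present) and report the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "messages").write_text("Nov 25 18:27:34 host login: session opened for user diane\n"
                                       "Nov 25 18:29:10 host su: diane to root on /dev/ttyp1\n")
        (root / "xferlog").write_text("Mon Nov 25 18:30:01 1996 1 10.0.0.5 512 /pub/README a _ o a anon ftp 0 * c\n")
        baseline = build_baseline(root)          # in practice: shipped off-host at this point
        (root / "messages").write_text("Nov 25 18:27:34 host login: session opened for user diane\n")
        (root / "xferlog").unlink()
        (root / "wtmp").write_bytes(b"\x00" * 16)
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Note that a live log legitimately changes as it grows, so checksums are most useful for binaries, configuration and archived log segments; for the active log the protection is the off-host copy, which this check cannot replace.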