[797] in Intrusion Detection Systems


RE: Signs of an Intruder

daemon@ATHENA.MIT.EDU (Dwight Hubbard)
Thu Dec 5 02:08:22 1996

From: Dwight Hubbard <dhubbard@mail.cedarnet.com>
To: "'ids@uow.edu.au'" <ids@uow.edu.au>
Date: Mon, 2 Dec 1996 08:29:26 -0600
Reply-To: ids@uow.edu.au

Exactly how would an intruder remove themselves from a log written to a write
only media.  Or for that matter a laser printer??

----------
From:   Diane Davidowicz[SMTP:diane_d@sun1.wwb.noaa.gov]
Sent:   Monday, November 25, 1996 5:27 PM
To:     ids@uow.edu.au
Subject:        RE: Signs of an Intruder

> Why not just log everything to write once media such as a Worm drive...
This is on the right track and so is logging off to other systems as so
many of us know.
> 
> I also believe there is some help in using "security through obscurity",
> whereby you place wrapper logs etc. in a logfile where a whole lot of
> irrelevant logging goes too (for example, the ftp xferlog, or somesuch).
> 
Wrong. The intruders with a clue know what to look for and remove themselves
promptly. Nothing is sacred on a system once it has intruders. Keep checksums
to detect what has changed and protect your logs by sending them off to
a secured environment.


Diane
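
The checksum and off-host logging advice in the reply above, as an added example that is not part of the original thread: it goes one step past a single file checksum by chaining a SHA-256 digest over each log entry, so a copy of the digests held on the secured host shows where a local log was altered or cut. The function names, the genesis value and the log lines are assumptions constructed for illustration.

```python
import hashlib

GENESIS = b"\x00" * 32  # assumed starting value for the chain


def chain_digests(lines):
    """Return the running SHA-256 chain; digest[i] covers lines[0..i]."""
    digests, prev = [], GENESIS
    for line in lines:
        prev = hashlib.sha256(prev + line.encode("utf-8")).digest()
        digests.append(prev)
    return digests


def first_divergence(local_lines, trusted_digests):
    """Compare a local log with the digests kept on the secured host.

    Returns None when every trusted entry is still present and unchanged,
    otherwise the 0-based index of the first altered, removed or missing
    entry. Local lines newer than the trusted record are not checked.
    """
    local = chain_digests(local_lines)
    for i, trusted in enumerate(trusted_digests):
        if i >= len(local) or local[i] != trusted:
            return i
    return None


# Constructed sample log lines (not taken from any real system).
ORIGINAL = [
    "Dec  2 03:10:01 host1 ftpd[212]: connection from 192.0.2.10",
    "Dec  2 03:10:07 host1 ftpd[212]: FTP LOGIN FROM 192.0.2.10 as guest",
    "Dec  2 03:12:44 host1 su: 'su root' succeeded for guest on /dev/ttyp1",
    "Dec  2 03:15:02 host1 ftpd[212]: FTP session closed",
]

# Digests as they would have been recorded off-host when the lines arrived.
TRUSTED = chain_digests(ORIGINAL)

# Local copy after one entry was deleted, and after the tail was cut off.
ENTRY_REMOVED = ORIGINAL[:2] + ORIGINAL[3:]
TRUNCATED = ORIGINAL[:2]

if __name__ == "__main__":
    for name, log in (("untouched", ORIGINAL),
                      ("entry removed", ENTRY_REMOVED),
                      ("truncated", TRUNCATED)):
        print(name, "->", first_divergence(log, TRUSTED))
```

The digests only help if they live somewhere the intruder cannot rewrite them, which is the point of the secured environment in the message above.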
