[809] in Intrusion Detection Systems
RE: Signs of an Intruder
daemon@ATHENA.MIT.EDU (Diane Davidowicz)
Thu Dec 12 05:24:56 1996
Date: Fri, 6 Dec 96 12:09:52 EST
From: Diane Davidowicz <diane_d@sun1.wwb.noaa.gov>
To: ids@uow.edu.au
Cc: dhubbard@mail.cedarnet.com
Reply-To: ids@uow.edu.au
>
> > Why not just log everything to write once media such as a Worm drive...
> This is on the right track and so is logging off to other systems as so
> many of us know.
> >
> > I also believe there is some help in using "security through obscurity",
> > whereby you place wrapper logs etc. in a logfile where a whole lot of
> > irrelevant logging goes too (for example, the ftp xferlog, or somesuch).
> >
> Wrong. The intruders with a clue know what to look for and remove themselves
> promptly. Nothing is sacred on a system once it has intruders. Keep checksums
> to detect what has changed and protect your logs by sending them off to
> a secured environment.
>
>
> Diane
>
Dwight said:
> Exactly how would an intruder remove themselves from a log written to a write only
> media. Or for that matter a laser printer??
You mean a write-once media. Write-only media might indicate I can go
back and change things.
The original poster was talking about two different things. One which he talks
about sending to a write-once media (printers, WORMs, whatever), which is
perfectly fine, but the second part he talks about writing to a "logfile"
where xferlog and things get logged to. This indicated to me that it's on the
system disk and that the original poster was saying security through obscurity
somehow works in this scenario. I was addressing this aspect of the post only.
Diane
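The advice in the thread (keep checksums to detect what has changed, and send logs or verification data to a secured host) worked through as an added example that is not from the list or from either poster: a hash-chained log, where each entry's digest covers the previous digest plus the line, so an entry removed or altered in the middle breaks the chain, and a copy of the final digest kept on another host exposes truncation of the tail. The log lines and the genesis value are constructed for the example.

```python
import hashlib

# Constructed sample wrapper-log lines (not from any real system).
SAMPLE_LINES = [
    "Dec  6 12:01:02 host tcpd: connect from 10.0.0.5 (telnet)",
    "Dec  6 12:01:09 host login: ROOT LOGIN REFUSED FROM 10.0.0.5",
    "Dec  6 12:02:41 host tcpd: connect from 10.0.0.5 (ftp)",
    "Dec  6 12:03:15 host ftpd: FTP LOGIN FROM 10.0.0.5, anonymous",
    "Dec  6 12:05:00 host su: 'su root' failed for guest on ttyp1",
]

GENESIS = "0" * 64  # fixed starting digest; constructed for this example


def _digest(prev_hex, line):
    """Digest binds this line to the digest of everything before it."""
    return hashlib.sha256((prev_hex + "\n" + line).encode()).hexdigest()


def chain_log(lines, genesis=GENESIS):
    """Return a list of (digest_hex, line) entries forming a hash chain."""
    prev, entries = genesis, []
    for line in lines:
        prev = _digest(prev, line)
        entries.append((prev, line))
    return entries


def verify_chain(entries, genesis=GENESIS, expected_tip=None):
    """Recompute the chain. Returns (ok, index_of_first_bad_entry_or_None).

    expected_tip is the final digest as stored on a separate, secured host;
    without it, a truncated tail still verifies because the chain that
    remains is internally consistent.
    """
    prev = genesis
    for i, (stored, line) in enumerate(entries):
        if _digest(prev, line) != stored:
            return False, i        # modified line or removed predecessor
        prev = stored
    if expected_tip is not None and prev != expected_tip:
        return False, len(entries)  # entries missing from the end
    return True, None


if __name__ == "__main__":
    entries = chain_log(SAMPLE_LINES)
    offhost_tip = entries[-1][0]           # shipped to the secured host
    print("intact:", verify_chain(entries, expected_tip=offhost_tip))
    print("entry 2 removed:", verify_chain(entries[:2] + entries[3:]))
    print("tail cut:", verify_chain(entries[:3], expected_tip=offhost_tip))
```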