[820] in Intrusion Detection Systems
RE: Signs of an Intruder
daemon@ATHENA.MIT.EDU (The Particle Son)
Fri Dec 27 01:34:06 1996
Date: Tue, 17 Dec 1996 15:19:19 -0500 (EST)
From: The Particle Son <kmfdm@tesla.netline.net>
To: Al Venz <venz@psa.pencom.com>
Cc: ids@uow.edu.au
In-Reply-To: <Pine.SOL.3.91.961211115325.3993F-100000@psisa.com>
Reply-To: ids@uow.edu.au
On Wed, 11 Dec 1996, Al Venz wrote:
> Howdy,
>
> Just a couple comments. I agree paper logging is very safe, as dictated
> in "The Cuckoo's Egg," but I also remember reading in that book that Cliff
> ran into some paper jam problems, so that's one thing to keep in mind,
> physical reliability of your logs. Another one is cost, how much paper
> would it take for a major ISP to log all connections? What if I knew
> they were logging to paper so I intentionally created connection after
> connection, possibly legitimate connections, in order to use up their
> finite amount of paper before attacking for real? Now that ISP gets a
> call from another one letting them know they'd been attacked from a
> particular site, who's the unlucky soul who manually "greps" all
> connections, attempted or made, from that site, or sites similar.
>
> My point is that paper logging sounds cool but is often unrealistic. If
> it is realistic in your scenario, more power to you.
>
> As for the caveman attacking my site, I guess I should ignore him/her and
> only try to stop the high-tech folks that keep up with the latest bugs.
> Is there a mailing list that tells me when a security hole is considered
> old so I can quit checking on it? Personally I think it's a good idea to
> stick to the "paranoid" theme and check for *all* known problems. Maybe
> somebody has a program that goes through hundreds of known holes/bugs and
> tries to exploit them all. If that were the case the "wiz" "debug"
> attempts may come first and give me an early warning people are attacking.
>
> See ya,
> Al
>
> P.S. What are the actual odds on those "chances" you refer to, maybe we
> can all make some money in Vegas on this. :-)
>
> On Thu, 5 Dec 1996, BlackHeart wrote:
>
> > It would seem to me the most logical thing to do is to have a print log of
> > all port connections, including the site it is coming from. Sure, it is
> > definitely possible that logs may be altered, but it's pretty hard to roll
> > back the paper...
> >
> > Another interesting point that I've seen in this discussion is looking for
> > attempted commands like "wiz" and "debug"... chances are, if someone is
> > attempting these commands, they have either lived in a cave for the past
> > decade or have no idea what they are doing... what version of sendmail
> > actually contained the "wizard" backdoor? I know that it was fixed on most
> > systems as early as 1988, when the infamous worm used it as a method of
> > security breach... but anyways, I digress... later.
> >
> > -blak
> >
>
That's why, if you have a printer spooling logs, you don't tell anyone. If
someone knows this and does that, then you have a good idea that the
person doing it is in close relation to you or one of your friends or
associates. Regardless, it's not a good idea to print it all out. I
hacked my logging daemons to give me a new emergency class for racy
connections, and that is what's logged. Everything else is spooled.
There is always a question of priority or necessity when it comes to
print logging.
Synth
anarchy@wasteland.org
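As an added illustration of the split Synth describes (this is example code, not from the original post and not his patched daemons): a small Python filter that reads connection log lines and sends only an "emergency" class to the printer queue while spooling everything else to disk. The log format, the addresses and the rule that a sendmail "wiz"/"debug" probe marks its source so that later connections from it also print are all assumptions for the example; the per-source print budget is an addition that answers Al's paper-exhaustion point, so one noisy source cannot burn through the paper.

```python
import re
from collections import defaultdict

# Constructed sample log (made-up format, not from the original post):
# tcp_wrappers-style connect lines plus sendmail command rejections.
SAMPLE_LOG = """\
Dec 17 15:19:19 host in.telnetd: connect from 192.0.2.10
Dec 17 15:19:21 host sendmail: 192.0.2.9 command "WIZ" rejected
Dec 17 15:19:22 host sendmail: 192.0.2.9 command "DEBUG" rejected
Dec 17 15:19:30 host in.ftpd: connect from 192.0.2.11
Dec 17 15:19:31 host in.telnetd: connect from 192.0.2.9
Dec 17 15:19:40 host sendmail: 192.0.2.9 command "WIZ" rejected
Dec 17 15:19:41 host sendmail: 192.0.2.9 command "WIZ" rejected
Dec 17 15:19:42 host sendmail: 192.0.2.9 command "WIZ" rejected
"""

# Assumed markers of a "racy" connection: the old sendmail WIZ/DEBUG
# backdoor commands discussed in the thread.
RACY_CMD = re.compile(r'command "(WIZ|DEBUG)"', re.IGNORECASE)
SRC_ADDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def source_of(line):
    """Return the first dotted-quad address on the line, or None."""
    m = SRC_ADDR.search(line)
    return m.group(1) if m else None


def is_racy(line, flagged):
    """Emergency class: a WIZ/DEBUG probe, or any connection from a
    source that has already sent one (assumed policy)."""
    if RACY_CMD.search(line):
        return True
    return source_of(line) in flagged


def route(lines, per_source_cap=3):
    """Split log lines into (to_print, to_spool).

    Lines in the emergency class go to the printer, up to
    per_source_cap lines per source; after that a single summary line
    is printed and the rest of that source's lines are spooled, which
    keeps a deliberate flood from exhausting the paper."""
    flagged = set()
    printed = defaultdict(int)
    to_print, to_spool = [], []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if not is_racy(line, flagged):
            to_spool.append(line)
            continue
        src = source_of(line)
        if src:
            flagged.add(src)
        if src and printed[src] >= per_source_cap:
            if printed[src] == per_source_cap:
                to_print.append(
                    f"*** print budget exhausted for {src}; further lines spooled"
                )
                printed[src] += 1
            to_spool.append(line)
            continue
        printed[src] += 1
        to_print.append(line)
    return to_print, to_spool


if __name__ == "__main__":
    # In a real deployment to_print would be piped to lpr and to_spool
    # appended to the on-disk log; here both are just shown.
    p, s = route(SAMPLE_LOG.splitlines())
    print("PRINTER:")
    for line in p:
        print("  " + line)
    print("SPOOL:")
    for line in s:
        print("  " + line)
```

Run it as-is to see the split on the constructed sample: the two probes and the follow-up telnet connection from the same address print, the fourth emergency line from that source triggers the summary, and the remaining lines go to the spool.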