[821] in Intrusion Detection Systems
Re: Signs of an Intruder
daemon@ATHENA.MIT.EDU (Troy)
Fri Dec 27 01:34:44 1996
Date: Tue, 17 Dec 1996 17:15:50 -0500
From: infoline@hutton.net (Troy)
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
Mike Kienenberger wrote:
>
> On Thu, 5 Dec 1996, "BlackHeart" wrote:
> > It would seem to me the most logical thing to do is to have a print log of
> > all port connections, including the site it is coming from. Sure, it is
> > definitely possible that logs may be altered, but it's pretty hard to roll
> > back the paper...
>
> The only problem with this is that you're going to get data overkill.
> And without computer readable media, there's no way to condense and
> process that information in a reasonable amount of time. Of course,
> if you're only interested in logging events, that's probably a good solution
> for you.
In addition, you can write a simple log viewer to extract the known signs
of intrusion within your log files; as for size, just gzip them with the
day's date and move them to tape.
>
> > Another interesting point that I've seen in this discussion is looking for
> > attempted commands like "wiz" and "debug"... chances are, if someone is
> > attempting these commands, they have either lived in a cave for the past
> > decade or have no idea what they are doing... what version of sendmail
> > actually contained the "wizard" backdoor? I know that it was fixed on most
> > systems as early as 1988, when the infamous worm used it as a method of
> > security breach... but anyway, I digress... later.
>
> Actually, it's much more likely that if those commands are used,
> someone is running some sort of automated security scanner on your site.
> It's a good way to catch the unskilled tool-using attackers.
>
> Such an attack occurred at our site a few months ago.
> ---
> Mike Kienenberger Arctic Region Supercomputing Center
> Systems Analyst (907) 474-6842
> mkienenb@arsc.edu http://www.arsc.edu
>
> "Yes, in 6.3 we finally gave in to the security demands of some of our
> customers. It is a major pain in the neck" --Martin Knoblauch of Silicon
> Graphics GmbH referring to the change requiring that xhost access be
> explicitly enabled.
--
Troy Billington
SysOp: InfoLine BBS systems
(305) 598-2679 Miami, Fl
"http://www.hutton.net/infoline"
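A sketch of the "simple log viewer" Troy describes, added here as an example; it is not code from the original message or from anyone on the list. It runs a handful of known-sign regexes over syslog-style lines (the sendmail "wiz" and "debug" commands discussed in the thread, repeated login failures, finger probes), tallies hits per source host so a scanner tripping several signatures stands out, and gzips the day's log with a date stamp for archiving to tape. The sample log lines are constructed, and the message formats, host names and addresses are assumptions for illustration, not captures from a real system.

```python
"""Minimal known-sign log scanner with dated gzip rotation (added example)."""
import gzip
import re
import shutil
from datetime import date
from pathlib import Path

# Constructed syslog-style lines (not real captures). The exact wording of the
# sendmail, login and fingerd messages is assumed for illustration.
SAMPLE_LOG = """\
Dec 17 17:01:12 mailhost sendmail[2211]: NOQUEUE: "wiz" command from scanner.example.net [192.0.2.77]
Dec 17 17:01:13 mailhost sendmail[2211]: NOQUEUE: "debug" command from scanner.example.net [192.0.2.77]
Dec 17 17:02:40 mailhost sendmail[2214]: QAA02214: from=<alice@example.com>, size=1024, class=0
Dec 17 17:05:02 mailhost in.telnetd[2301]: connect from 198.51.100.9
Dec 17 17:05:05 mailhost login[2302]: REPEATED login failures on ttyp1 from 198.51.100.9, root
Dec 17 17:09:17 mailhost in.fingerd[2310]: connect from 198.51.100.9
"""

# Known signs of intrusion: signature name -> regex whose group 1 is the source host.
SIGNATURES = {
    "sendmail-wiz": re.compile(r'sendmail\[\d+\]: .*"wiz" command from (\S+)'),
    "sendmail-debug": re.compile(r'sendmail\[\d+\]: .*"debug" command from (\S+)'),
    "login-failures": re.compile(r'login\[\d+\]: REPEATED login failures .* from (\S+),'),
    "finger-probe": re.compile(r'in\.fingerd\[\d+\]: connect from (\S+)'),
}


def scan_log(lines, signatures=SIGNATURES):
    """Return (line_no, signature_name, source_host) for every line matching a signature."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pat in signatures.items():
            m = pat.search(line)
            if m:
                hits.append((n, name, m.group(1)))
    return hits


def sources_by_count(hits):
    """Count hits per source host; one host tripping several signatures looks like a scanner."""
    counts = {}
    for _, _, src in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts


def archive_name(path, stamp):
    """Name of the compressed archive for `path` on day `stamp` (YYYYMMDD)."""
    p = Path(path)
    return str(p.with_name(f"{p.name}.{stamp}.gz"))


def rotate_log(path, day=None):
    """Gzip the live log into a date-stamped archive, truncate the live log, return the archive path."""
    day = day or date.today()
    archive = archive_name(path, f"{day:%Y%m%d}")
    with open(path, "rb") as src, gzip.open(archive, "wb") as dst:
        shutil.copyfileobj(src, dst)
    Path(path).write_bytes(b"")  # the archive is now the copy that goes to tape
    return archive


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for n, name, src in hits:
        print(f"line {n}: {name} from {src}")
    print("hits per source:", sources_by_count(hits))
    print("today's archive would be:", archive_name("/var/log/maillog", f"{date.today():%Y%m%d}"))
```

Run it against a real syslog with `scan_log(open("/var/log/maillog").readlines())`; the signature table is where site-specific known signs go, and `rotate_log` is the piece a nightly cron job would call before the tape run.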