[826] in Intrusion Detection Systems


Re: Signs of an Intruder

daemon@ATHENA.MIT.EDU (BJ Chippindale)
Fri Dec 27 01:38:10 1996

Date: Tue, 17 Dec 1996 18:07:35 GMT
From: bjc@haven.JPL.NASA.GOV (BJ Chippindale)
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au

Folks:

> On Thu, 5 Dec 1996, "BlackHeart" wrote:
> > It would seem to me the most logical thing to do is to have a print log of
> > all port connections, including the site it is coming from.  Sure, it is
> > definitely possible that logs may be altered, but it's pretty hard to roll
> > back the paper...
> 
> The only problem with this is that you're going to get data overkill.
> And without computer readable media, there's no way to condense and
> process that information in a reasonable amount of time.  Of course,
> if you're only interested in logging events, that's probably a good solution
> for you.
> 
> > Another interesting point that I've seen in this discussion is looking for
> > attempted commands like "wiz" and "debug"... chances are, if someone is
> > attempting these commands, they have either lived in a cave for the past
> > decade or have no idea what they are doing... what version of sendmail
> > actually contained the "wizard" backdoor?  I know that it was fixed on most
> > systems as early as 1988, when the infamous worm used it as a method of
> > security breach... but anyways, I digress... later.
> 
> Actually, it's much more likely that if those commands are used,
> someone is running some sort of automated security scanner on your site.
> It's a good way to catch the unskilled tool-using attackers.
> 
> Such an attack occurred at our site a few months ago.
> ---
> Mike Kienenberger    Arctic Region Supercomputing Center
> Systems Analyst      (907) 474-6842
> mkienenb@arsc.edu    http://www.arsc.edu
> 
> "Yes, in 6.3 we finally gave in to the security demands of some of our
> customers. It is a major pain in the neck" --Martin Knoblauch of Silicon
> Graphics GmbH referring to the change requiring that xhost access be
> explicitly enabled.
> 

The problem with paper is that you use too many trees. The best suggestion
that I have seen is that the log is simply sent out the serial port to a dedicated
PC that is set up to append it all to a file.  No attacker can get control of
the PC.  The worst they could do, if they spot the logging, is to send
additional trash to the log, flooding it and overwhelming the PC disk.  They
can do the same thing to your printer anyway.  If you want you can put a
filter process on the PC, which would become essentially a dedicated log
for your system or systems.   With a program that sends trash messages to
the bit-bucket on the PC, recognizing valid input and filing it, you'd be
able to keep control of the problem of "flood" denial-of-service attacks
on the log device.  The intelligent log can be made relatively immune to
these attacks, which is not true of either Paper or Write-Only CD.

very respectfully  
BJ Chippindale
NSCAT Systems Administration
bjc@haven.jpl.nasa.gov
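A filter process for the dedicated log PC of the kind described above, as an added example that is not from the list or any of its posters: it accepts only well-formed BSD-syslog lines (the format a serial console relay would carry), bit-buckets everything else, and token-buckets accepted lines per source host so a flood cannot fill the disk. The class and function names, the sample line and the injectable clock are my own assumptions.

```python
import re
import time
from collections import defaultdict

# BSD syslog line (RFC 3164) as relayed down the serial link:
# "<PRI>Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>[A-Za-z0-9.\-]{1,64}) "
    r"(?P<tag>[A-Za-z0-9_\-/.]{1,32})(?:\[\d+\])?: "
    r"(?P<msg>[\x20-\x7e]{1,1024})$"      # printable ASCII only, bounded length
)


class LogFilter:
    """Accepts well-formed log lines, drops trash, and caps the accepted
    rate per host (token bucket) so a flood cannot overwhelm the log disk."""

    def __init__(self, rate_per_sec=10.0, burst=50, now=time.monotonic):
        self.rate = rate_per_sec          # sustained lines/sec per host
        self.burst = burst                # short burst allowed per host
        self.now = now                    # clock is injectable for testing
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}
        self.dropped = defaultdict(int)   # per-reason counts for an audit summary

    def _take_token(self, host):
        t = self.now()
        elapsed = t - self.last.get(host, t)
        self.last[host] = t
        self.tokens[host] = min(self.burst, self.tokens[host] + elapsed * self.rate)
        if self.tokens[host] < 1.0:
            return False
        self.tokens[host] -= 1.0
        return True

    def classify(self, raw):
        """Return ("accept", fields) to file the line, or ("drop", reason)."""
        m = SYSLOG_RE.match(raw.rstrip("\r\n"))
        if not m:
            self.dropped["malformed"] += 1
            return ("drop", "malformed")
        if int(m.group("pri")) > 191:     # facility*8 + severity never exceeds 191
            self.dropped["bad_pri"] += 1
            return ("drop", "bad_pri")
        if not self._take_token(m.group("host")):
            self.dropped["rate_limited"] += 1
            return ("drop", "rate_limited")
        return ("accept", m.groupdict())
```

Dropped counts are kept rather than the dropped bytes, so the record that a flood happened survives without the flood itself reaching the disk.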
