On Thu, 18 Oct 2001, Ralf Hildebrandt wrote:

> On Wed, Oct 17, 2001 at 09:45:03PM -0400, peff-loganalat_private wrote:
>
> > - attacker breaks into mail server
> > - attacker deletes logs from mail server
> > - admin has no idea that attack occurred
>
> - admin was not running a data integrity checker like tripwire or aide.
>

Uh. Two points:

- How do you run tripwire on log data? You don't know what it's supposed to look like.
- How do you review your tripwire logs? I hope not by tripwiring your mail server, then mailing the output of tripwire to yourself. It's then subject to the same attack (in fact, the logs I'm talking about are typically tripwire-style reports -- something that indicates an attacker's presence that they want to erase).

-Jeff