Re: [logs] log review policies

From: peff-loganalat_private
Date: Thu Oct 18 2001 - 11:39:28 PDT


    On Thu, 18 Oct 2001, Ralf Hildebrandt wrote:
    
    > On Wed, Oct 17, 2001 at 09:45:03PM -0400, peff-loganalat_private wrote:
    >
    > > - attacker breaks into mail server
    > > - attacker deletes logs from mail server
    > > - admin has no idea that attack occurred
    >
    > - admin was not running a data integrity checker like tripwire or aide.
    >   Uh.
    
    Two points:
    
    - How do you run tripwire on log data? You don't know what it's supposed
      to look like.
    
    - How do you review your tripwire logs? I hope not by tripwiring your
      mail server, then mailing the output of tripwire to yourself. It's
      then subject to the same attack (in fact, the logs I'm talking about
      are typically tripwire-style reports -- something that indicates an
      attacker's presence that they want to erase).
    
    -Jeff
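The two points above (a whole-file integrity snapshot cannot cope with a log that legitimately grows, and the attestation must not be stored or delivered through the host being monitored) can be made concrete with a prefix-hash check. The following is an added example, not code from the thread or from tripwire/aide; the log lines and the `attest`/`verify` functions are constructed for illustration.

```python
import hashlib

# Constructed sample mail-server log content; not taken from the thread.
LOG_T0 = (
    b"Oct 17 21:40:01 mail postfix/smtpd[1]: connect from unknown[192.0.2.10]\n"
    b"Oct 17 21:40:02 mail postfix/smtpd[1]: disconnect from unknown[192.0.2.10]\n"
)
NEW_LINE = b"Oct 17 21:41:00 mail sshd[2]: Accepted publickey for root from 192.0.2.10\n"


def naive_snapshot_check(log_bytes, baseline_hash):
    """Tripwire-style whole-file comparison: reports CHANGED for any difference,
    so a log that merely grew looks the same as one that was tampered with."""
    return "OK" if hashlib.sha256(log_bytes).hexdigest() == baseline_hash else "CHANGED"


def attest(log_bytes):
    """Record how much of the log has been seen and the hash of exactly that prefix.

    The record must be kept off the monitored host, and must not be delivered
    through the service being monitored (e.g. mailed via the same mail server);
    otherwise an intruder who can erase the log can rewrite the record too."""
    return {"length": len(log_bytes), "sha256": hashlib.sha256(log_bytes).hexdigest()}


def verify(log_bytes, attestation):
    """Check an append-only log against an earlier attestation.

    Returns one of:
      ("OK", appended_bytes)  - attested prefix intact, only new data appended
      ("TRUNCATED", missing)  - log is shorter than the attested length
      ("MODIFIED", 0)         - attested prefix present but its hash differs
    """
    n = attestation["length"]
    if len(log_bytes) < n:
        return ("TRUNCATED", n - len(log_bytes))
    if hashlib.sha256(log_bytes[:n]).hexdigest() != attestation["sha256"]:
        return ("MODIFIED", 0)
    return ("OK", len(log_bytes) - n)


if __name__ == "__main__":
    record = attest(LOG_T0)
    grown = LOG_T0 + NEW_LINE
    edited = LOG_T0.replace(b"192.0.2.10", b"192.0.2.11", 1)  # same length, old line altered
    print("naive check after legitimate append:", naive_snapshot_check(grown, record["sha256"]))
    print("prefix check after legitimate append:", verify(grown, record))
    print("prefix check after log wiped:", verify(b"", record))
    print("prefix check after old line edited:", verify(edited, record))
```

The naive check flags every run on a growing log, which is why "tripwiring" a log file is not useful on its own; the prefix check accepts appends and still detects deletion or alteration of anything already attested. It only helps if the attestation record lives somewhere the intruder on the mail server cannot reach.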
    
    
    



    This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 13:45:44 PDT