On Thu, Oct 18, 2001 at 02:39:28PM -0400, peff-loganalat_private wrote:

> - How do you run tripwire on log data? You don't know what it's supposed
>   to look like.

I assumed that an attacker would leave more traces than just altered logfiles.

> - How do you review your tripwire logs? I hope not by tripwiring your
>   mail server, then mailing the output of tripwire to yourself. It's
>   then subject to the same attack (in fact, the logs I'm talking about
>   are typically tripwire-style reports -- something that indicates an
>   attacker's presence that they want to erase).

Well, one has to walk over and put in the floppy with the DB, then check it.

--
Ralf Hildebrandt
Tel. +49 (0)30-450 570-155
Fax. +49 (0)30-450 570-916
All software sucks. Everybody is considered a jerk by somebody. The sun
rises, the sun sets, the Sun crashes, lusers are LARTed, BOFHs get drunk.
It is the way of things.
This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 06:42:07 PDT