RE: [logs] RE: NT Event Log and Web Server Attacks

From: H C (keydet89at_private)
Date: Fri Jan 17 2003 - 11:26:42 PST

    Like I said, I applaud your efforts.  Maybe you'd like
    to discuss some of the other things that I've worked
    on in the past, that may be of help.  
    
    I just think that due to the obscurity of the
    EventLog, particularly on NT and 2K platforms, this
    can be a bit more trouble than it's worth.  
    
    One cannot prevent intrusions...you're right. 
    However, a few simple steps can make it such that an
    intrusion is exceedingly difficult.  Given that, if
    you do get "hacked", it's highly likely that
    near-real-time EventLog monitoring systems won't be of
    any use?  Why?  Well, the first thing one would want
    to do is disable logging, which is easy to do w/
    auditpol.exe...
    
    --- Rainer Gerhards <rgerhardsat_private> wrote:
    > > Instead of reacting to an incident after it has
    > > happened, try preventing the incident, or making it
    > > difficult for an incident to actually occur.
    > 
    > I fully agree on this. BUT: we all know we cannot
    > totally prevent an intrusion. So I am trying to set up
    > some basic (near-real time) rules that will notify you
    > when your other efforts have been broken. This is
    > why I see "you hopefully will never see this event".
    > 
    > Rainer
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
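The exchange above turns on one point: the first thing done after a compromise is to turn auditing off, so a monitoring rule set is only useful if that act, and the silence that follows it, are themselves the events you alert on. The following is an added example of such a rule set and is not code from either poster. It assumes security events have already been collected into simple records with a timestamp, an event ID and a description; the sample records are constructed for the example. Event IDs 612 ("Audit Policy Change"), 517 ("The audit log was cleared"), 592 (process created, needs process-tracking audit enabled) and 528 (successful logon) are the Windows NT/2000 security-log IDs for those actions. The heartbeat check generalises the thread's point: a collector that has heard nothing from a host for longer than expected treats that as an alert too, since that is what a disabled audit policy looks like from the outside.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape of NT/2000 Security log entries
# (illustrative, not captured logs).
SAMPLE_EVENTS = [
    {"time": "2003-01-17 11:00:00", "id": 528, "desc": "Successful Logon"},
    {"time": "2003-01-17 11:00:05", "id": 592,
     "desc": "A new process has been created: C:\\WINNT\\system32\\auditpol.exe"},
    {"time": "2003-01-17 11:00:06", "id": 612, "desc": "Audit Policy Change"},
    {"time": "2003-01-17 11:00:07", "id": 517, "desc": "The audit log was cleared"},
]

# "You hopefully will never see this event" rules: the appearance of the
# event is itself the alert. 612 and 517 are the NT/2000 security-event IDs
# for an audit-policy change and for clearing the security log.
NEVER_EXPECTED = {
    612: "audit policy changed - auditing may have been reduced or disabled",
    517: "security log cleared",
}

# Process-tracking rule (event 592 requires 'Audit process tracking');
# the image name is the tool the thread mentions.
WATCHED_IMAGES = ("auditpol.exe",)

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_time(s):
    return datetime.strptime(s, TIME_FMT)


def evaluate_rules(events, now, heartbeat=timedelta(minutes=5)):
    """Return a list of (time, event_id, reason) alerts.

    `now` is the evaluation time, passed in so runs are reproducible. A gap
    longer than `heartbeat` since the newest event is reported with
    event_id None: a host that has gone quiet is indistinguishable, from the
    collector's side, from one whose auditing was switched off.
    """
    alerts = []
    last_seen = None
    for ev in events:
        t = parse_time(ev["time"])
        eid = ev["id"]
        if eid in NEVER_EXPECTED:
            alerts.append((t, eid, NEVER_EXPECTED[eid]))
        elif eid == 592 and any(img in ev["desc"].lower() for img in WATCHED_IMAGES):
            alerts.append((t, eid, "audit-policy tool started: " + ev["desc"]))
        if last_seen is None or t > last_seen:
            last_seen = t
    if last_seen is not None and now - last_seen > heartbeat:
        gap = now - last_seen
        alerts.append((now, None, "no events for %s; host may have stopped logging" % gap))
    return alerts


def alert_ids(events, now):
    """Just the event IDs of the alerts raised, in order (None = heartbeat gap)."""
    return [eid for _, eid, _ in evaluate_rules(events, now)]


if __name__ == "__main__":
    now = parse_time("2003-01-17 11:30:00")
    for t, eid, reason in evaluate_rules(SAMPLE_EVENTS, now):
        print(t, eid if eid is not None else "-", reason)
```

Run against the sample, the policy-change and log-clear events are flagged as they arrive, the process-creation rule catches the tool launch a second earlier, and the heartbeat rule fires once the host has been silent past the window; the last of these is the one that still works after auditing has been disabled.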
    



    This archive was generated by hypermail 2b30 : Sat Jan 18 2003 - 21:53:34 PST