Like I said, I applaud your efforts. Maybe you'd like to discuss some of the other things that I've worked on in the past that may be of help. I just think that, due to the obscurity of the EventLog, particularly on NT and 2K platforms, this can be a bit more trouble than it's worth.

One cannot prevent intrusions...you're right. However, a few simple steps can make it such that an intrusion is exceedingly difficult. Given that, if you do get "hacked", it's highly likely that near-real-time EventLog monitoring systems won't be of any use. Why? Well, the first thing one would want to do is disable logging, which is easy to do w/ auditpol.exe...

--- Rainer Gerhards <rgerhardsat_private> wrote:
> > Instead of reacting to an incident after it has
> > happened, try preventing the incident, or making it
> > difficult for an incident to actually occur.
>
> I fully agree on this. BUT: we all know we cannot totally prevent an
> intrusion. So I am trying to set up some basic (near-real time) rules
> that will notify you when your other efforts have been broken. This is
> why I see "you hopefully will never see this event".
>
> Rainer

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
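An added example (not code from either poster, and not part of the original thread) illustrating the two rules a monitor can still use once an intruder reaches for auditpol.exe: the audit-policy change is itself written to the Security log before auditing stops (Event ID 612 "Audit Policy Change" on NT4/2000, 4719 on Vista and later; 517/1102 for "audit log cleared"), and a host whose Security log suddenly goes silent is as suspicious as any bad event. The pipe-separated record format, host names, users and timestamps below are all constructed sample data; the Event IDs are real. On NT/2K the 612 event only appears if the Policy Change category is itself being audited, so that category is the first one to enable and forward.

```python
"""Tamper-aware rules for a near-real-time Windows Security log monitor.

Added example; all records are constructed, not real logs.
Event IDs used: 612 / 4719 = audit policy changed (NT4-2000 / Vista+),
                517 / 1102 = audit log cleared (NT4-2000 / Vista+).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

AUDIT_POLICY_CHANGED = {612, 4719}
AUDIT_LOG_CLEARED = {517, 1102}


@dataclass(frozen=True)
class Event:
    host: str
    time: datetime
    event_id: int
    user: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse one constructed 'host|time|id|user|detail' record (hypothetical format)."""
    host, ts, eid, user, detail = line.split("|", 4)
    return Event(host, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), user, detail)


# Constructed sample: WEB1 is compromised, its audit policy is turned off at
# 09:05 by the intruder's Administrator session, and it then goes quiet.
# DC1 keeps logging normally.
SAMPLE_LOG = """\
WEB1|2003-01-18 09:00:12|528|bob|Successful Logon: Logon Type 2
WEB1|2003-01-18 09:04:51|528|Administrator|Successful Logon: Logon Type 10
WEB1|2003-01-18 09:05:03|612|Administrator|Audit Policy Change: Logon/Logoff: None, Object Access: None
DC1|2003-01-18 09:10:00|528|alice|Successful Logon: Logon Type 3
DC1|2003-01-18 09:40:00|538|alice|User Logoff
DC1|2003-01-18 09:58:00|528|carol|Successful Logon: Logon Type 3
"""


def tamper_alerts(events: Iterable[Event]) -> List[Tuple[str, str, str]]:
    """Flag the tampering itself.

    The policy-change record is written *before* auditing stops, so it is the
    last event a monitor can rely on seeing from that host. Returns
    (host, rule, user) tuples in log order.
    """
    alerts = []
    for ev in events:
        if ev.event_id in AUDIT_POLICY_CHANGED:
            alerts.append((ev.host, "audit-policy-changed", ev.user))
        elif ev.event_id in AUDIT_LOG_CLEARED:
            alerts.append((ev.host, "audit-log-cleared", ev.user))
    return alerts


def silence_alerts(events: Iterable[Event], now: datetime, max_gap: timedelta) -> List[str]:
    """Flag hosts that have produced no Security events for longer than max_gap.

    'No events at all' is exactly what a disabled audit policy looks like
    from the collector's side, so a host that was talking and then stops
    deserves a page of its own.
    """
    last_seen = {}
    for ev in events:
        if ev.host not in last_seen or ev.time > last_seen[ev.host]:
            last_seen[ev.host] = ev.time
    return sorted(host for host, t in last_seen.items() if now - t > max_gap)


def run_rules(log_text: str, now: datetime, max_gap: timedelta):
    """Parse the log text and return (tamper alerts, silent hosts)."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return tamper_alerts(events), silence_alerts(events, now, max_gap)


def demo():
    """Run both rules over the constructed sample as of 10:00 with a 30-minute gap."""
    return run_rules(SAMPLE_LOG, datetime(2003, 1, 18, 10, 0, 0), timedelta(minutes=30))


if __name__ == "__main__":
    tampered, silent = demo()
    for host, rule, user in tampered:
        print(f"ALERT {host}: {rule} by {user}")
    for host in silent:
        print(f"ALERT {host}: no Security events for >30 min (auditing disabled or host down?)")
```

Run as-is it reports WEB1 twice: once for the 612 written by the Administrator session and once because nothing has arrived from it in 55 minutes, while DC1 stays quiet. The silence rule is what catches the case where the intruder manages to stop auditing without the policy-change event ever reaching the collector.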
This archive was generated by hypermail 2b30 : Sat Jan 18 2003 - 21:53:34 PST