> One cannot prevent intrusions...you're right.
> However, a few simple steps can make it such that an
> intrusion is exceedingly difficult. Given that, if
> you do get "hacked", it's highly likely that
> near-real-time EventLog monitoring systems won't be of
> any use? Why? Well, the first thing one would want
> to do is disable logging, which is easy to do w/ auditpol.exe...

Sure - but if you review the logs often (e.g. every 5 seconds), chances are very high that you will see the evidence before it is deleted/disabled. If you look at current attack patterns, they normally require multiple steps to break into the system, and this is your chance.

Also, there are also lazy and incompetent attackers out there, which definitely gives you a better chance of catching them with such analysis...

But I agree, it is only a building block. Maybe some think it's not worth placing it into your defense. IMHO this doesn't disqualify those who do so with valid reasoning (if they know it ;)). Others may opt to include it ;)

Rainer

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
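The frequent-review idea from the exchange above, as an added example that is not part of the original post: one polling pass of a monitor that flags events showing auditing itself being tampered with, and also treats a sudden silence in the log as an alert, since disabling logging leaves a gap of its own. The pipe-delimited line format, the sample events and the 10-second silence threshold are constructed for this example; the event IDs are the Windows Security log IDs used on Vista and later.

```python
import datetime as dt

# Windows Security log event IDs that signal tampering with auditing itself.
# These are real IDs (Vista and later); everything else here is constructed.
TAMPER_EVENTS = {
    1102: "audit log cleared",
    4719: "system audit policy changed",
}

def parse_event(line):
    """Parse one constructed 'timestamp|event_id|message' log line."""
    ts, eid, msg = line.split("|", 2)
    return dt.datetime.fromisoformat(ts), int(eid), msg

def review(lines, now_iso, silence_seconds=10):
    """One polling pass, as a monitor run every few seconds would perform.

    Returns a list of alert strings: one per tamper event seen, plus a
    'silence' alert when nothing has been logged for longer than
    silence_seconds before now_iso (auditing may have been turned off).
    """
    now = dt.datetime.fromisoformat(now_iso)
    alerts = []
    last_ts = None
    for line in lines:
        ts, eid, msg = parse_event(line)
        if last_ts is None or ts > last_ts:
            last_ts = ts
        if eid in TAMPER_EVENTS:
            alerts.append(f"{ts.isoformat()} event {eid}: "
                          f"{TAMPER_EVENTS[eid]} ({msg})")
    if last_ts is None or (now - last_ts).total_seconds() > silence_seconds:
        since = last_ts.isoformat() if last_ts else "start"
        alerts.append(f"no events since {since}: logging may be disabled")
    return alerts

# Constructed sample: two normal logons (4624), then an audit policy change,
# after which the log goes quiet.
SAMPLE = [
    "2003-01-18T22:00:00|4624|logon user=alice",
    "2003-01-18T22:00:03|4624|logon user=bob",
    "2003-01-18T22:00:05|4719|policy subcategory=Logon changed by admin",
]

if __name__ == "__main__":
    for alert in review(SAMPLE, "2003-01-18T22:00:20"):
        print("ALERT", alert)
```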
This archive was generated by hypermail 2b30 : Sat Jan 18 2003 - 22:06:03 PST