RE: [logs] RE: NT Event Log and Web Server Attacks

From: Rainer Gerhards (rgerhardsat_private)
Date: Fri Jan 17 2003 - 11:53:03 PST


    > One cannot prevent intrusions...you're right. 
    > However, a few simple steps can make it such that an
    > intrusion is exceedingly difficult.  Given that, if
    > you do get "hacked", it's highly likely that
    > near-real-time EventLog monitoring systems won't be of
    > any use?  Why?  Well, the first thing one would want
    > to do is disable logging, which is easy to do w/ auditpol.exe...
    
    Sure - but if you review the logs often (e.g. every 5 seconds), chances
    are very high that you will see the evidence before it is
    deleted/disabled. If you look at current attack patterns, they normally
    require multiple steps to break into the system, and this is your
    chance.
    
    Also, there are lazy and incompetent attackers out there, which
    definitely gives you a better chance of catching them with such
    analysis...
    
    But I agree, it is only a building block. Maybe some think it's not worth
    placing it into your defense. IMHO this doesn't disqualify those who do
    so with valid reasoning (if they know it ;)). Others may opt to include
    it ;)
    
    Rainer
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
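The frequent-polling idea discussed in this thread, as an added example that is not part of the original messages or of any list member's code: a Python sketch that re-reads an event log every 5 seconds from the last record it saw, raises an alert on the multi-step pattern Rainer refers to (repeated logon failures for one account followed by a success), and raises an alert on the tampering events that an auditpol change or a log clear would produce, so the poller sees them within one interval of their being written. The event records below are constructed; the event IDs are the well-known Security-log IDs (517 audit log cleared and 612 audit policy changed on NT4/2000/2003, renumbered 1102 and 4719 from Vista on; 528/529 and 4624/4625 for logon success/failure). The `record` and `time` fields stand in for the real log's record number and timestamp, and the assumption that record numbers increase with write time is what lets the cursor resume. A real deployment would replace the in-memory list with reads through the Win32 event-log API or `Get-WinEvent` and keep the same record-number cursor.

```python
"""Polling detector over a constructed Windows Security event log.

Added example for the LogAnalysis thread; not code from the original posts.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List

# Well-known Security log event IDs. NT4/2000/2003 numbering on the left,
# the Vista-and-later renumbering on the right.
AUDIT_TAMPER = {
    517: "audit log cleared", 1102: "audit log cleared",
    612: "audit policy changed", 4719: "audit policy changed",
}
LOGON_FAILURE = {529, 4625}
LOGON_SUCCESS = {528, 540, 4624}


@dataclass(frozen=True)
class Event:
    record: int      # record number; the poller resumes from the last one seen
    time: int        # seconds since the start of the constructed timeline
    event_id: int
    user: str


@dataclass(frozen=True)
class Alert:
    time: int        # when the polling pass that saw the record ran
    record: int
    reason: str


class EventLogPoller:
    """Re-reads the log every `interval` seconds from the last record seen.

    Assumes record numbers increase with write time (true for the real log).
    """

    def __init__(self, log: List[Event], interval: int = 5,
                 failures: int = 3, window: int = 60):
        self.log = sorted(log, key=lambda e: e.record)
        self.interval = interval
        self.failures = failures      # failures before a success is suspicious
        self.window = window          # seconds the failures must fall within
        self.cursor = 0
        self._recent: Dict[str, Deque[int]] = defaultdict(deque)

    def _trim(self, q: Deque[int], now: int) -> None:
        # Drop failure timestamps that have aged out of the window.
        while q and now - q[0] > self.window:
            q.popleft()

    def poll(self, now: int) -> List[Alert]:
        """One polling pass: consume every record written up to `now`."""
        alerts: List[Alert] = []
        for e in self.log:
            if e.record <= self.cursor:
                continue                      # already processed
            if e.time > now:
                break                         # not written yet
            self.cursor = e.record
            if e.event_id in AUDIT_TAMPER:
                alerts.append(Alert(now, e.record,
                    f"{AUDIT_TAMPER[e.event_id]} (id {e.event_id}) by {e.user}"))
            elif e.event_id in LOGON_FAILURE:
                q = self._recent[e.user]
                q.append(e.time)
                self._trim(q, e.time)
            elif e.event_id in LOGON_SUCCESS:
                q = self._recent[e.user]
                self._trim(q, e.time)
                if len(q) >= self.failures:
                    alerts.append(Alert(now, e.record,
                        f"logon for {e.user} after {len(q)} failures in {self.window}s"))
                q.clear()
        return alerts

    def run(self, until: int) -> List[Alert]:
        """Drive the poller across the timeline, one pass per `interval`."""
        out: List[Alert] = []
        now = 0
        while now <= until:
            out.extend(self.poll(now))
            now += self.interval
        return out


def detection_latency(log: List[Event], alerts: List[Alert]) -> int:
    """Worst-case seconds between a record being written and its alert."""
    by_record = {e.record: e.time for e in log}
    return max((a.time - by_record[a.record] for a in alerts), default=0)


# Constructed timeline: a benign logon, a short brute force against
# administrator that succeeds, then auditpol and a log clear.
SAMPLE_LOG = [
    Event(1, 2, 528, "backup"),
    Event(2, 10, 529, "administrator"),
    Event(3, 12, 529, "administrator"),
    Event(4, 14, 529, "administrator"),
    Event(5, 17, 528, "administrator"),    # success after 3 failures
    Event(6, 23, 612, "administrator"),    # audit policy changed (auditpol)
    Event(7, 31, 517, "administrator"),    # audit log cleared
]

if __name__ == "__main__":
    found = EventLogPoller(SAMPLE_LOG).run(40)
    for a in found:
        print(f"t={a.time:>3}s record {a.record}: {a.reason}")
    print("worst-case latency:", detection_latency(SAMPLE_LOG, found), "s")
```

With a 5-second interval every alert here fires within one interval of the record being written, and the audit-policy change at record 6 is seen on the very next pass, which is the window the reply above is counting on: the evidence of the break-in (records 2 to 5) is already off-box before the attacker gets to the log clear at record 7.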
    



    This archive was generated by hypermail 2b30 : Sat Jan 18 2003 - 22:06:03 PST