[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IDS: intruder clues

To: "Meritt, Jim" <Jim.Meritt@wang.com>
Subject: Re: IDS: intruder clues
From: Lance Spitzner <lance@spitzner.net>
Date: Tue, 25 Apr 2000 13:08:06 -0500 (CDT)
Cc: ids@uow.edu.au

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
On Mon, 24 Apr 2000, Meritt, Jim wrote:

> If a corporation/organization/whatever has NOT implemented an IDS, what do
> you (the reader specifically) look for/at during after-the-event intrusion
> detection?
> 
> I'm looking for individual responses other than real-time clues (the system
> isn't even connected to the network any more) and the multitude of log files
> (a system may, or may not, have varied logging enabled)

I have several papers explaining what black-hats did to my honeypots,
and how I reviewed the systems after-the-event for information.  You will
most likely find "Know Your Enemy:III" most helpful.

http://www.enteract.com/~lspitz/enemy3.html

Lance

Prev by Date: Re: IDS: intruder clues
Next by Date: IDS: Scanning on tcp port 27374
Prev by thread: Re: IDS: intruder clues
Next by thread: IDS: Scanning on tcp port 27374
Index(es):
- Date
- Thread