Full Disclosure
mailing list archives
Re: Linux - Indicators of compromise
From: Bzzz <lazyvirus () gmx com>
Date: Mon, 16 Jul 2012 18:38:47 +0200
On Sat, 14 Jul 2012 12:46:50 +0000
"Ali Varshovi" <ali.varshovi () hotmail com> wrote:
> Does anyone have any guidelines/useful material on analysis logs
> of a Linux machine to detect signs of compromise? The data
> collection piece is not a challenge as a lot of useful information
> can be captured using commands and some scripts. I'm wondering if
> there is any systematic approach to analyze the collected logs?
> Most of the materials I've seen are more aligned to malware and
> rootkit detection which is not the only concern apparently.
Hi Ali,
I'd say send logs to another machine, use a "checksumator" (like
tripwire), store its computation files on an external storage
device and, when you check the system with it, boot from a liveCD.
And as G. Baribault says, each compromised system tries to store its
findings elsewhere on the Internet (often encrypted these days), so
a fine traffic analyzer would be a good thing; but whether there is a
very good one working out of the box, I don't know!? (beware, it can
be very disk-space greedy).
JY
--
< Overfiend> well, excellent. I get to tear someone a new asshole.
-- in #debian-devel
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
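The tripwire-style "checksumator" workflow from the reply above (baseline the filesystem, keep the database off the host, compare later from a trusted boot) is shown here as an added Python example; it is not code from the thread and not tripwire itself. It walks a directory tree, records a SHA-256 plus mode/owner/size per regular file, stores the baseline as JSON with an HMAC tag so edits to the stored database are themselves caught, and reports added, removed and modified files. The `demo()` function, the key and the sample `etc` tree it builds in a temporary directory are constructed for illustration.

```python
"""Minimal tripwire-style file-integrity baseline and check (constructed example)."""
import hashlib
import hmac
import json
import os
import stat
import tempfile

HASH_ALGO = "sha256"


def _file_record(path):
    """Content hash plus the metadata that an attacker commonly alters."""
    st = os.lstat(path)
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root):
    """Record every regular file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, devices, sockets are skipped here
            baseline[os.path.relpath(full, root)] = _file_record(full)
    return baseline


def save_baseline(baseline, path, key):
    """Write the baseline as JSON prefixed by an HMAC tag over the body.
    The key and the file are meant to live off the monitored host."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, HASH_ALGO).hexdigest().encode()
    with open(path, "wb") as fh:
        fh.write(tag + b"\n" + body)


def load_baseline(path, key):
    """Reject a baseline whose tag no longer matches its body."""
    with open(path, "rb") as fh:
        tag, body = fh.read().split(b"\n", 1)
    expected = hmac.new(key, body, HASH_ALGO).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline database failed integrity check")
    return json.loads(body)


def compare(baseline, root):
    """Diff the stored baseline against the live tree under root."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(current) & set(baseline)):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed etc/ tree, baseline it, simulate changes, and check
    both the file report and that a tampered database is rejected."""
    key = b"constructed-demo-key"  # hypothetical; in practice kept off the host
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "etc")
        os.makedirs(os.path.join(root, "cron.d"))
        with open(os.path.join(root, "passwd"), "w") as fh:
            fh.write("root:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(root, "cron.d", "backup"), "w") as fh:
            fh.write("0 2 * * * root /usr/local/bin/backup\n")
        db = os.path.join(tmp, "baseline.db")  # stands in for external storage
        save_baseline(build_baseline(root), db, key)

        # Simulated post-baseline changes: an extra passwd entry, a new cron
        # file and a loosened permission bit on an existing one.
        with open(os.path.join(root, "passwd"), "a") as fh:
            fh.write("eve:x:1001:1001::/home/eve:/bin/sh\n")
        with open(os.path.join(root, "cron.d", "update"), "w") as fh:
            fh.write("* * * * * root /tmp/.update\n")
        os.chmod(os.path.join(root, "cron.d", "backup"), 0o777)
        report = compare(load_baseline(db, key), root)

        # Simulated edit of the stored database itself.
        with open(db, "ab") as fh:
            fh.write(b" ")
        try:
            load_baseline(db, key)
            tampered = False
        except ValueError:
            tampered = True
    return report, tampered


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

The report lists `cron.d/update` as added, `passwd` as modified in content and size, and `cron.d/backup` as modified in mode only; the appended byte makes `load_baseline` raise, which is the property that makes storing the database (and key) off the host worthwhile. Running the check from a liveCD, as the reply suggests, matters because a compromised kernel or libc can otherwise lie to the checker about what is on disk.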