Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Auditing / Logging
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 12 Jan 2004 16:12:34 -0500 (EST)

On Mon, 12 Jan 2004, Don Parker wrote:

The simplest solution would be to simply log all activity using tcpdump in binary 
format. This decreases the file size, is faster, and allows you to manipulate it after. 
You can also input this binary log into any protocol analyzer afterwards as well ie: 
ethereal, etherpeek nx and the such. 

Doing the above also gives you and your client a copy of exactly what it is you have 
done during your pen test should there be any questions/complaints.

Which s great on the data being obtained, yyet fails to retain the nature
of the exact command that retrieved the data, so make sure one either
tee's allcommands to a file <date stamps can help here> or one runs script
or something.  This helps if one has data results that are similiar and
they need to know which command applies to which data, as well as make it
possible to dupe scenarios.


Ron DuFresne
        admin & senior security consultant:  sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]