Intrusion Detection Systems mailing list archives

Re: intruder clues


From: lance () spitzner net (Lance Spitzner)
Date: Tue, 25 Apr 2000 13:08:06 -0500 (CDT)


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

On Mon, 24 Apr 2000, Meritt, Jim wrote:

If a corporation/organization/whatever has NOT implemented an IDS, what do
you (the reader specifically) look for/at during after-the-event intrusion
detection?

I'm looking for individual responses other than real-time clues (the system
isn't even connected to the network any more) and the multitude of log files
(a system may, or may not, have varied logging enabled).

I have several papers explaining what black-hats did to my honeypots,
and how I reviewed the systems after-the-event for information.  You will
most likely find "Know Your Enemy: III" most helpful.

http://www.enteract.com/~lspitz/enemy3.html

Lance
