PaulDotCom mailing list archives
HIDS advice?
From: mike.patterson at unb.ca (Mike Patterson)
Date: Wed, 19 Aug 2009 20:38:04 -0400
Ron Gula wrote on 8/18/09 10:22 PM:
> I'm curious how many people enable process accounting on UNIX or Windows and feed these to their SIM? When you start seeing tcpdump being run by user 'www' at 2:00 am, things can get interesting.
We've had process accounting help us immeasurably in the past. Intruder carefully cleaned up after himself, remembered to clear logs, wipe out shell history, etc., etc. He didn't clear out the process accounting logs though, and that told us everything. So awesome. I wish everybody would do that.

Of course, I actually wish people wouldn't set things up such that they get pwned in the first place, but that's a nice second best.

Mike

-- 
When angry, count four; when very angry, swear. - Mark Twain
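The two messages above describe the technique but not the mechanics: what a BSD-style process accounting record looks like, and what a SIM rule over it would check. The following is an added example (editor's illustration, not code from either poster or from any product). It parses the Linux `struct acct_v3` layout (64-byte records, little-endian, as written by x86 kernels), decodes the `comp_t` CPU-time encoding, and applies Ron's "tcpdump by www at 2:00 am" rule. The uid-to-name map, the list of capture tools, the business-hours window and the sample records are all constructed for the example and are assumptions; adjust them for your estate.

```python
"""Parse Linux process accounting (pacct) records and flag capture tools run by odd accounts."""
import struct
from datetime import datetime, timezone

# struct acct_v3 from linux/acct.h (assumed little-endian, as on x86):
#   u8 ac_flag, u8 ac_version, u16 ac_tty, u32 exitcode/uid/gid/pid/ppid/btime,
#   float ac_etime, comp_t (u16) utime/stime/mem/io/rw/minflt/majflt/swaps, char ac_comm[16]
ACCT_V3 = struct.Struct("<BBHIIIIIIfHHHHHHHH16s")
assert ACCT_V3.size == 64

AFORK, ASU = 0x01, 0x02   # ac_flag bits: forked but never exec'd; used superuser privileges
USER_HZ = 100             # comp_t CPU times are in clock ticks

def decode_comp_t(c):
    """comp_t packs a 13-bit mantissa with a 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))

def encode_comp_t(value):
    """Inverse of decode_comp_t; only needed here to build sample records."""
    exp = 0
    while value > 0x1FFF and exp < 7:
        value >>= 3
        exp += 1
    return (exp << 13) | (value & 0x1FFF)

def parse_pacct(blob):
    """Return one dict per complete record; a torn trailing record is ignored."""
    records = []
    for off in range(0, len(blob) - ACCT_V3.size + 1, ACCT_V3.size):
        (flag, _version, _tty, _exit, uid, _gid, pid, ppid, btime, _etime,
         utime, stime, *_rest, comm) = ACCT_V3.unpack_from(blob, off)
        records.append({
            # ac_comm holds only the command name (max 15 chars), never its arguments
            "comm": comm.split(b"\0", 1)[0].decode("ascii", "replace"),
            "uid": uid, "pid": pid, "ppid": ppid,
            "start": datetime.fromtimestamp(btime, timezone.utc),
            "superuser": bool(flag & ASU),
            "cpu_seconds": (decode_comp_t(utime) + decode_comp_t(stime)) / USER_HZ,
        })
    return records

CAPTURE_TOOLS = {"tcpdump", "tshark", "dumpcap", "snoop"}   # assumption: extend per environment
BUSINESS_HOURS = range(7, 19)                                # assumption: 07:00-18:59 UTC

def find_suspicious(records, uid_names, allowed_capture_uids=frozenset({0})):
    """Alert on capture tools run by accounts not expected to run them; enrich with time and ASU."""
    alerts = []
    for r in records:
        if r["comm"] not in CAPTURE_TOOLS or r["uid"] in allowed_capture_uids:
            continue
        who = uid_names.get(r["uid"], f"uid={r['uid']}")
        detail = [f"{r['comm']} run by {who} at {r['start']:%Y-%m-%d %H:%M}Z (pid {r['pid']})"]
        if r["start"].hour not in BUSINESS_HOURS:
            detail.append("outside business hours")
        if r["superuser"]:
            detail.append("ASU flag set: ran with superuser privileges")
        alerts.append("; ".join(detail))
    return alerts

# --- constructed sample data (not a real pacct file) -----------------------------------
def make_record(comm, uid, started, flag=0, cpu_ticks=0, pid=0):
    return ACCT_V3.pack(flag, 3, 0, 0, uid, uid, pid, 1, int(started.timestamp()), 0.0,
                        encode_comp_t(cpu_ticks), 0, 0, 0, 0, 0, 0, 0,
                        comm.encode().ljust(16, b"\0"))

UID_NAMES = {0: "root", 33: "www", 1000: "alice"}   # constructed uid map
UTC = timezone.utc
SAMPLE_PACCT = b"".join([
    make_record("httpd", 33, datetime(2009, 8, 18, 14, 0, tzinfo=UTC), pid=2101),
    make_record("tcpdump", 0, datetime(2009, 8, 18, 15, 30, tzinfo=UTC), flag=ASU, pid=2450),
    make_record("tcpdump", 33, datetime(2009, 8, 19, 2, 0, tzinfo=UTC), flag=ASU,
                cpu_ticks=9000, pid=3107),
    make_record("bash", 1000, datetime(2009, 8, 19, 2, 5, tzinfo=UTC), pid=3110),
]) + b"\x00" * 10   # torn trailing record, as when the file is read while the kernel appends

if __name__ == "__main__":
    for alert in find_suspicious(parse_pacct(SAMPLE_PACCT), UID_NAMES):
        print("ALERT:", alert)
```

On a real host point `parse_pacct` at the accounting file (typically /var/log/account/pacct with Debian's acct package, /var/account/pacct with psacct on Red Hat derivatives) or cross-check against `lastcomm`. Two caveats a practitioner should keep in mind: the record carries only the 15-character command name and no arguments, so `tcpdump` is visible but not what it captured; and an intruder with root can truncate pacct just as easily as shell history, which is why the records are worth forwarding to the SIM as they are written rather than relying on the local file surviving.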
Current thread:
- HIDS advice? lists at truthisfreedom.org.uk (Aug 17)
- HIDS advice? Erik Harrison (Aug 17)
- HIDS advice? Jason Wood (Aug 17)
- <Possible follow-ups>
- HIDS advice? Christopher Rimondi (Aug 18)
- HIDS advice? Ron Gula (Aug 18)
- HIDS advice? Joe Magee (Aug 19)
- HIDS advice? Ron Gula (Aug 20)
- HIDS advice? Dale Stirling (Aug 20)
- HIDS advice? Ron Gula (Aug 18)
- HIDS advice? Mike Patterson (Aug 19)