[plug] [Fwd: Re: David Conran's talk]

Jeremy Malcolm Jeremy at Malcolm.wattle.id.au
Sun Jun 11 19:26:55 WST 2000


> Question I have is how does one detect if the network has been
> compromised?  I check logs on a daily basis, but exactly what am I
> supposed to be looking for?

I guess it is true that logs aren't that useful for determining
whether a compromise has actually occurred.  For one thing, if you
have a root compromise then you can't trust your log files anyway. 
The logs are more useful to find out things like where portscans are
coming from, before they succeed.

Tripwire is more useful in finding out whether you have been
compromised, because it compares checksums of all your files to see if
any of them have changed.  The biggest problem with tripwire is that
for proper security your tripwire database has to be on a (hardware)
read-only medium, which is inconvenient when your machine is remote.

Speaking of which, recently tripwire has been telling me that /dev/log
has changed.  This has got me worried.  Does anyone know what /dev/log
does and whether a change to that file could be indicative of a
compromise?

-- 
JEREMY MALCOLM Jeremy at Malcolm.wattle.id.au http://malcolm.wattle.id.au
SIG of the day: [x] Contact  [ ] Web  [ ] PGP  [ ] Taglines #1  [ ] #2
Residence: 208/112 Mounts Bay Road, West Perth, Western Australia 6005
Phone: +61-8-9226 0689 (H), +61-8-9325 4400 (W) | Fax: +61-8-9421 1762
Mobile: 0419 911 079 | Email: jmm at proctors.com.au info at terminus.net.au
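Added example, not from the post above or from the PLUG list: a minimal tripwire-style baseline and compare in Python, run on a constructed temp directory rather than a real host. It hashes content only for regular files, so for a special file such as /dev/log (a Unix-domain socket that syslogd unlinks and recreates world-writable each time it starts) only metadata like type, mode or owner can differ, and the report names the attribute that moved, which is what you need to tell a syslog restart from something worth a closer look.

```python
import hashlib, os, shutil, socket, stat, tempfile

def fingerprint(path):
    """Tripwire-style record for one path: type, permission bits, owner, size and,
    for regular files only, a SHA-256 of the content (a socket has none to read)."""
    st = os.lstat(path)
    rec = {"type": stat.S_IFMT(st.st_mode), "mode": stat.S_IMODE(st.st_mode),
           "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size, "sha256": None}
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            rec["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return rec

def baseline(paths):
    """Snapshot every path; this is the database tripwire wants kept on read-only media."""
    return {p: fingerprint(p) for p in paths}

def compare(base, paths):
    """Re-fingerprint each path and list the attributes that differ from the baseline."""
    changes = {}
    for p in paths:
        if not os.path.lexists(p):
            changes[p] = ["missing"]
            continue
        now = fingerprint(p)
        diff = sorted(k for k in now if now[k] != base[p][k])
        if diff:
            changes[p] = diff
    return changes

def demo():
    """Constructed scenario (hypothetical files in a temp dir): a file whose content is
    altered, and a socket standing in for /dev/log recreated with mode 0666 like syslogd does."""
    d = tempfile.mkdtemp()
    cfg, sock = os.path.join(d, "passwd"), os.path.join(d, "log")
    with open(cfg, "w") as f: f.write("root:x:0:0\n")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    s.bind(sock)
    base = baseline([cfg, sock])
    with open(cfg, "a") as f: f.write("intruder:x:0:0\n")   # content change: hash and size differ
    s.close()
    os.unlink(sock)                          # syslog restart: socket removed ...
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    s.bind(sock)                             # ... and recreated
    os.chmod(sock, 0o666)                    # world-writable, as syslogd sets it
    result = {os.path.basename(p): v for p, v in compare(base, [cfg, sock]).items()}
    s.close()
    shutil.rmtree(d)
    return result
```

The report for the tampered file names both "sha256" and "size", while the recreated socket shows only "mode"; a metadata-only change on a socket is consistent with a daemon restart, whereas a content change on a file under a read-only baseline is not.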