FW: OK, I've been hacked, now what?

[kevin.sheldrake () baedsl co uk]

I assume that Tripwire tracks changes to files.  How does it
distinguish between normal,
everyday system usage and unauthorised access?  Is it available
for NT Server 4, NT
Workstation 4, DEC Unix, Solaris?

Kevin Sheldrake
CCIS Prototypes and Demonstrations
British Aerospace Defence Systems
[+44 | 0] 1202 408035, kevin.sheldrake () baedsl co uk

> -----Original Message-----
> From: Peter Mayne [SMTP:Peter.Mayne () digital com]
> Sent: 12 May 1999 04:08
>
>
> Tripwire will do pretty reasonable job of telling you what's
> changed. This
> need not be expensive.
>
> PJDM
> ----
> Peter Mayne, Compaq Computer Australia, Canberra, ACT
> These are my opinions, and have nothing to do with Compaq.
> A room without books is like a body without a soul. - Cicero
>
> > -----Original Message-----
> > From:       kevin.sheldrake () baedsl co uk
> [SMTP:kevin.sheldrake () baedsl co uk]
> > Sent:       Tuesday, May 11, 1999 6:38 PM
> > To: firewall-wizards () nfr net
> > Subject:    RE: OK, I've been hacked, now what?            
> >
> >
> > After an attack has been discovered, the victim (company)
> must
> > investigate
> > the damage to the liberated system.  This could involve
> manually
> > checking
> > all files in all directories for alteration.  Following this,
> the
> > system should
> > then be checked in order to detect any external copying of
> files
> > (this could
> > involve the system logs or a network traffic monitor.)
> >
> > These two activities are expensive.