IDS mailing list archives

Re: how to verify whether an attack attempt is successful?


From: "Kurt Seifried" <bt () seifried org>
Date: Wed, 15 Jan 2003 13:27:19 -0800

Is there any technology developed in this direction?

If you mean reactive technology then there are things like host-based IDS
(tripwire, syscall logging, etc.). Generally if you get a report like
"/etc/passwd changed" or "seteuid executed by user nobody" that's a good
indication your system got penetrated. This is why people should log
successful as well as unsuccessful security events (logins, file accesses,
etc.).


Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
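
An added example, not part of the original message: a short Python sketch of why logging successful as well as unsuccessful events matters when deciding whether an attempt succeeded. The log lines are constructed samples in OpenSSH sshd syslog style, and the function names and the threshold of 3 failures are assumptions made for illustration.

```python
import re

# Constructed sample lines in OpenSSH sshd syslog style (not from the original post).
SAMPLE_LOG = """\
Jan 15 13:01:02 host sshd[411]: Failed password for root from 203.0.113.5 port 4001 ssh2
Jan 15 13:01:05 host sshd[411]: Failed password for invalid user admin from 203.0.113.5 port 4002 ssh2
Jan 15 13:01:09 host sshd[411]: Failed password for root from 203.0.113.5 port 4003 ssh2
Jan 15 13:01:14 host sshd[412]: Accepted password for root from 203.0.113.5 port 4004 ssh2
Jan 15 13:05:40 host sshd[430]: Failed password for alice from 198.51.100.7 port 5100 ssh2
Jan 15 13:05:52 host sshd[431]: Accepted password for alice from 198.51.100.7 port 5101 ssh2
""".splitlines()

# Matches both outcomes, including failures for accounts that do not exist.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def successes_after_failures(lines, threshold=3):
    """Return (src, user, prior_failures) for each accepted login preceded by
    at least `threshold` failed logins from the same source address.
    The threshold is an assumed tuning value, not taken from the post."""
    failures = {}  # source address -> failures seen since its last success
    alerts = []
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        src = m["src"]
        if m["result"] == "Failed":
            failures[src] = failures.get(src, 0) + 1
        else:
            count = failures.pop(src, 0)  # a success resets the counter
            if count >= threshold:
                alerts.append((src, m["user"], count))
    return alerts

def failures_only(lines):
    """Simulate a host that logs only unsuccessful events."""
    return [line for line in lines if "Accepted" not in line]

if __name__ == "__main__":
    print("full logging: ", successes_after_failures(SAMPLE_LOG))
    print("failures only:", successes_after_failures(failures_only(SAMPLE_LOG)))
```

With both outcomes logged, the run of failures ending in an accepted login is reported; with only failures logged, the same activity produces no alert at all.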


