Re: Linux - Indicators of compromise

["Ali Varshovi " <ali.varshovi () hotmail com>]

Hi Jerry,

I want to do the analysis on servers/systems that are suspected to be infected.

Thanks,
Ali
.
---------------------------------------------
Sent from my BlackBerry device

-----Original Message-----
From: Jerry Bell <jerry () riskologist com>
Date: Tue, 17 Jul 2012 00:02:29 
To: <ali.varshovi () hotmail com>
Cc: <full-disclosure () lists grok org uk>
Subject: Re: [Full-disclosure] Linux - Indicators of compromise


Hello Ali. 

Is your question about investigating a set of servers you suspect may be infected, or setting up a steady state 
monitoring strategy to alert when/if a host is compromised?  

Regards,

Jerry


On Jul 14, 2012, at 8:46 AM, "Ali Varshovi " <ali.varshovi () hotmail com> wrote:

> Greetings FD,
>
> Does anyone have any guidelines/useful material on analysis logs of a Linux machine to detect signs of compromise? 
> The data collection piece is not a challenge as a lot of useful information can be captured using commands and some 
> scripts. I'm wondering if there is any systematic approach to analyze the collected logs? Most of the materials I've 
> seen are more aligned to malware and rootkit detection which is not the only concern apparently.
>
> Thanks,
> Ali
> .
> ---------------------------------------------
> Sent from my BlackBerry device
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/