Snort mailing list archives

RE: Snort logs as evidence in court


From: Greg Herlein <gherlein () herlein com>
Date: Sat, 22 Dec 2001 10:00:37 -0800 (PST)

> Just wondering if we can present the snort logs as evidence
> in a court for attempted/break-ins? Will law enforcement
> agencies take these logs as evidence and take action on the
> offenders?

If you are serious about this, you have to make it a part of your
regular practice.  I've read that if you dump your logs to a line
printer in real time and then systematically, regularly review
those logs and sign and date them to indicate that you reviewed
them, they become of a nature that is much more presentable as
evidence.

Now, one could argue that printed form is lame, given the volumes
etc.  I would suspect that if you signed the logs digitally and
then burned them to CDROM - i.e., to a non-editable form - that it
would accomplish the same thing.  Also, it's best if several
people sign for the review.

For a NOC I staffed and managed as part of an online
e-commerce-like system, I had the NOC manager review then route
to me, then I signed and routed to the VP.  After all sign-offs
they were filed for 90 days and then rotated out to long-term
storage.  The whole system was designed specifically to enhance
credibility for evidence purposes.

We dumped snort to syslog locally and over the net to a log
server that dumped to a line printer (really hard to erase the
logs off that line printer, I might add, even if they did ever
hack the system!).  The line printer was in a lockable
"silencing" enclosure and printed on wide paper.  The printer was
in a server room that was either staffed or locked at all times.
There was a written procedure for how this all was supposed to
work.  It showed effort to formalize the process and make it a
routine part of doing business.

It was never tested in court, thank goodness, but I still feel
that is the best plan if you are operating in a fashion where you
may want to use the logs as evidence - criminally or as part of a
civil action.

I am not a lawyer, please do not construe this as any advice -
just what I have done in the past and my opinion.  :)

Greg
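The digitally signed, write-once archive with several reviewer sign-offs that the post describes, as an added Python example that is not part of the original message or of Snort itself. Reviewer names, their keys, and the sample Snort alert lines are constructed for the example, and a keyed HMAC stands in for each reviewer's real digital signature (the structure is the same: each sign-off binds the batch digest, the reviewer, the review date and the previous batch's manifest, so a batch cannot be altered, re-dated, re-attributed or spliced out of sequence without the verification failing).

```python
import hashlib
import hmac
import json

# Constructed sample Snort alert lines (fast-alert style); not from any real sensor.
SAMPLE_ALERTS = [
    "12/22-09:58:01.123456 [**] [1:1000001:0] CONSTRUCTED ssh probe [**] "
    "[Priority: 2] {TCP} 198.51.100.7:4242 -> 192.0.2.10:22",
    "12/22-09:58:07.654321 [**] [1:1000002:0] CONSTRUCTED telnet probe [**] "
    "[Priority: 2] {TCP} 198.51.100.7:4243 -> 192.0.2.10:23",
]

# Per-reviewer secrets, constructed for the example. With real signatures each
# reviewer would hold a private key and the verifier only the public keys.
REVIEWER_KEYS = {
    "noc-manager": b"constructed-key-noc-manager",
    "security-lead": b"constructed-key-security-lead",
    "vp-ops": b"constructed-key-vp-ops",
}


def digest_batch(lines):
    """SHA-256 over the batch exactly as it is archived: newline-terminated records."""
    h = hashlib.sha256()
    for line in lines:
        h.update(line.encode("utf-8") + b"\n")
    return h.hexdigest()


def attest(batch_digest, reviewer, key, reviewed_on, previous):
    """One reviewer's sign-off (HMAC stands in for a digital signature).

    The message binds the batch digest, the reviewer's name, the review date
    and the previous batch's manifest digest, so none of them can be changed
    afterwards without the sign-off failing to verify."""
    msg = "\n".join([batch_digest, reviewer, reviewed_on, previous]).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_manifest(lines, reviewers, reviewed_on, previous=""):
    """Manifest archived beside the batch (e.g. on the same write-once CD-ROM)."""
    batch_digest = digest_batch(lines)
    return {
        "batch_digest": batch_digest,
        "reviewed_on": reviewed_on,
        "previous_manifest": previous,
        "reviews": [
            {"reviewer": r,
             "attestation": attest(batch_digest, r, REVIEWER_KEYS[r], reviewed_on, previous)}
            for r in reviewers
        ],
    }


def manifest_digest(manifest):
    """Digest of a manifest, carried forward as 'previous' into the next batch."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def verify_manifest(lines, manifest, required_reviewers, previous=""):
    """Return (ok, problems). ok only if the archived lines match the recorded
    digest, the chain link matches, and every required reviewer's sign-off verifies."""
    problems = []
    if digest_batch(lines) != manifest["batch_digest"]:
        problems.append("batch content does not match recorded digest")
    if manifest["previous_manifest"] != previous:
        problems.append("chain link to previous manifest does not match")
    seen = {r["reviewer"]: r["attestation"] for r in manifest["reviews"]}
    for reviewer in required_reviewers:
        expected = attest(manifest["batch_digest"], reviewer, REVIEWER_KEYS[reviewer],
                          manifest["reviewed_on"], manifest["previous_manifest"])
        got = seen.get(reviewer)
        if got is None:
            problems.append(f"missing sign-off from {reviewer}")
        elif not hmac.compare_digest(got, expected):
            problems.append(f"sign-off from {reviewer} does not verify")
    return (not problems), problems


if __name__ == "__main__":
    chain = ["noc-manager", "security-lead", "vp-ops"]
    day1 = build_manifest(SAMPLE_ALERTS, chain, "2001-12-22")
    print("day 1 verifies:", verify_manifest(SAMPLE_ALERTS, day1, chain))
    edited = SAMPLE_ALERTS[:1] + [SAMPLE_ALERTS[1].replace("198.51.100.7", "203.0.113.9")]
    print("edited copy verifies:", verify_manifest(edited, day1, chain))
```

Each day's manifest names the previous day's manifest digest, which mirrors the 90-day rotation in the post: an archive is complete only if every batch links to its predecessor, and a missing or re-dated batch shows up as a broken link or a failed sign-off rather than silently disappearing.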


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
