Snort mailing list archives
RE: Snort logs as evidence in court
From: Greg Herlein <gherlein () herlein com>
Date: Sat, 22 Dec 2001 10:00:37 -0800 (PST)
> Just wondering if we can present the snort logs as evidence in a court for attempted/break-ins? Will law enforcement agencies take these logs as evidence and take action on the offenders?
If you are serious about this, you have to make it a part of your regular practice. I've read that if you dump your logs to a line printer in real time and then systematically, regularly review those logs and sign and date them to indicate that you reviewed them, they become of a nature that is much more presentable as evidence. Now, one could argue that printed form is lame, given the volumes etc. I would suspect that if you signed the logs digitally and then burned them to CDROM - i.e., to a non-editable form - that it would accomplish the same thing. Also, it's best if several people sign for the review.

For a NOC I staffed and managed as part of an online e-commerce-like system, I had the NOC manager review, then route to me, then I signed and routed to the VP. After all sign-offs they were filed for 90 days and then rotated out to long-term storage. The whole system was designed specifically to enhance credibility for evidence purposes. We dumped snort to syslog locally and over the net to a log server that dumped to a line printer (really hard to erase the logs off that line printer, I might add, even if they did ever hack the system!). The line printer was in a lockable "silencing" enclosure and printed on wide paper. The printer was in a server room that was either staffed or locked at all times. There was a written procedure for how this all was supposed to work. It showed effort to formalize the process and make it a routine part of doing business.

It was never tested in court, thank goodness, but I still feel that is the best plan if you are operating in a fashion where you may want to use the logs as evidence - criminally or as part of a civil action. I am not a lawyer, please do not construe this as any advice - just what I have done in the past and my opinion.
:)
Greg
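One way to make the "sign the logs digitally, then have several people sign off on the review" idea above concrete, as an added example that is not part of Greg's post or of Snort: each archived line is chained to the previous digest so any edit, deletion or reordering is detectable, and reviewers attest to the final digest. The alert lines are constructed, and HMAC with a per-reviewer key stands in for a real digital signature (an assumption made to keep the example self-contained).

```python
import hashlib
import hmac
import json

# Constructed Snort-style alert lines standing in for one day's log (not real data).
SAMPLE_LOG = [
    "[**] [1:0:0] CONSTRUCTED portscan alert [**] 12/22-09:58:01 10.0.0.5:4444 -> 10.0.0.9:80",
    "[**] [1:0:0] CONSTRUCTED web probe alert [**] 12/22-09:58:03 10.0.0.5:4445 -> 10.0.0.9:80",
    "[**] [1:0:0] CONSTRUCTED login failure alert [**] 12/22-09:59:10 10.0.0.5:4446 -> 10.0.0.9:22",
]

def hash_chain(lines, seed="snort-archive-2001-12-22"):
    """Digest each line together with the previous digest, so editing, deleting or
    reordering any line changes every digest after it (the analogue of a continuous
    printer roll that cannot be spliced without it showing)."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chain = []
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        chain.append(prev)
    return chain

def review_signoff(final_digest, reviewer, key, reviewed_on):
    """A reviewer attests to the final digest and the review date. HMAC with a
    per-reviewer key is used here in place of a real digital signature (assumption)."""
    statement = json.dumps(
        {"digest": final_digest, "reviewer": reviewer, "date": reviewed_on}, sort_keys=True)
    mac = hmac.new(key, statement.encode(), hashlib.sha256).hexdigest()
    return {"statement": statement, "mac": mac}

def verify_archive(lines, chain, signoffs, keys):
    """Recompute the chain from the archived lines and check every sign-off against
    it. Returns (ok, reason) so a failure can be reported, not just detected."""
    if hash_chain(lines) != chain:
        return False, "log content or order differs from the signed archive"
    for s in signoffs:
        claim = json.loads(s["statement"])
        if claim["digest"] != chain[-1]:
            return False, f"{claim['reviewer']} signed a different digest"
        expected = hmac.new(keys[claim["reviewer"]], s["statement"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, s["mac"]):
            return False, f"sign-off by {claim['reviewer']} does not verify"
    return True, f"{len(signoffs)} sign-offs verified"
```

Writing the lines, the chain and the sign-offs together to write-once media, as the post suggests for CDROM, is what later makes this recomputation meaningful: the verifier re-derives the chain from the archived lines rather than trusting the stored digests.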